09-06-2011 12:47 AM - edited 03-07-2019 02:03 AM
Hi Experts,
Please check the attached diagram. The modem has a dynamic public IP.
I need to set up two VLANs, one for voice and the other for data. IP phones are connected to the 2960 switch and servers are connected to the 3550 switch.
All the servers are using the LAN IP of the DSL modem as gateway.
I tried to make the 1811 router the VTP server and the other two switches VTP clients, but the VLAN information is not passing, so I removed that configuration.
Some of the servers need to have public IPs. The DSL modem is NAT capable, I think.
My questions are:
1. With the current setup I won't be able to configure separate VLANs, right? Because the whole network has one default gateway.
2. If I change the IPs between the LAN of the modem and the 1811 router to public IPs, then I will be able to configure two VLANs, right?
3. Is it possible to configure NAT in the current scenario?
4. Is it possible to configure NAT if I configure public IPs between the modem and the router?
My need is as below:
1) I want to configure two VLANs to separate IP phones and servers. Currently they are in the same VLAN.
2) Servers need to access the internet.
3) I need to give a public IP to the Exchange server.
4) I need to secure the entire network.
Please share your suggestions.
09-06-2011 01:42 AM
Hi There
See answers below.
1) Do you want to use both VLANs on both switches, or does each switch have one VLAN?
Case 1:
Each switch has its own VLAN. Then configure the router port connected to each switch with the relevant IP to be the default gateway for that VLAN.
Case 2: both switches have to have both VLANs.
In this case you need either to connect the 2960 to the 3550, enable routing on the 3550 and add a trunk link between the 2960 and the 3550,
or to connect the switches through a trunk link, connect the router to the 3550 using a trunk port on the switch, and configure a subinterface for each VLAN on the router (router on a stick).
Example:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
2960--Trunk---3550---trunk---Router----
2) For internet access you can control it using ACLs and NAT.
If you are going to do NAT, then NAT only traffic sourced from the servers' IPs, and use an ACL on the router, applied in the outbound direction on the interface facing the DSL modem, to block any traffic coming from anything other than the servers' IPs.
Example:
Servers' IPs are, let's say, 10.1.1.0/24, and you do not NAT in the router here:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 deny ip any any
! fax/x is the outbound interface
interface fax/x
 ip access-group 100 out
3) If your DSL modem can do basic NAT, then just do NAT/port forwarding to the internal IP of the server,
assuming the DSL modem can have a basic static route pointing to the internal router for the internal subnets such as 10.1.1.0.
If you have enough public IPs and configure the interfaces between the DSL modem and the router using public IPs, then you can use the router to do better NAT, using policy NAT to control what is NATed.
4) For security use the links below:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
http://www.dslreports.com/faq/7766
HTH
if helpful Rate
09-06-2011 08:23 PM
Hi
Thanks for your reply.
Suppose I have two VLANs, one for each switch. No inter-VLAN communication --> like your first case.
Assume I don't have enough public IPs to configure between the router and the modem. So I have only one private gateway, which is configured on the modem. Currently all the servers and IP phones are in the same range as the IP range between the modem and the router. If I intend to create new VLANs, they should be in a different network, right?
So I can't assign the modem's IP as gateway. I should assign the IP of the interface that is connected to the switch, right?
Say the IP range between the router and the modem is 10.1.1.0/24. One VLAN in the 3550 switch is in the range 10.1.2.0/24. The VLAN in the switch is in the range 10.1.3.0/24. Servers are connected to the 3550 switch. The IP address of the interface that is connected to the 3550 switch is 10.1.2.1. So I must give the gateway for the servers as 10.1.2.1, right?
The IP on the modem is 10.1.1.1 and on the router is 10.1.1.2.
So how will the servers get internet? Since the gateway of the servers is the IP of the router interface, it won't be able to be routed to the internet, right?
A simple NAT in the router won't work, right? Because the router-to-modem interface is a private one.
Will a default route solve the internet access problem? A default route to the IP of the modem... I think it will resolve the internet problem.
But how can I NAT the servers' private IPs to a public IP? NAT in the modem won't work, right? Since it doesn't have any route to the servers' IP range. Also, I am not preferring NAT in the modem, since I have a firewall-capable ISR 1811 in my office.
So what should I do?
A static route is possible in the modem. I saw something like a static route in the modem. I think for the time being it will work.
What is your opinion? Please update ASAP.
Thanks and Regards
Vipin
09-06-2011 08:48 PM
Hi Vipin,
As told by marwanshawi, you should be using case 1, and you would be able to do inter-VLAN routing with case 1.
If you want the router to do the NAT even with one public IP, you can do it using overload on the router interface connecting to the modem.
Have a public IP assigned to the router interface connecting to the modem,
and for the ACL you can again follow marwanshawi's advice.
Hope this helps. Cheers.
09-06-2011 09:07 PM
Hi,
NAT in the router is possible only if there is a public IP between the router and the modem, right?
Thanks
Vipin
09-06-2011 09:10 PM
Hi Vipin
See the example below, based on your questions above.
Each switch is connected to a different router interface on the LAN side, with no inter-VLAN routing on the switch (just an L2 switch).
3550:
vlan 10
 name Server_Vlan
! to server with IP 10.1.2.10
interface fax/1
 switchport mode access
 switchport access vlan 10
! to router
interface fax/24
 switchport mode access
 switchport access vlan 10
################
Router config
In the router you have the settings below:
- LAN interface network 10.1.2.0/24
- DSL interface 10.1.1.0/24
- default route pointing to the DSL modem
- Assuming the DSL modem cannot do NAT, what we can do is NAT in the router, so that traffic coming from the server appears as if it is from the router IP 10.1.1.2 (this can be per port).
However, the DSL modem is supposed to do simple port forwarding here, to forward traffic coming to the external public IP to the router IP for a certain port like SMTP, and to NAT traffic going out its DSL interface.
Router config:
! to LAN/3550
interface fax/1
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
! to DSL
interface x/0
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
! default route pointing to the DSL IP
ip route 0.0.0.0 0.0.0.0 10.1.1.1
For the NAT config:
1- If you want all traffic from any IP in the server network to be NATed to the router external IP 10.1.1.2, use the config below:
access-list 10 permit 10.1.2.0 0.0.0.255
route-map nat1 permit 10
 match ip address 10
! x/0 is the DSL-facing (outside) interface configured above
ip nat inside source route-map nat1 interface x/0 overload
2- If you want any traffic from the server with IP 10.1.1.10 (ONLY) to be NATed to the external IP of the router, use the config below:
ip nat inside source static 10.1.2.10 10.1.1.2
3- If you want specific ports from the server to be NATed to the outside interface of the router, use the config below:
! TCP port 25 is SMTP; you can add more lines for any other ports you want
ip nat inside source static tcp 10.1.2.10 25 10.1.1.2 25
HTH
if helpful Rate
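An added example, not part of the original posts: a small Python check of which source addresses ACL 10 (the NAT match list in this reply) and ACL 100 (the egress filter in the earlier reply) actually match, using IOS wildcard-mask and implicit-deny semantics. Only the source field is modelled, and the phone address 10.1.3.20 and host 10.1.1.77 are constructed sample values.

```python
import ipaddress

def _ip(text):
    # IPv4Address raises ValueError for malformed dotted quads such as "0.0.255"
    return int(ipaddress.IPv4Address(text))

def parse_acl(lines):
    """Parse numbered IOS ACL lines into (action, base, wildcard); source field only."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError("unsupported ACL line: %r" % line)
        rest = tok[3:]
        if rest[0] == "ip":                  # extended ACL: skip the protocol keyword
            rest = rest[1:]
        if not rest:
            raise ValueError("missing source in: %r" % line)
        if rest[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            base = _ip(rest[0])
            wild = _ip(rest[1]) if len(rest) > 1 else 0   # no mask means a single host
        rules.append((tok[2], base, wild))
    return rules

def evaluate(rules, src):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    s = _ip(src)
    for action, base, wild in rules:
        # wildcard bits set to 1 are "don't care"; every other bit must be equal
        if ((s ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"

def decisions(acl_lines, sources):
    rules = parse_acl(acl_lines)
    return {src: evaluate(rules, src) for src in sources}

# ACL text as used in the thread
NAT_ACL_10 = ["access-list 10 permit 10.1.2.0 0.0.0.255"]
EGRESS_ACL_100 = ["access-list 100 permit ip 10.1.1.0 0.0.0.255 any",
                  "access-list 100 deny ip any any"]

if __name__ == "__main__":
    # server 10.1.2.10 is from the thread; the other addresses are constructed
    print(decisions(NAT_ACL_10, ["10.1.2.10", "10.1.3.20"]))
    print(decisions(EGRESS_ACL_100, ["10.1.1.77", "10.1.2.10"]))
```

A wildcard mask with an octet missing, such as `0.0.255`, makes `parse_acl` raise `ValueError` instead of silently matching the wrong range.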
09-06-2011 09:30 PM
Hi marwanshawi,
Thanks for the reply. I understand it. In this scenario I can do only port forwarding, right?
I need a dedicated IP address for the Exchange server. It is not possible with the current scenario, right?
Thanks
Vipin
09-06-2011 09:37 PM
Well, if you have a spare public IP you could do it.
If not, just use static PAT/port forwarding to NAT whatever ports you need to use for your Exchange server,
like HTTPS/SMTP/POP3, etc.
HTH
pls rate the helpful posts
09-06-2011 10:45 PM
Hi marwanshawi,
Also, the modem has a dynamic public IP only. So how can we port forward?
For OWA access and all, we need a dedicated IP, right?
Thanks
Vipin
09-06-2011 10:48 PM
I think you need to speak to your ISP about this; they can give you a static one.
Just search on the net for the ports required for OWA and use the NAT/PAT example above to configure port forwarding.
If you want to access OWA via name, then you need to have DNS set up at your ISP to resolve to the static IP you have.
Good luck.