1811 router,2960,3550 switches new design- need advice

vipinrajrc
Level 3

Hi Experts,

Please check the attached diagram. The modem has a dynamic public IP.

I need to set up two VLANs, one for voice and the other for data. IP phones are connected to the 2960 switch and servers are connected to the 3550 switch.

All the servers are using the LAN IP of the DSL modem as gateway.

I tried to make the 1811 router a VTP server and the other two switches VTP clients, but the VLAN information was not passing, so I removed that configuration.

Some of the servers need to have public IPs. The DSL modem is NAT capable, I think.

My questions are:

1. With the current setup I won't be able to configure separate VLANs, right? Because the whole network has one default gateway.

2. If I change the IPs between the LAN of the modem and the 1811 router to public IPs, then I will be able to configure two VLANs, right?

3. Is it possible to configure NAT in the current scenario?

4. Is it possible to configure NAT if I configure a public IP between the modem and the router?

My needs are as below:

1) I want to configure two VLANs to separate the IP phones and the servers. Currently they are in the same VLAN.

2) Servers need to access the internet.

3) I need to give a public IP to the Exchange server.

4) I need to secure the entire network.

Please suggest your valid information.

Thanks and Regards, Vipin
9 Replies

Marwan ALshawi
VIP Alumni

Hi There

See answers below.

1) Do you want to use both VLANs in both switches, or does each switch have to have one VLAN?

Case 1:

Each switch has its own VLAN. Then configure the router port connected to each switch with the relevant IP to be the default gateway for that VLAN.

Case 2, both switches have to have both VLANs:

In this case you need either to connect the 2960 to the 3550, enable routing in the 3550 and add a trunk link between the 2960 and the 3550,

or to connect the switches through a trunk link, connect the router to the 3550 using a trunk port in the switch, and in the router configure a subinterface for each VLAN (router on a stick).

Example:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml

2960---Trunk---3550---Trunk---Router----

2) For internet access you can control it using ACLs and NAT.

If you are going to do NAT, then NAT only traffic sourced from the servers' IPs, and use an ACL in the router to block any traffic coming from other than the servers' IPs from going out of the outbound interface to the DSL modem, in the outbound direction.

Example: the servers' IPs are, let's say, 10.1.1.0/24, and you do not NAT in the router here:

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 deny ip any any
!
! the outbound interface towards the DSL modem
interface fax/x
 ip access-group 100 out

3) If your DSL can do basic NATing, then just do NATing/port forwarding to the internal IP of the server,

assuming the DSL can have basic static routing to point to the internal router for the internal subnets such as 10.1.1.0.

If you have enough public IPs and configure the interfaces between the DSL modem and the router using public IPs, then you can use the router to do better NATing, using policy NAT to control what is to be NATed.

4) For security use the links below:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

http://www.dslreports.com/faq/7766

HTH

if helpful Rate

Hi

Thanks for your reply.

Suppose I have two VLANs and each VLAN is for one switch. No inter-VLAN communication, like your first case.

Assume I don't have enough public IPs to configure between router and modem. So I have only one private gateway, which is configured on the modem. Currently all the servers and IP phones are in the same range as the IP range between modem and router. If I intend to create new VLANs, they should be in a different network, right?

So I can't assign the modem's IP as the gateway. I should assign as the gateway the IP of the interface that is connected to the switch, right?

Say the IP range between router and modem is 10.1.1.0/24. One VLAN in the 3550 switch is in the range 10.1.2.0/24. The VLAN in the other switch is in the range 10.1.3.0/24. Servers are connected to the 3550 switch. The IP address of the interface that is connected to the 3550 switch is 10.1.2.1. So I must give the gateway for the servers as 10.1.2.1, right?

The IP in the modem is 10.1.1.1 and in the router it is 10.1.1.2.

So how will the servers get internet? Since the gateway of the servers is the IP of the router interface, it won't be able to route to the internet, right?

A simple NAT in the router won't work, right? Because the router-to-modem interface is a private one.

Will a default route solve the internet access problem? A default route to the IP of the modem... I think it will resolve the internet problem.

But how can I NAT the servers' private IPs to a public IP? NAT in the modem won't work, right? Since it doesn't have any route to the servers' IP range. Also I am not preferring NAT in the modem, since I have a firewall-capable ISR 1811 in my office.

So what should I do?

A static route is possible in the modem. I saw something like a static route in the modem. I think for the time being it will work.

What is your opinion? Please update ASAP.

Thanks and Regards

Vipin

Thanks and Regards, Vipin

Hi Vipin,

As told by marwanshawi, you should be using case 1, and you would be able to do inter-VLAN routing with case 1.

If you want the router to do the NAT even with one public IP, you can do it using overload on the router interface connecting to the modem.

Have a public IP assigned to the router interface connecting to the modem.

And for the ACL you can again follow marwanshawi's advice.

Hope this helps. Cheers.

Hi,

NAT in the router is possible only if there is a public IP between the router and the modem, right?

Thanks

Vipin

Thanks and Regards, Vipin

Hi Vipin

See the example below, based on your questions above.

Each switch is connected to a different router interface on the LAN side, and there is no inter-VLAN routing on the switch (just an L2 switch).

3550:

vlan 10
 name Server_Vlan
!
! to the server with IP 10.1.2.10
interface fax/1
 switchport mode access
 switchport access vlan 10
!
! to the router
interface fax/24
 switchport mode access
 switchport access vlan 10

################

Router config

In the router you have the settings below:

- LAN interface network 10.1.2.0/24
- DSL interface 10.1.1.0/24
- default route pointing to the DSL modem
- assuming the DSL cannot do NATing, then what we can do is NATing in the router, to NAT traffic coming from the server so it appears to come from the router IP 10.1.1.2 (this can be per port)

However, the DSL is supposed to do simple port forwarding here, to forward traffic coming to the external public IP to the router IP for a certain port like SMTP, and to NAT traffic going out its DSL interface.

Router config:

! to LAN/3550
interface fax/1
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
!
! to DSL
interface x/0
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
!
! default route pointing to the DSL IP
ip route 0.0.0.0 0.0.0.0 10.1.1.1

For the NATing config:

1- If you want all traffic from any IP in the server network to be NATed to the router external IP 10.1.1.2, use the config below:

access-list 10 permit 10.1.2.0 0.0.0.255
!
route-map nat1 permit 10
 match ip address 10
!
ip nat inside source route-map nat1 interface fax/0 overload

2- If you want any traffic from the server with IP 10.1.2.10 (ONLY) to be NATed to the external IP of the router, use the config below:

ip nat inside source static 10.1.2.10 10.1.1.2

3- If you want specific ports from the server to be NATed to the outside interface of the router, use the config below:

! TCP port 25 is SMTP; add more lines for any other ports you want
ip nat inside source static tcp 10.1.2.10 25 10.1.1.2 25

HTH

if helpful Rate
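A consolidated router configuration for the case 1 design discussed in this thread (one access VLAN per switch, NAT overload for the server subnet only, static PAT for SMTP), added here as an example and not taken from any post above. It uses the addresses from the thread (modem 10.1.1.1, router 10.1.1.2, servers 10.1.2.0/24 with Exchange at 10.1.2.10, phones 10.1.3.0/24) and assumes an 1811 whose routed port FastEthernet0 faces the modem and whose built-in switch ports FastEthernet2 and FastEthernet3 feed the 3550 and the 2960; the modem is assumed to forward TCP/25 to 10.1.1.2.

```cisco
! Added example (not from the thread). Addresses follow the thread:
! modem 10.1.1.1, router DSL side 10.1.1.2, servers 10.1.2.0/24 (Exchange 10.1.2.10),
! phones 10.1.3.0/24. Interface names assume an 1811: FastEthernet0 is a routed
! port to the modem, FastEthernet2/3 are ports of the built-in switch.
vlan 10
 name Server_Vlan
vlan 20
 name Voice_Vlan
!
interface FastEthernet0
 description to DSL modem (private link, the modem does the public NAT)
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
 ip access-group 100 out
!
interface FastEthernet2
 description to 3550, access port only (one VLAN, so no trunk needed)
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet3
 description to 2960 (IP phones)
 switchport mode access
 switchport access vlan 20
!
interface Vlan10
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
!
! no ip nat inside on Vlan20: phone traffic is never translated
interface Vlan20
 ip address 10.1.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! Policy NAT: only the server subnet is translated to the router's DSL-side address
access-list 10 permit 10.1.2.0 0.0.0.255
route-map NAT1 permit 10
 match ip address 10
ip nat inside source route-map NAT1 interface FastEthernet0 overload
!
! Static PAT: TCP/25 arriving at 10.1.1.2 (forwarded by the modem) goes to Exchange
ip nat inside source static tcp 10.1.2.10 25 10.1.1.2 25
!
! The outbound ACL is evaluated after NAT, so it sees the translated source. Only
! 10.1.1.2 may leave towards the modem; untranslated phone traffic is dropped and logged.
access-list 100 permit ip host 10.1.1.2 any
access-list 100 deny ip any any log
```

Because the router translates everything it sends to the modem to 10.1.1.2, the modem needs no static route back to 10.1.2.0/24; `show ip nat translations` and the ACL 100 log entries show which flows are leaving and which are being blocked.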

Hi marwanshawi,

Thanks for the reply. I understand it. In this scenario I can do only port forwarding, right?

I need a dedicated IP address for the Exchange server. It is not possible with the current scenario, right?

Thanks

Vipin

Thanks and Regards, Vipin

Well, if you have a spare public IP you could do it.

If not, just use static PAT/port forwarding to NAT whatever ports you need to use for your Exchange server,

like HTTPS/SMTP/POP3, etc.

HTH

Please rate the helpful posts.

Hi marwanshawi,

Also, the modem has a dynamic public IP only. So how can we port forward?

For OWA access and all, we need a dedicated IP, right?

Thanks

Vipin

Thanks and Regards, Vipin

I think you need to speak to your ISP about this; they can give you a static one.

Just search on the net for the ports required for OWA and use the NAT/PAT example above to configure port forwarding.

If you want to access OWA via name then you need to have DNS set up at your ISP to resolve to the static IP you have.

Good luck.
