
Can vlan # change from device to device?

fbeye
Level 4

On Switch 1 I have 10.0.1.0 in vlan 10 and 10.0.2.0 in vlan 11.

Can I, on Switch 2, have a vlan 25 with 10.0.1.0 and a vlan 35 with 10.0.2.0, and have 35 talk to 11 (obviously if connected from both switches via Ethernet) so that the [same] subnets communicate? Or does (for example) subnet 10.0.2.0 need to be the same vlan on every switch/device it’s connected to in order to see each other?

69 Replies

I assumed I needed DHCP to assign an IP to the vlan as well as IPs to the devices.
Also, though I will specify the IPs on NAS 1 and NAS 2, I am fine with whatever new devices come and go (iPad, iPhone, Wi-Fi, game console, etc.) just grabbing an IP when they want.
There really are too many devices for me to [want] to config. But what is your recommended solution/alternative to not having a DHCP server?

I got home and changed vlan 12 as you mentioned but to no avail.

At least I can now PING everything and tracert, but no WWW access (from 192.168.5.2).

ping 192.168.5.1

Pinging 192.168.5.1 with 32 bytes of data:
Reply from 192.168.5.1: bytes=32 time=4ms TTL=255
Reply from 192.168.5.1: bytes=32 time=1ms TTL=255
Reply from 192.168.5.1: bytes=32 time=2ms TTL=255
Reply from 192.168.5.1: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.5.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 4ms, Average = 2ms

ping 192.168.1.7

Pinging 192.168.1.7 with 32 bytes of data:
Reply from 192.168.1.7: bytes=32 time=2ms TTL=255
Reply from 192.168.1.7: bytes=32 time=1ms TTL=255
Reply from 192.168.1.7: bytes=32 time=1ms TTL=255
Reply from 192.168.1.7: bytes=32 time=2ms TTL=255

Ping statistics for 192.168.1.7:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=254
Reply from 192.168.1.1: bytes=32 time<1ms TTL=254
Reply from 192.168.1.1: bytes=32 time<1ms TTL=254
Reply from 192.168.1.1: bytes=32 time<1ms TTL=254

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

tracert 192.168.1.1

Tracing route to 192.168.1.1 over a maximum of 30 hops

1 1 ms 1 ms 4 ms 192.168.5.1
2 <1 ms <1 ms <1 ms 192.168.1.1

Trace complete.

Here is the running-config:

ip routing
!
ip dhcp excluded-address 192.168.5.1
!
ip dhcp pool inside
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.1.7 255.255.255.0
spanning-tree portfast
!
interface GigabitEthernet1/0/2
no switchport
ip address 10.0.2.124 255.255.255.0
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
no switchport
no ip address
!
interface GigabitEthernet1/0/21
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
!
interface Vlan12
ip address 192.168.5.1 255.255.255.0
ip policy route-map tointernet
!
ip http server
ip http authentication local
ip http secure-server
!
logging esm config
access-list 101 permit ip 192.168.5.0 0.0.0.15 any
access-list 102 permit ip 192.168.5.32 0.0.0.15 any
no cdp run
route-map tointernet permit 10
match ip address 101
set ip next-hop 192.168.1.1
!
route-map tointernet permit 20
match ip address 102
set ip next-hop 10.0.2.1

First let me respond about DHCP. You said "I assumed I needed DHCP to assign an IP to the Vlan as well as IP’s to the devices." You certainly do not need DHCP to assign an IP to the vlan. You have done that manually:

interface Vlan12
ip address 192.168.5.1 255.255.255.0

You also comment that you do not want to manually configure the numerous devices that may come and go in the network. I sympathize about that. But part of your requirements was that some devices would use D-Link for Internet access and other devices would use ASA for Internet access. That is why you configured PBR. How can you achieve that if DHCP is assigning IP addresses?

You ask about my recommendation about DHCP. For ease of administration I certainly would recommend DHCP. But to achieve control over which devices use D-Link and which devices use ASA I would not recommend DHCP. You sort of have 2 objectives that are mutually contradictory. Which is the most important to you?

Then let me address the problem that you cannot access the Internet. I do not believe that this has anything to do with the Catalyst configuration. Your ping and tracert show that you get to the ASA. But you do not get past the ASA. So this is not an issue about the switch. I believe that the problem is that the ASA (and the D-Link when you get to it) are not doing address translation for the 192.168.5.0 network. Clearly they were configured to translate addresses when you were using vlans 10 and 11 for devices. Now they need to be configured to translate the new network.

HTH

Rick

Morning

 

Alright yes, you are correct, though I wasn’t intentionally trying to contradict. Being that they are 2 different approaches that either use PBR or not, I will indeed stick with manually assigning IPs, as you mentioned I already had with the simple fact of interface vlan 12. I just meant I thought a server needed to be active for the devices to communicate. For simplicity’s sake, I’ll not use a DHCP server.

So all this gets omitted?

ip dhcp excluded-address 192.168.5.1
!
ip dhcp pool inside
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1

As far as NAT goes, that does make sense. And I had, again, assumed that if a range of IPs was to use the ASA (192.168.1.1) for Internet, it was already “natted”, as the ASA has NAT for 192.168.1.1.

As you mentioned, NAT obviously worked as it did when we had vlan 10 and 11, but those vlans were directly part of their serving routers. Here we are adding a new subnet (192.168.5.0), so that sort of confuses me. I can’t double NAT.

192.168.1.7 has NAT on the ASA and 10.0.2.124 has NAT on the DLink.

Not sure how to add another NAT from 192.168.5.0 to the 2 L3 interfaces. I figured whatever device/IP connects to, let’s say, 192.168.1.7 would already have its NAT.
But I do see how it would need it. Gah!

I do understand “how does 192.168.5.0 know what 192.168.1.0 is to get Internet?” Well, I thought that’s what PBR was doing, aside from what goes where.

Being that 5.0 isn’t on the ASA by any means, do I still put NAT on the ASA? Being that I currently have PAT on the ASA from 192.168.1.0 to 207.108.x.177, I again am at a loss.
I remember a year or so ago doing NAT like that to an internal device subnet (not on the ASA) to access a VPN. Kind of forgot that. NAT 192.168.5.0 to 192.168.1.0, I assume?

Correction:

On the ASA there is PAT translating (WAN) 207.108.x.177 to 192.168.1.0 (LAN network). I am to assume anything under “192.168.1.0”, when it hits the Internet, will have the WAN address. This means that 192.168.1.7 on the Catalyst GE 1/0/1 interface is connected and has PAT on the ASA.
Therefore I would assume any device (192.168.5.0) that uses 192.168.1.7 to the ASA (192.168.1.1) would in turn “share” the PAT and have the correct WAN address. This has me thinking I need PAT for 192.168.1.7 to be translated to subnet 192.168.5.0? Still seems like a double NAT.

I certainly understand that "I wasn’t intentionally trying to contradict". The contradiction was not intentional but just happened as you explored various options. I believe that you have made the correct choice in using PBR and manual configuration of the network devices. And it occurs to me that perhaps there is another option that we might explore. Is it perhaps the case that for some devices in the network you do care how they access the Internet (some should use D-Link while others should use ASA) but for other devices (particularly some who come and go) you do not really care which path they use for Internet access? If that is the case then you might set up one range of addresses (perhaps 129 through 191 for D-Link device manual configuration, 193 through 254 for ASA device manual configuration) and configure a DHCP pool (perhaps 1 through 127) for the other devices. Then modify acl 101 so that it matches 192 through 255. PBR would then send that block to the ASA. Modify acl 102 so that it matches 192.168.5.0/24 and this will send all other traffic to D-Link.

As far as NAT is concerned you need to do it somewhere and the Catalyst does not support NAT. So it needs to be done on the D-Link and on the ASA.

HTH

Rick
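The route-map logic in the posted running-config, and Rick's proposed revision of acl 101 and acl 102 above, modelled as an added Python example (not code from the thread, the Catalyst, or Cisco): it applies IOS wildcard-mask matching top-down, first match wins, and reports which next-hop a given source address is policy-routed to. Each sequence is inlined as (ACL network, ACL wildcard, set next-hop); everything else is constructed for illustration. It also makes the gap in the posted config visible: a host outside both ranges matches no sequence and falls back to the normal routing table, which the proposed 192.168.5.0/24 entry for acl 102 closes.

```python
import ipaddress
from typing import List, Optional, Tuple

# One route-map sequence: the ACL entry it matches (network, wildcard) and the
# next-hop it sets. IOS wildcard masks: a 0 bit must match, a 1 bit is "don't care".
Sequence = Tuple[str, str, str]


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """True if ip matches 'network wildcard' the way an IOS ACL entry does."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits the entry checks
    return (ip_i & care) == (net_i & care)


def pbr_next_hop(src_ip: str, route_map: List[Sequence]) -> Optional[str]:
    """Walk the route-map top-down; the first matching sequence wins.
    None means no sequence matched, so the packet follows the normal routing table."""
    for network, wildcard, next_hop in route_map:
        if wildcard_match(src_ip, network, wildcard):
            return next_hop
    return None


# Route-map "tointernet" as posted: acl 101 -> ASA, acl 102 -> D-Link.
POSTED: List[Sequence] = [
    ("192.168.5.0", "0.0.0.15", "192.168.1.1"),   # seq 10: .0-.15  -> ASA
    ("192.168.5.32", "0.0.0.15", "10.0.2.1"),     # seq 20: .32-.47 -> D-Link
]

# Rick's proposed revision: .192-.255 -> ASA, anything else in the /24 -> D-Link.
# Wildcard 0.0.0.63 fixes the top two host bits (192 = 1100 0000), hence .192-.255.
PROPOSED: List[Sequence] = [
    ("192.168.5.192", "0.0.0.63", "192.168.1.1"),
    ("192.168.5.0", "0.0.0.255", "10.0.2.1"),
]


if __name__ == "__main__":
    # Constructed sample hosts: inside acl 101, inside acl 102, and in neither range.
    for host in ("192.168.5.2", "192.168.5.40", "192.168.5.100", "192.168.5.200"):
        print(host, "posted:", pbr_next_hop(host, POSTED),
              "proposed:", pbr_next_hop(host, PROPOSED))
```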

Alright… I like what you said about keeping 2 ranges outside of the DHCP server and then the ‘come and go’ devices would be just that on the server. I will do this exactly after I succeed in getting to the Internet.

So as to not overload my brain, I will currently only work with the ASA and routing.

So, I understand what needs to be done and yet I am still on the fence.

If on the ASA I have PAT from 207.108.x.177 to 192.168.1.0, would I create a PAT from 192.168.1.7 to 192.168.5.0?

Why am I struggling over this so much? I think it’s due to my confidence being in disarray; I’m starting to question everything.

After crying and shaking as I held my knees on the closet floor with numerous failed attempts, I tried one final configuration.

As best I can explain, I created this Dynamic PAT:

name: newlan
type: network
ip address: 192.168.5.0
netmask: 255.255.255.0
dynamic pat
translated address: outside {interface}

And when I connect anything on the new LAN 192.168.5.2-15 it has the 207.208.x.177 WAN IP, and when I connect anything 192.168.5.32-47 it has my VPN outside WAN IP.

So, it is working as WE intended and I could never ever never have gotten this without your help. As you well know, for OVER a year under many facades I have been seeking help with this same issue. We finally got it, to this point.

#1, Depending on where they reside on the new subnet, they connect to the Internet, and surf, on their correct WAN IP.

#2, We got the routing set correctly so 192.168.1.0 sees 10.0.2.0 and the reverse through the new subnet, 192.168.5.0.

#3, I did notice, if any device is on DHCP config, it will grab whatever IP it wants in the correct subnet but never gets a DNS server, so no Internet. If I manually input an IP address and DNS, it works like a charm.

On the Catalyst, if I set 'dns-server 8.8.8.8' or even 192.168.5.1 or 192.168.1.1, it won't help; only if I manually input it on the host.

Please do correct my PAT config if it is incorrect or sloppy. If you have any advice on DNS I would love that as well.

We are making good progress. As for #3, looking at the posted config the DHCP pool does not have an entry for DNS server. Add an entry in the DHCP pool for dns server and I believe that issue will be resolved.

I do not see anything that I would suggest changing about your PAT config.

HTH

Rick

Morning

Funny you mention that. Last night I added the dns-server and after a bit turned my Xbox on and it grabbed everything automatically and worked fine.
So yeah, this whole thing is finally done.
Thank you again, you’ve taught me to think differently and approach some of this stuff from a different angle.

... Until my next project.

M.M

M.M

I am glad to know that it is now working as you wanted. It has been a long discussion and I am pleased that one result is that you now think about some things differently. There is a lot to learn about networking, and you are making progress. I look forward to your next project. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick