Re: Cisco 3350 Switch - 30 VLANs with Public IP's ?

s.nasheet · ‎11-29-2009

Hi ,

I have to configure Cisco 3550 switch L3 that will allow 30 offices all within the same big building to share internet. Each office will have around 5-10 Pc's/Servers. Severs'( Email/Web) need to accessiable from internet. Pc's from one office should not be able to talk to the Pc's in other offices. Each office will have there own router/switch ( for NATing ) which will be connected to Cisco 3550 via Ethernet cable.

10MB Internet will be terminiated on Cisco 3350's fastethernet interface and from there it will be distributed to each office. I have more than 30 public IP address available to support this desing.

I was thinking to create 30 VLANS's ( one for each office ) and assign a public IP to each vlan interface but form that point onward, I can't think how to configure of the network ?

Please see the attached diagram to undestand what I am trying to achieve.

All I need is to provide a ethernet socket to each office with internet connection( one public IP is needed to each office) where each office will plug there own router/switch for Internet connectivity and LAN.

Can you think of the easites way to configure this network ?

Many thanks for your advise.

Regards,

Jon Marshall · ‎11-29-2009

Can you add the diagram. If visio can you post in .jpg/.png format.

Jon

s.nasheet · ‎11-29-2009

Hi ,

Please see the attached daigram ( not very well laid)

Regards

Jon Marshall · ‎11-29-2009

Still not seeing the diagram ??

s.nasheet · ‎11-29-2009

Jon ,

Sorry Can't attach power point diagram for some strange reason. Can I email ?

Regards

Jon Marshall · ‎11-29-2009

jms.123@hotmail.co.uk

s.nasheet · ‎11-29-2009

Jon ,

Email has sent. Thanks for your help.

Jon Marshall · ‎11-29-2009

Yep, just got it. I have converted to .pdf and attached so others can get involved if they want.

Jon Marshall · ‎11-29-2009

Update - i'm being a bit thick at the moment and got confused between pix/ASA NAT and router NAT. The public IP does need to be allocated to an interface.

Give me a moment and i'll sort it out

Jon

Jon Marshall · ‎11-29-2009

Okay, you do need to allocate the public IP to an interface, sorry on the firewalls you don't have to and i got a bit mixed up !

Assuming that the customer routers are Cisco and using the previous example this is what customer 1 router would look like. We will assume they want to NAT all internal clients to the public IP for internet access and also to present a mail server with this address. Mail server address is 192.168.1.10. So -

customer router

===========

int loopback 10

ip address 195.17.17.1 255.255.255.255

int fa0/0 <--- this is customer internal LAN

ip address 192.168.1.1 255.255.255.0

int fa0/1 <--- this connects to 3550 switch as per previous thread

ip address 192.168.5.2 255.255.255.252

ip nat inside source list 101 interface loopback 10 overload

access-list 101 permit 192.168.1.0 0.0.0.255 any

the above 2 lines take care of Natting/Patting all internal clients to 195.17.17.1.

ip nat inside source static tcp 192.168.1.10 25 195.17.17.1 25

the above line takes care of the mail server

ip route 0.0.0.0 0.0.0.0 192.168.5.2 <--- this is default route so all traffic goes to 3550

Jon

Reza Sharifi · ‎11-29-2009

Jon,

ip route 0.0.0.0 0.0.0.0 192.168.5.2 <--- this is default route so all traffic goes to 3550

I think there is small typo here

it should be 192.168.5.1 (the interface of the 3550)

Thanks,

Reza

Jon Marshall · ‎11-29-2009

sharifimr wrote:

Jon,

ip route 0.0.0.0 0.0.0.0 192.168.5.2 <--- this is default route so all traffic goes to 3550

I think there is small typo here

it should be 192.168.5.1 (the interface of the 3550)

Thanks,

Reza

Reza

Yep, thanks for the correction

Jon

Jon Marshall · ‎11-29-2009

s.nasheet wrote:
Hi ,
I have to configure Cisco 3550 switch L3  that will allow 30 offices all within the same big building to share internet. Each office will have around 5-10 Pc's/Servers. Severs'( Email/Web) need to accessiable from internet. Pc's from one office should not be able to talk to the Pc's in other offices. Each office will have there own router/switch ( for NATing ) which will be connected to Cisco 3550 via Ethernet cable.
 10MB Internet will be terminiated on Cisco 3350's fastethernet interface and from there it will be distributed to each office. I have more than 30 public IP address available to support this desing.
I was thinking to create 30 VLANS's ( one for each office ) and assign a public IP to each vlan interface but form that point onward, I can't think how to configure of the network ?
Please see the attached diagram to undestand what I am trying to achieve.
All I need is to provide a ethernet socket to each office with internet connection( one public IP is needed to each office)  where each office will plug there own router/switch for Internet connectivity and LAN.
Can you think of the easites way to configure this network ?
Many thanks for  your advise.
Regards,

The 3550 will not do NAT. If you allocate the public IP for each customer on your 3550 then how will you NAT the customer addresses.

The customer will need the public IP to NAT their internal addressing and their web/e-mail servers. So you will need to create private addressed connections from the 3550 to each customer. Personally i would make each port on the 3550 connecting to a customer a routed port. So as an example lets do customer 1

Allocate one of your public IPs to customer 1 eg. 195.17.17.1

on the 3550

========

int gi0/1

no switchport

ip address 192.168.5.1 255.255.255.252

ip route 0.0.0.0 0.0.0.0 <-- this is for the 3550 to route to the Internet.

ip route 195.17.17.1 255.255.255.255 192.168.5.2 <-- this is for the 3550 to be able to route return traffic to the correct customer

on the customer router

================

interface that connects to 3550

int fa0/1

ip address 192.168.5.2 255.255.255.252

they will then need to use their public IP to NAT internal hosts and for their servers. Note the public IP does not need to be allocated to any interface on the customer router and actually with this setup they can't allocate it to any interface.

Note also that you will need to agree an addressing scheme for all customers so that the network you use to connect their router to the switch does not overlap with their addressing or any of the other customers networks.

Then you can apply standard acls to the routed ports on the 3550 to make sure each customer can only go to the Internet.

If you had enough public addressing to have 2 IPs per customer then you don't really need the above private addressed link between 3550 and customer router but it sounds like you don't.

You are also totally reliant on the customer being able to do NAT because you can't.

Jon

s.nasheet · ‎11-29-2009

Jon ,

First solution looks bit complicated to me as I mght need to create 30 static router for reach customer to return traffic to appropriate customer plus I need to ask every customer to change there LAN addresing which seems bit hard at this stage.

Solution two regarding the 2 IP's per customer, at the minute I don't have 2 IP's per customer but I can ask ISP to proivde more IP's so 2 IP's for each customer and it should not be a problem to have more public IP's.

Lets say I managed to get 2 IP's per customer then how will I need to design the network.

Regards.

Jon Marshall · ‎11-29-2009

s.nasheet wrote:
Jon ,
First solution looks bit complicated to me as I mght need to create 30 static router for reach customer to return traffic to appropriate customer plus I need to ask every  customer to change there LAN addresing which seems bit hard at this stage.
 Solution two  regarding the 2 IP's per customer, at the minute I don't have 2 IP's per customer but I can ask ISP to proivde more IP's  so 2 IP's  for each customer and it should not be a problem to have more public IP's.
Lets say I managed to get 2 IP's per customer then how will I need  to design the network.
Regards.

You do need the static routes but only one per customer not 30 for each customer. You don't need to ask customer to change IP addressing. You just need to make sure that the addressing you use for the P2P link between the customer router and the 3550 does not overlap with any of their private addressing.

If you had 2 IPs per customer then as i said it will be a lot simpler, i just assumed you didn't have them. If you do, you simply use the public IPs, 2 per customer, on the point to point link between the customer router and the 3550 and then you don't need the loopback on the customer router and you do not need the static routes on the 3550.

You can either still use routed ports on the 3550 or you could use vlan interfaces if you wanted to.

Jon