Configure this structure behind ISP ONR, vlan, port forward, dhcp, ip6

iewhf02i
Level 1

I just want to know if the configuration in the last diagram below is possible. And of course if I can get some advice on setting up the router and switch configs that would be greatly appreciated as well as this is my first time using Cisco IOS.

So below is a model of the network I currently have. I am using the 2 CBS switches (cbs250 and cbs350) as passive switches.

[image: iewhf02i_1-1684754789903.png, diagram of the current network]

I am currently using the ISP router to assign IP addresses based on the device mac addresses. However, it only lets me assign 16 addresses. I am also able to access ipv6 websites. My ISP does not allow me to disable the ONR and turn it into bridge mode. I am stuck with it.

Using my ONR, I have opened up port 51200 to 192.168.1.14 for my WireGuard server.

I tried to create 2 vlans in the config above at first without a router, but I was unable to connect the devices from vlan2 to the internet, while the devices on vlan1 were able to connect to the internet. I posted about it here and was able to get some help: https://community.cisco.com/t5/switching/cbs350-vlan2-cannot-access-internet-but-can-access-other-vlan/m-p/4840049#M544631

So I went looking for a Cisco router, and I got one. I also did not realise that the C921-4P only has an IOS interface and no web GUI; it took me a while to figure out how it worked just to get the internet started on one of the ports, but I think I can figure out how to do the rest after reading the documentation. I just want to know if I will be able to set up the following network structure below before I undertake this task. I think it's called router on a stick.

1. I want to separate my work and home networks allowing some devices to overlap (the Synology NAS for now).

2. I also need to be able to forward some ports on my ONR (for my WireGuard server) and I am unsure how. Am I supposed to forward it twice? I am told I will have double NAT with this config and will have to port forward twice, once on the C921 and once on the ONR? How do I get the ONR to read the addresses from the C921? I have managed to set up the C921 as a router on a second port of my ONR, where it has an IP address of 192.168.1.102, and I have a laptop plugged in; that's as far as I have gotten so far.

3. I also need to activate ipv6 on the devices (ONR already has it turned on).

4. I also need to be able to assign IP addresses to my devices using the MAC addresses, for example I also have some wireless devices that will be connected to the ASUS routers which I want to assign, I saw that the CBS350 has a DHCP server which can do that for me so I hope that won't be an issue.

[image: iewhf02i_0-1684754540966.png, diagram of the planned network]

Any help would be greatly appreciated. Thanks!

3 Replies

Richard Burts
Hall of Fame

Much of what you describe can be achieved with the Cisco router and 2 switches. In general this is how I suggest it should be done:

- connection from ISP to router would be a routed interface. Probably using DHCP for the router to learn an IP address for its interface, and perhaps learn a default route from the ISP. If a default route is not learned using DHCP then a default route would need to be configured.

- connection from router to first switch would be configured as a trunk carrying both vlans. Configure subinterfaces on the interface to process each of the vlans. Each subinterface would have an IP address in its vlan subnet.

- you probably want to configure DHCP for both subnets of the vlans on the router. This would configure the subnet, mask, and the router would serve as the default gateway for the subnet. You mention DHCP on the switch but I believe that this would be more complicated and doing it on the router would be better.

- the connection from switch 1 to switch 2 would be configured as a trunk carrying both vlans.

- the drawing shows the same IP address 10.0.1.254 on both switches. The switches cannot use the same IP. And other than for management purposes the switches do not necessarily need IP addresses.

- do not enable routing on either switch and let the router do the routing. That will make separation of the vlans much easier.

- on the router configure Network Address Translation for the subnets of both vlans.

If you configure this way both vlans should have access to the Internet. And by default the vlans would have access to each other. If you want to keep them separate then configure an access list on the router and apply it to the subinterfaces for the vlans. I would suggest applying the access list outbound on the subinterface. In the access list you would have statements to permit Synology and any other device that needs to access both vlans, then it would deny addresses from the other vlan to the vlan being configured, and then it would permit all other traffic.

HTH

Rick
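As an illustration of the layout Rick describes (routed WAN interface, dot1Q subinterfaces, DHCP pools and NAT on the router, outbound ACLs on the subinterfaces), here is a C921-4P-style IOS config sketch added to this thread; it is not part of the original replies. The interface roles, the two subnets, the NAS address 10.0.1.10, the WireGuard host 10.0.1.14 and the ONR address 192.168.1.1 are assumptions; check the port roles on your own router before using it.

```cisco
! Assumed: Gi0/4 = WAN to the ONR, Gi0/5 = dot1Q trunk to the CBS350, VLAN 1 = 10.0.1.0/24, VLAN 2 = 10.0.2.0/24
! Assumed: NAS = 10.0.1.10, WireGuard host = 10.0.1.14 once moved behind the router, ONR LAN address = 192.168.1.1
ip dhcp excluded-address 10.0.1.1 10.0.1.20
ip dhcp excluded-address 10.0.2.1 10.0.2.20
ip dhcp pool VLAN1
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 192.168.1.1
ip dhcp pool VLAN2
 network 10.0.2.0 255.255.255.0
 default-router 10.0.2.1
 dns-server 192.168.1.1
!
interface GigabitEthernet0/4
 description WAN to ISP ONR (outer NAT layer); learns address and default route by DHCP
 ip address dhcp
 ip nat outside
 no shutdown
interface GigabitEthernet0/5
 description trunk to CBS350, one subinterface per vlan
 no ip address
 no shutdown
interface GigabitEthernet0/5.1
 encapsulation dot1Q 1 native
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip access-group VLAN1-OUT out
interface GigabitEthernet0/5.2
 encapsulation dot1Q 2
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
 ip access-group VLAN2-OUT out
!
ip access-list extended NAT-INSIDE
 permit ip 10.0.1.0 0.0.0.255 any
 permit ip 10.0.2.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/4 overload
! inner half of the double port forward; the ONR still forwards 51200 to this router's WAN address
ip nat inside source static udp 10.0.1.14 51200 interface GigabitEthernet0/4 51200
!
ip access-list extended VLAN1-OUT
 remark toward VLAN 1 hosts: NAS reachable from anywhere, rest of VLAN 2 blocked
 permit ip any host 10.0.1.10
 deny ip 10.0.2.0 0.0.0.255 any
 permit ip any any
ip access-list extended VLAN2-OUT
 remark toward VLAN 2 hosts: NAS may reach them, rest of VLAN 1 blocked
 permit ip host 10.0.1.10 any
 deny ip 10.0.1.0 0.0.0.255 any
 permit ip any any
```

The ACLs are stateless, so each direction needs its own permit for the NAS; if the ONR's DHCP offer does not install a default route, add `ip route 0.0.0.0 0.0.0.0 192.168.1.1` by hand.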

Wow, thanks for this. For the first point, you mean setting the route on the Cisco router, right? I don't know if I can set anything like that on my ONR.

Can both switches share both vlan1 and vlan2? Doesn't that mean they have to share both subnets as well?

Also, about ipv6, how do I make sure all my devices have access to ipv6 websites?

You are welcome. For the first point yes I mean configuring routes on the Cisco router. If your NAT is configured right and your routing is right then the ONR will not need any knowledge of the networks inside your environment.

Yes in the way that I described the configuration with the switches connected using a trunk both switches would share both vlans and share both subnets (but in fact the switches would have no knowledge of the subnets).

The ISR 921 router does support ipv6. To make sure that your devices have access to ipv6 websites you need to have a way for your devices to get ipv6 addresses, to configure ipv6 addresses on the appropriate interfaces of your router, and to provide ipv6 routing. I do not have experience with the 921 router so I am not able to give you much more insight about the details of how to do that.

HTH

Rick