I currently have a catalyst 3560 switch between the clients and the routers, i had enabled IP ROUTING on the switch, set the internet router as the default gateway with 0.0.0.0 0.0.0.0 (ip add of internet router).

Still yet the clients were still getting their ip addresses from the VPN Router.

Am thinking of these two options: (i) Disable  Dhcp on the VPN Router and make the Internet router the DHCP server.

(ii) Configure the Lan IP add of the VPN router in same subnet with Internet LAN.

What other configurations examples can you assist me with on the switch?

thanks

Hi

kindly do as per below configuration.

1> configure catalyst 3560 as a core switch.

2> terminate both link(internet and VPN) on core switch.

3> create 2 different subnet on core SW.

4> configure default route towards internet.

5> configure static route(for VPN user) towards VPN gateway(Benefits:- all user can access internet and specific user can access VPN services).

6> Also configure DHCP on core SW only.

Thanks,

Gaurav

This would have been perfect Gaurav but the only draw back now is the 5th point:

5> configure static route(for VPN user) towards VPN gateway(Benefits:- all user can access internet and specific user can access VPN services).

In this my case, all users wants both the internet and the VPN. 

How do i rectify this issue?

Thanks so far

That's fine and they will be able to do that.

The Static Route towards the VPN router will be for destinations which exist on the other side of the VPN.

You would create static routes for all the Private IP ranges which need to be accessible across the VPN and set the next hop to the VPN routers LAN address. 

For example, lets assume all your Private Ranges which exist on the other side of the VPN are within the 172.16.0.0 /16 range, your routes would be:

ip route 172.16.0.0 255.255.0.0 192.168.1.1

The command above would send all packets destined for 172.16.x.x to 192.168.1.1 or whatever the LAN interface address is of your VPN router.

You would then use a default route towards your Internet router

ip route 0.0.0.0 0.0.0.0 192.168.2.1

You need two subnets, one to sit between the 3560 and the Internet Router and Another to sit between the 3560 and the VPN Router.

On the 3560, you can either use SVI interfaces and simply put the ports into Vlans or use the no switchport command and give the interfaces which go to the Routers an IP address directly.

Hope this helps

My problem here is with the DHCP;

do i have to create individual dhcp for both vlan interfaces or create it as subinterfaces as we do on routers?

Create the DHCP scope on the 3560 for the LAN hosts which are going to hang off it.

Make the 3560 the default gateway for your hosts.

Once the packets hit the default gateway (i.e the 3560) they will either use the routes towards the VPN router or the default route if they are packets destined for the internet.

I am working it out with what the direction you are giving me, this is where i am fixed now;

( On the 3560, you can either use SVI interfaces and simply put the ports into Vlans or use the no switchport command and give the interfaces which go to the Routers an IP address directly)

on the assumption that i am going with 192.168.1.1 for INT router & 192.168.2.1 for VPN router. I am connecting FA0/0 to INT Router and FA0/1 to VPN Router both with the no switchport command. 

Now i have created 2 vlans : 1 for 192.168.1.1 another for 192.168.2.1 both on the switch and i have created dhcp pools to match that too. 

Right now going by the nature of this deployment, since i want all the ports to access both INT & VPN, how do i assign them to both vlans? 

Dhcp scope has also been set for both vlans but it seems the users pc are getting random addresses.

what do i do?

Hmmm, I think you are misunderstanding how this is going to work.

You need to separate your 'WAN' side from your 'LAN' side.

The host which are plugged into your 3560 will be part of a Vlan, say Vlan 2 for example, which has a Subnet address of 10.10.10.0 /24. You would configure an SVI on the 3560 to act as the hosts default gateway. You would then configure DHCP on the 3560 and ensure the default router for this DHCP scope listed the SVI IP address that you just created for Vlan 2.

This is your LAN bit done

Then you need to create some Layer 3 links between the 3560 and the Routers. The Layer 3 links will not be part of your LAN as such, they will be dedicated subnets that sit between the Routers and the 3560.

Effectively your 3560 is acting as a Router (forwarding packets towards the VPN and Internet devices) and a Switch for the connected hosts.

Hope this helps.

If you are stuck after reading what I have written, it may be worth looking at getting someone in who can set this up for you in the short term and then looking at the CCNA track in the long term if its stuff you want to do yourself. 

you can configure DHCP on both device(switch and router). If you will configure on switch, that would be best.

hi ,

AS per my understanding your requirement is that " All users wants to access both internet and VPN services), for this requirement this is the best configuration.

Regards,

Gaurav

ok Gaurav,

The issue here is not with the routes, am having issues with the dhcp and vlans.

Firstly, Since i am creating 2 Vlans, lets say 192.168.1.1 and 192.168.2.1, does that mean i have to create 2 dhcp scope? 

Secondly, how will the client know which vlan to attach to, do i have to assign all the ports to both vlans, if yes, how?

i appreciate your educating me.

Hi,

kindly refer below :-

1> supposed you have created 2 vlans( 10&20).

2>Assign IP 192.168.1.1 to vlan 10 and IP 192.168.2.1 to vlan 20.

3> kindly refer attachment.

4> you can use less IP address after terminating both link(internet and VPN) on core sw.

5> yes you have to create 2 DHCP scope, through access port user will get the IP address and will forward to the destination.

Regards,

Gaurav

A billion thanks to you, it looks more easier now, i am not at the client's site now but whenever i go there, i will have to follow this procedure.

Thanks to you bro.