03-12-2009 05:14 PM - edited 03-06-2019 04:33 AM
We have successfully implemented a routed VLAN setup at our site with one problem. We need to be able to connect to a couple of hosts on a separate network that is not in our control. These hosts are dual homed with the second NIC on our VLAN 2 Server network. The problem is when we try to connect to these hosts from the other VLANs. I believe the traffic is getting to the hosts from the other VLANs, but is being dropped or routed to the separate network gateway. How would you recommend connecting to these hosts?
We have these VLANs set up:
VLAN 1 shutdown
172.17.2.0/24 = VLAN 2 Servers
172.17.3.0/24 = VLAN 3 Workstations
172.17.10.0/24 = VLAN 10 Management
The other network is 192.168.0.0/16, which is out of our control.
Dual host #1
NIC1 192.168.2.? GW 192.168.2.1
NIC2 172.17.2.5 GW 172.17.2.254
Dual host #2
NIC1 192.168.2.? GW 192.168.2.1
NIC2 172.17.2.6 GW 172.17.2.254
03-12-2009 05:24 PM
Jim
Either
1) Add routes to the hosts for your VLAN subnets, but this might not be possible as they are out of your control
OR
2) Use NAT, i.e.
access-list 101 permit ip 172.17.3.0 0.0.0.255 host 172.17.2.5
access-list 101 permit ip 172.17.3.0 0.0.0.255 host 172.17.2.6
on vlan interfaces
int vlan 3
ip nat inside
int vlan 10
ip nat inside
int vlan 2
ip nat outside
ip nat inside source list 101 interface vlan 2 overload
Then any traffic going to the hosts will seem to be coming from the VLAN 2 IP address, and so the hosts should use their VLAN 2 gateway rather than the 192.168.2.1 gateway.
Jon
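To see why the two options work, here is an added Python model (not from the thread or from Cisco) of the dual-homed host's egress decision: a longest-prefix-match lookup over the host table as posted (connected 192.168.2.0/24 on NIC1, connected 172.17.2.0/24 on NIC2, default via 192.168.2.1), option 1 as extra host routes via 172.17.2.254, and option 2 as the source rewrite that `ip nat inside source list 101 interface vlan 2 overload` performs for flows matching ACL 101 exactly as written above. Client addresses such as 172.17.3.10 are constructed examples.

```python
import ipaddress
from typing import List, Optional, Tuple

# Route = (prefix, next_hop or None if directly connected, interface)
Route = Tuple[str, Optional[str], str]

# Dual host #1 as posted. A host honours only one default gateway; here NIC1's
# 192.168.2.1 wins, which is what makes the return path asymmetric.
HOST_ROUTES: List[Route] = [
    ("192.168.2.0/24", None, "NIC1"),
    ("172.17.2.0/24", None, "NIC2"),
    ("0.0.0.0/0", "192.168.2.1", "NIC1"),
]

def lookup(dst: str, routes: List[Route]) -> Tuple[str, Optional[str]]:
    """Longest-prefix match over the host table: returns (interface, next_hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifc)
    if best is None:
        raise LookupError("no route to " + dst)
    return best[2], best[1]

def reply_interface(client_src: str, routes: List[Route] = HOST_ROUTES) -> str:
    """NIC the host uses to answer a packet whose source address was client_src."""
    return lookup(client_src, routes)[0]

def with_host_routes(routes: List[Route] = HOST_ROUTES) -> List[Route]:
    """Option 1: static routes on the host for the site's VLANs via the VLAN 2 SVI."""
    return routes + [("172.17.3.0/24", "172.17.2.254", "NIC2"),
                     ("172.17.10.0/24", "172.17.2.254", "NIC2")]

def nat_source(src: str, dst: str, vlan2_svi: str = "172.17.2.254") -> str:
    """Option 2: 'ip nat inside source list 101 interface vlan 2 overload'.
    ACL 101 as posted matches only VLAN 3 sources to hosts .5 and .6, so only
    those flows get their source rewritten to the VLAN 2 SVI address."""
    in_vlan3 = ipaddress.ip_address(src) in ipaddress.ip_network("172.17.3.0/24")
    return vlan2_svi if in_vlan3 and dst in ("172.17.2.5", "172.17.2.6") else src

def reply_ok(client_src: str, host_ip: str, option: str) -> bool:
    """True if the host's reply leaves via NIC2, i.e. back onto VLAN 2."""
    if option == "routes":
        return reply_interface(client_src, with_host_routes()) == "NIC2"
    if option == "nat":
        return reply_interface(nat_source(client_src, host_ip)) == "NIC2"
    return reply_interface(client_src) == "NIC2"
```

Running `reply_ok` for a VLAN 10 source under the NAT option shows that ACL 101 as written leaves VLAN 10 untranslated, so a matching permit line for 172.17.10.0/24 would be needed there as well.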
03-12-2009 05:53 PM
I will give it a try. Can I add these to the existing ACLs?
Here is what I have on the Main switch:
snip
========================================
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description SERVERS
ip address 172.17.2.254 255.255.255.0
!
interface Vlan3
description WG3
ip address 172.17.3.254 255.255.255.0
ip access-group 110 in
ip helper-address 172.17.2.1
=======================================
snip
=======================================
interface Vlan10
description MANAGEMENT
ip address 172.17.10.254 255.255.255.0
!
=======================================
snip
=======================================
interface Vlan100
description INTERNET
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.100.1
ip http server
!
access-list 110 permit udp any eq bootpc any
access-list 110 permit ip 172.17.3.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 110 permit ip 172.17.3.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 110 permit ip 172.17.3.0 0.0.0.255 172.17.100.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.4.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.5.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.6.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.7.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.8.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.12.0 0.0.0.255
access-list 110 permit ip 172.17.3.0 0.0.0.255 any
access-list 111 permit udp any eq bootpc any
access-list 111 permit ip 172.17.4.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 111 permit ip 172.17.4.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 111 permit ip 172.17.4.0 0.0.0.255 172.17.100.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.3.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.5.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.6.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.7.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.8.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.12.0 0.0.0.255
access-list 111 permit ip 172.17.4.0 0.0.0.255 any
=======================================
snip
=======================================
03-12-2009 06:54 PM
int vlan 3
ip nat inside
This command is not available on our 3560G switch.
03-13-2009 10:38 AM
Jim
Apologies. For some reason I assumed we were talking about a 6500 switch, my fault.
Unfortunately the only switch that supports NAT is the 6500 so you will have to go with option 1.
Jon
03-13-2009 11:56 AM
We are working to get them to add the routes to the server on the other network. Thanks, again.
Jim
03-16-2009 11:06 AM
I have in my LAN a Cisco router and a non-Cisco router;
the problem is that I need to share the Internet connection (backup).
Thanks