03-22-2018 09:04 PM - edited 03-08-2019 02:22 PM
I have a pretty simple setup;
8 Static IP Block (5 usable).
vDSL Router/Modem in Bridge Mode
Cisco 891f-K9 running PPPoE and handing out the 4 remaining STATIC IP's (on request by device).
No NAT as I am only running Static IP's and also NO DHCP.
My VLAN1 has my primary (1st IP of 5) as the VLAN IP as well as being the Router's Gateway.
My question is, what is the need for a VLAN if I could just as easily use 5 of the 7 (remaining) Ethernet Ports?
I would assume that I would be able to set up Gigabit8 (WAN) with the Gateway IP and have it work fine..
Also I was debating on creating a vlan2 for a 10.0.0.x DHCP server, is that correct? How do I route the 10.0.0.x to a specific IP of the Block of 5?
I seem to have become confused with the DHCP and VLAN when I began setting up my static ips.
03-23-2018 08:25 AM - edited 03-23-2018 08:26 AM
You don't need the VLAN. As you said, you could configure your WAN port 8 with 1 of the statics and then have a static route pointing to that gateway IP. Don't you have hosts behind that router? If so, I would create a VLAN for hosts and then I would strongly recommend creating a DHCP scope. Once you create the scope, you will need NAT and ACLs to route the subnet to specific IP address. So, create a VLAN and DHCP for your inside hosts, and then just a static IP on your WAN port.
03-23-2018 09:18 AM
I am a bit confused about the topology here. It is described as
vDSL Router/Modem in Bridge Mode
Cisco 891f-K9 running PPPoE and handing out the 4 remaining STATIC IP's
Does the 891 have the public IP on its WAN interface or on one of the LAN interfaces? Perhaps the output of show ip interface brief would provide some clarification.
HTH
Rick
03-23-2018 11:48 AM
My initial reasoning of this thread was of me questioning if I needed to have a vlan in my situation. If not, where and how does my Router know which ip is the Gateway and what is its Block.. I assume my ISP sends out the Gateway IP which my Router "negotiates" as stated in my Dialer1 profile. So I know Dialer 1 is my authentication and IP recipient which makes my Gigabit 8 the physical Connector/Port in order for my Dialer1 to receive the information.... So, for me, what is the vlan in this instance.
A VLan is just a virtual set of "Ports"? Which is a Subnet of the Router's Gateway IP? or any IP on the Router's IP Block?
As I say, I am only dealing with 5 Static IPS that my Gateway offers.. As long as I specify on whichever NIC they on.
I have a x.x.x.178 IP in that subnet I am not using but would like to create a VLan Of 10.0.0.2-10.0.0.5 using .178 as its Gateway, which would use .182 as the Router's Gateway. Am I able to use the .178 and create a VLan assigned to, let's say, Gigabit Ethernet 7? And out of GE7 I'd plug in a non programmable switch and utilize the 10.x.x.x Subnet. I would definitely need NAT for that subnet I assume?
I know it's a lot, it's just I can not wrap my head around this VLan thing or if my wants are even doable.
In response to zack, as I said, I have a Block Of 8 Static ips which gives me 5 Usable. The Cisco is 1 of the 8 designated Gateway which is also the Router IP.
I have 3 Devices being used currently leaving 2 statics unused.
Linux 1- email server has a static
Linux 2- Web Site has a static
TPLink home WiFi has a static ip which then hands out LAN dhcp.
With my current configuration, I am not using NAT or DHCP.
I am using ZONEs for firewall configuration.
In response to Richard, here is my configuration;
Interface IP-Address OK? Method Status Protocol
Async3 unassigned YES unset down down
BRI0 unassigned YES NVRAM administratively down down
BRI0:1 unassigned YES unset administratively down down
BRI0:2 unassigned YES unset administratively down down
Dialer1 x.x.x.182 YES IPCP up up
FastEthernet0 unassigned YES NVRAM administratively down down
GigabitEthernet0 unassigned YES unset up up
GigabitEthernet1 unassigned YES unset up up
GigabitEthernet2 unassigned YES unset up up
GigabitEthernet3 unassigned YES unset down down
GigabitEthernet4 unassigned YES unset down down
GigabitEthernet5 unassigned YES unset down down
Here, also, is my running-config;
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoHOM
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.153-3.M10.bin
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network EzVPN local
!
aaa session-id common
!
ip domain name hom.org
ip name-server 209.244.0.3
ip name-server 205.171.3.65
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid C891F-K9 sn FGL212791GJ
!
!
username sshuser privilege 15 secret 5 $1$n/X1$fAlQj2XWR1Vha5hIgPAC3.
username CiscoAdmin privilege 15 secret 5 $1$kzwV$LjaRJE9oEKkVzbPrx1kUm.
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all OUT-TO-SELF
match access-group name outsideacl
class-map type inspect match-any SELF-TO-OUT
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect VPN
class type inspect All_Protocols
inspect
class class-default
drop
policy-map type inspect OUT-TO-SELF
class type inspect OUT-TO-SELF
inspect
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect SELF-TO-OUT
class type inspect SELF-TO-OUT
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security Ezvpn
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security Self->Internet source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT
zone-pair security Internet->Self source OUTSIDE destination self
service-policy type inspect OUT-TO-SELF
zone-pair security Ezvpn->INSIDE source Ezvpn destination INSIDE
description LAN to INSIDE traffic
service-policy type inspect VPN
zone-pair security Ezvpn->Self source Ezvpn destination self
service-policy type inspect VPN
zone-pair security Self->Ezvpn source self destination Ezvpn
service-policy type inspect VPN
zone-pair security INSIDE->Ezvpn source INSIDE destination Ezvpn
description LAN to Ezvpn traffic
service-policy type inspect VPN
!
crypto isakmp policy 1
!
crypto isakmp policy 2
encr aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp client configuration address-pool local POOLVPN
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group EzVPN
key C1sc0123#
dns 8.8.8.8
domain hom.org
pool POOLVPN
acl 150
netmask 255.255.255.0
crypto isakmp profile EzVPN-PROFILE
match identity group EzVPN
client authentication list VPN
isakmp authorization list EzVPN
client configuration address respond
client configuration group EzVPN
virtual-template 99
!
crypto ipsec transform-set IPTRANSFORM esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROFILE-IPSEC-EZVPN
set transform-set IPTRANSFORM
set isakmp-profile EzVPN-PROFILE
!
interface Loopback99
ip address 10.252.0.254 255.255.255.0
zone-member security Ezvpn
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description TPLink Wireless
no ip address
zone-member security INSIDE
!
interface GigabitEthernet1
description Email Server
no ip address
zone-member security INSIDE
!
interface GigabitEthernet2
description Web Site
no ip address
zone-member security INSIDE
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description PPPoE xDSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Virtual-Template99 type tunnel
ip unnumbered Loopback99
zone-member security Ezvpn
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE-IPSEC-EZVPN
!
interface Vlan1
ip address x.x.x.182 255.255.255.248
ip virtual-reassembly in
zone-member security INSIDE
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
description PPPoE xDSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1460
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username password 0
ppp ipcp route default
no cdp enable
!
ip local pool POOLVPN 10.252.0.1 10.252.0.200 recycle delay 30
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 x.x.x.177
ip ssh version 2
!
ip access-list extended INSIDE-TO-OUTSIDE
permit ip host x.x.x.176 any
permit ip host x.x.x.177 any
permit ip host x.x.x.178 any
permit ip host x.x.x.179 any
permit ip host x.x.x.180 any
permit ip host x.x.x.181 any
permit ip host x.x.x.182 any
permit tcp host x.x.x.180 any eq smtp
permit tcp host x.x.x.180 any eq 993
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any host x.x.x.176
permit icmp any host x.x.x.177
permit icmp any host x.x.x.178
permit icmp any host x.x.x.179
permit icmp any host x.x.x.180
permit icmp any host x.x.x.181
permit icmp any host x.x.x.182
permit tcp any host x.x.x.180 eq 993
permit tcp any host x.x.x.180 eq smtp
permit tcp any host x.x.x.180 eq 66
ip access-list extended outsideacl
permit icmp any host x.x.x.182 echo-reply
permit icmp any host x.x.x.182 echo
permit icmp any host x.x.x.182 traceroute
permit icmp any host x.x.x.182 time-exceeded
permit icmp any host x.x.x.182 unreachable
permit tcp any host x.x.x.182 eq 22
permit udp any host x.x.x.182 eq isakmp
permit udp any host x.x.x.182 eq non500-isakmp
permit esp any host x.x.x.182
deny ip any host x.x.x.182
!
dialer-list 1 protocol ip permit
no cdp run
!
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 10.252.0.0 0.0.0.255 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
03-23-2018 01:59 PM - edited 03-23-2018 02:00 PM
I don't get why you would create vlan 1 with the public IP addresses along with zone security of INSIDE, unless you're planning to assign these to the hosts which also makes no sense. You just got extra public IPs if you ever want to NAT something out, but that's all. You don't need to use these.
03-23-2018 02:23 PM
I have absolutely no reasonable answer to give you on that except now that you point it out and I look at it a different perspective, I see the error of my ways with that.
03-23-2018 02:43 PM
Thank you for the explanation and the additional outputs. I am surprised that the output of show ip interface brief does not show interfaces Gig8 or vlan 1. I assume that was an issue with cut and paste. Seeing the config was helpful.
I do have a question about the outputs. The output of show ip interface brief shows that dialer 1 is x.x.x.182 and the config shows that vlan 1 is x.x.x.182. It is not clear whether both addresses are really in the same network (same address on two interfaces?) or whether it is just an amazing coincidence.
Based on what we know so far I offer this explanation which I hope will be helpful. The interfaces on your router Gig0 through Gig7 default to operating as switch ports and by default will be in vlan 1. So you have vlan 1 on your router and currently all of the switch ports belong in that vlan. You have configured a layer 3 SVI for vlan 1 and put one of your public IP addresses as the address for vlan 1. You have connected some devices to ports in vlan 1 and hard coded public addresses for them. They use the IP you configured for interface vlan 1 as their gateway. You can connect other devices to interfaces in vlan 1 and assign them other available IP addresses from your public block. Since these are public addresses there is no need for you to do address translation for them.
So you currently have a single vlan on the router. You could create a second vlan if you want to. The process might go something like this:
- create vlan 2 (or whatever vlan number you might want to use) on the router.
- assign some interface (perhaps Gig7) to this vlan. Note that this interface will act as a switch port and will not have an IP address assigned to it.
- configure a layer 3 SVI for the vlan (interface vlan 2)
- configure an IP address and mask for the SVI
- connect your unmanaged switch to this port (Gig7)
- connect devices to the unmanaged switch. Assign IP addresses for these devices from the subnet used for the address of vlan 2. These devices will use the address of vlan 2 as their default gateway.
- configure address translation for the subnet used for vlan 2.
HTH
Rick
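Rick's vlan 2 steps above, written out as an added IOS configuration example (not config from the thread or from any poster). It assumes vlan 2, the 10.0.0.0/24 subnet, Gig7 as the access port and Dialer1 as the WAN side from the posted running-config, and adds the DHCP pool and NAT overload that the steps call for; the last section covers the zone-based firewall, which the steps do not mention.

```cisco
! Added example, not from the thread. Assumed values: vlan 2, 10.0.0.0/24,
! Gig7 as the access port. Interface and zone names match the posted config.
!
! 1. create the vlan and put Gig7 in it; Gig7 remains a switch port
!    and gets no IP address of its own
vlan 2
 name USERS
!
interface GigabitEthernet7
 description Unmanaged switch for 10.0.0.0/24
 switchport access vlan 2
!
! 2. the SVI holds the subnet's gateway address; devices behind the
!    unmanaged switch use 10.0.0.1 as their default gateway
interface Vlan2
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
! 3. Dialer1 already carries the negotiated public address, so it is
!    the outside side of the translation
interface Dialer1
 ip nat outside
!
! 4. DHCP for the new subnet; keep the gateway address out of the pool.
!    The DNS servers are the ones the router itself already uses.
ip dhcp excluded-address 10.0.0.1
ip dhcp pool VLAN2-POOL
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 209.244.0.3 205.171.3.65
!
! 5. translate the private subnet to Dialer1's address (PAT)
ip access-list standard NAT-VLAN2
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT-VLAN2 interface Dialer1 overload
!
! 6. the zone-based firewall only inspects what INSIDE-TO-OUTSIDE-CLASS
!    matches, and the posted INSIDE-TO-OUTSIDE ACL lists public hosts only.
!    Without this entry the new subnet falls into class-default and is
!    dropped by the IN-TO-OUT zone pair.
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 10.0.0.0 0.0.0.255 any
```

After applying, show ip nat translations and show policy-map type inspect zone-pair IN-TO-OUT confirm that traffic from 10.0.0.0/24 is both translated and inspected.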
03-23-2018 05:25 PM
I think that the reasoning behind my VLAN1 in this instance was due to my novice attempt in the beginning and I may have crossed over configurations between a DHCP setup and my STATIC IP scenario... I feel that my current config does not need a VLAN.
I see what you mean about the "show ip interface brief" and doing it again, it shows the same result.
What is funny is that there was no configuration for Dialer 1 in regards to ip aside from "negotiated" so I assume that it grabbed what it was supposed to, the .182.
I manually set up vlan1 with the .182 address but I feel I was following a guide that may not have had static ips to consider.
You mention "Gig0 through Gig7 default to operating as switch ports and by default will be in vlan 1". Is that to say whatever plugs into any of those ports will #1 have the .182 IP or # any of the IP's under that subnet? Would that analogy then actually suggest I did indeed need a vlan1?
As far as assigning a Layer 3 SVI for the Vlan1, the IP for the VLan1 is actually the Router's Gateway, which is also the assigned Gateway from my ISP for the IP Block (.177-.181). Just seems redundant that I would have the Dialer 1 negotiate an IP and then set a VLan for that same IP.
You mention "They use the IP you configured for interface vlan 1 as their gateway. You can connect other devices to interfaces in vlan 1 and assign them other available IP addresses from your public block. Since these are public addresses there is no need for you to do address translation for them." which sort of confirms to me that in order to use the .177 - .181 I do need, essentially, a VLan with the Router's Gateway IP (The Gateway IP for my Block) in order to hand them out in general. Therefore, Gig0-7 on VLan1 (the physical ports) can use the 5 Static IP's.
The next step you mention is creating a VLan 2 and assigning Gig7 to VLan 2, which would make VLan 1 Gig0-6?, and the steps past that sort of confused me. From what I read, create vlan 2 with, let's say, 10.0.0.1 - 10.0.0.5, to that vlan 2 which is assigned to Gig7. Being I can not assign an IP to Gig7 I need to assign it to VLan2 in which the subnet (10.x.x.x) will use that IP of VLan 2 as its Gateway to the Net?
I hope I am making sense..
Matthew
03-24-2018 10:18 AM
Matthew
There are multiple ways that this network could be designed. I assumed that some thought had been given to alternatives and that it was intentional that several devices had been connected to ports on the router in vlan 1 and were using public addresses that had been assigned to you. Seeing that those devices included your mail server and a web server it seemed appropriate that they would have IP addresses in a range that was separate from your user devices. And following that thought it seemed reasonable that you might want to create the second vlan (vlan 2 or whatever) and use it for your users. So that is why I explained vlan 2. If that is not what you really intended then clarify how you want the network set up and we will help you work toward that.
HTH
Rick
03-24-2018 11:01 AM
Well this is a complicated answer so I will start in the beginning..
I had the 8 Static IP's. I had my vDSL2 Router in Bridge mode connected to my TPLINK Wireless Router and had DHCP (192.168.x.x) for my Home PC/ TV's, iPad etc but also had my Email and Web Servers plugged in obtaining their static ips manually.
I noticed on my TPLink it would keep blocking internet due to incoming DDOS attacks, so I had to keep reducing my Security Level. I blame it on the exposure of the email server and my Domains. This is what sparked "I want better" and everyone can associate security with Cisco so I did some research and came to find my 891f.
What I currently have is what came out of bits and pieces of what I want. What I want (in my head) is;
I want my Cisco 891f to act as PPPoE and Gateway for my setup. I want to be able to plug in any device to Gig0-Gig6 and have the end device manually config its own Static IP (.177, .179-.181) using the Gateway (.182) for access. I want .178 to be somehow associated with Gig7 which I will connect a Nonprogram switch for a subnet of 10.0.0.1-10.0.0.5. ( or whatever, hopefully on a dhcp config where the plugged in device will just grab what it wants).
I want my VPN Server to allow me remotely to connect to my .177 IP which then allows me on its subnet of 192.168.x.x for me to access documents and my NAS (which it does).
Where I came up with my current vlan was just the outcome of reading various howtos and manuals etc... There was no purpose/intent for why I did it, regardless if it was ending up to be right or wrong.
I have my INSIDE and OUTSIDE Zones configured the way I want them, but am confused as to why my VPN Zone (ip access-list extended outsideacl) is overriding my OUTSIDE-TO-INSIDE Zone, which allows me to connect remotely via http to my Router (irrelevant to what we are doing here, just mentioning). I see that it is set up with "deny ip any host .182". So when I disable that I have to permit it in both OUTSIDE-TO-INSIDE as well as extended outsideacl.. Just odd it has to be in both.
As far as my Zoning goes, I feel I am using a primitive method by permitting on an IP basis opposed to the formats I see like matching protocols etc, which at the time confused me.
I hope this clears some for this mess up?
Matthew
03-26-2018 07:34 AM
Matthew
There are several points I would like to address.
You have some questions about how your zones are working (or not working as you want). I would prefer to defer these questions until we have resolved questions about your router and its vlans.
The architecture of your beginning config implemented a 2 layer approach (Inside and Outside). As it is evolving I believe that it will be at least a 3 layer approach, Inside, Outside, and Middle (which many would call DMZ). Associated with this is a question of how to use Public IP addressing and Private IP addressing. Your Outside would include your router connection to the ISP (I am not sure if you want anything else outside but it could be possible) and this would use Public addressing. It is a bit ambiguous at this point whether that is one address from your assigned block or whether it might be a separate address. Your Inside would include the unmanaged switch, your wireless, and any user devices that use a wired connection and these would use private IP addressing. Your Middle/DMZ would include your web server, your Email server, and anything else that might be accessible from the Internet and that you want to have separate from your user devices. This might use Public IP addressing or might use Private IP addressing (somewhat dependent on whether the Outside interface uses a separate address). I would probably advise using Private addressing for these devices with static address translation to make them accessible from the Internet. You would need to configure address translation for all devices that use Private addressing.
You have mentioned several times wanting to associate the 178 address with Gig7 and to connect a 10.0.0.0 subnet to it. I have tried to steer you away from that and you keep coming back to that. So let me be blunt: that will not work. If you want 10.0.0.0 subnet associated with Gig7 then the IP address associated with Gig 7 must be in that subnet and not be the 178 address. The router provides routing between the 10.0.0.0 subnet and the other networks and does not need the 178 address associated with that interface.
At one point you indicate that the 177 address would be available for use in your address block, but then you also describe the 177 address as associated with some VPN access to your NAS. Can you clarify this?
You have talked about using two Private address blocks, 10.0.0.0 and 192.168.x.x. Can you clarify whether you really need two blocks of IP addresses.
HTH
Rick
03-26-2018 10:05 AM
Good Morning Rick.
Alright, I feel I am making this far more complicated and chaotic as we go and I apologize.
As far as the ZONING goes, you are right, different topic for a different time.. With that said, they are working as I want them, I was only confused as to why one rule set overrules another.. Not a biggie just now. Zones are working the way I like them. Unless I am ignorant and they are a mess ;).
I wholeheartedly agree that this began as something small and I kept expanding and now I sort of have different ideas and wants as well as a meshing of configurations. My main quest here is "is it working to the best it can?". Honestly, everything I have works just the way I want it to, I just want it to be a more tight-knit configuration and possibly (most likely) fix my loose ends. Mainly as you said, this has gone from a Layer 2 to a Layer 3 in many respects.
The reason I did not go into a Layer 3 scenario or using a DMZ was this;
In my head.. I had 5 Usable IP's. The Router was the Gateway using .182 and I had 5 to use.
.177 - My TPLink Wireless Router for Home (NAS, TV,Home usage) handing out 192.168.x.x
.178 - What I wanted for a VLan/Subnet of its own for future use (no specific reason now)
.179 - Unused for later Linux Server. Domain registered to it.
.180 - Linux Email. No port forwarding or any other purpose. Domain registered to it.
.181 - Linux Web Server. No port forwarding or any other purpose. Domain registered to it.
.182 - 891f Static IP/ Gateway
I never felt it necessary to have any of the statics hide behind an internal network due to their sole purposes were for the very reason to be accessible to the net; email, Web Server. Being that they are on the same subnet in itself, I could link them to each other automatically, as I do. But my theory may be wrong. I just didn't think to have my Linux boxes have any other IP than the ones they are using, as that's why they are using them.
It was also easier for me to have my ZONE structure as it was simple INSIDE and OUTSIDE as well as permit per port per ip.
I understand and I read ya on the 10.0.0.0. I simply meant a 10.0.x.x in the same format as the 192.168.x.x. I just wanted my 192.168.x.x to be my HOME "fun" stuff and possibly have my 10.x.x.x be for Network Management etc, again, just an idea. Was never any purpose. Doesn't need to be pursued any further.
As far as the .177 being part of the Block as well as the NAS. It is an indirect association. The .177 has one purpose, my TPLink as a Router for my Home LAN. Where the NAS comes in is because whatever I download to it is downloaded behind a VPN (ExpressVPN) and being that Cisco does not support OpenVPN or the specific protocols I'd need to configure it as a Client, I need my NAS to be on the LAN (192.168.x.x). So I download or do whatever I do to it through my Windows PC and save/redirect to the NAS. What I have running is a VPN Server which then allows me to remotely connect to Home (NAS) from anywhere so I have a route setup from my Cisco .182 to my .177 then the LAN 192.168.x.x.
I hope this adds a little clarity to my scenario and does not complicate it further.. I also hope I did not forget to respond to any of your writings.
Matthew
03-27-2018 08:24 AM
Matthew
Thank you for the additional information. It makes clear that there is more going on in your network than I realized before. You comment that it is running and doing what you want it to do. So my advice is to keep it the way that it is, at least for now. In the future if you want to add some things you can change things at that point.
Especially if what you want to change is to add another network/subnet then you have a choice about how to proceed. You could add another subnet by replicating what you are doing with 192.168.0.0, which is to have a layer 3 device (like TPLINK) connected to an 891 interface, give that device a Public IP, and have that device manage the network/subnet (DHCP to assign addresses, perform address translation for the network/subnet, etc). The alternative would be to create the new network/subnet on the 891 using the steps I described in an earlier response (create a new vlan, create a new SVI, assign an address from the new network/subnet to the SVI, and have the 891 manage the new network/subnet (DHCP, address translation, etc)).
HTH
Rick
03-27-2018 10:49 AM
Good morning Rick
I do hope that this subject was not a letdown considering there was nothing to necessarily fix.. I did gain a new understanding and perspective about Subnetting and VLan so to me it was all worth it.
I also hope that my comment of “everything works the way I want it” did not come across as “my system is perfect” and I only meant that it is indeed working but to what end? Not knowing if what I have is accurate or even efficient.
As you say if it all works then leave it as is until something changes.
Thank you for your time and patience.
Matthew
03-27-2018 11:23 AM
Matthew
You are welcome. I am glad that you found the discussion helpful and that you now have a better understanding of subnetting and vlan. I did not take your description as suggesting that your network was perfect but only that it currently does meet your needs. Sometimes we find things that need to be fixed and sometimes we do not. It can be a beneficial discussion in either case. There is always room for improvement and one of the important questions is whether the benefit of making changes is worth the effort (and potential disruption) of making the changes. In this case it does not seem worth it.
These forums are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the forums and to get to the point where you are comfortable answering questions as well as asking them.
HTH
Rick