Help Routing Vlan to an IP

Jonard Umang
Level 1

Hi, good day,

I need assistance in how to do this attachment.

Model of core switch is 3560.

I'm thinking how can I route these 3 VLANs in ISP router 10.10.10.1 via the core switch.

 

Thank you for help.

11 Replies

michael o'nan
Level 4

1. Create the VLANs and SVI

2. Enable ip routing

3. Enter default route to the ISP

For example:

vlan 10
interface vlan 10
  ip address 10.10.20.1 255.255.255.0
ip routing
ip route 0.0.0.0 0.0.0.0 10.10.10.1

Here's one way to do it. Configure this on "core"

ip routing
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
interface fa0/24
  switchport access vlan 1
  no shut
!
interface vlan10
  ip address 10.10.20.1 255.255.255.0
  no shut
!
interface vlan20
  ip address 10.10.30.1 255.255.255.0
  no shut
!

The interfaces that go out to the other switches (assuming layer 2) should be configured as trunks, but could be access if you only have one VLAN on each switch.

Another way to do it would be to make your interfaces out to the switches layer 3, and give them the IP addresses of the gateways for the other VLANs.

Either way, as long as ip routing is enabled on the core L3 switch, it will see everything as a connected subnet, so you shouldn't need a routing protocol.

 

One other BIG issue: Most likely, NAT/PAT was configured on the ISP router. It is quite likely that it was configured to only allow the addresses of VLAN 1. If that's the case, only VLAN 1 will be able to get out to the ISP. In that case, you would have to either modify the ACL on the router or make a big change to your logical topology to make the router-core connection layer 3 and do NAT/PAT on the core.

Thanks for the reply.

I solve it :)

I ask ISP to change the IP from 10.10.10.1 to 10.10.11.2 to prevent me from changing lots of my network topology.

Then I'll issue in core (no switchport to interface connecting to router and put 10.10.11.2)

- then configure inter-VLANs

- ACL and NAT out of that port.

Thanks for the help :)

That would be a good idea but 3560 doesn't support NAT.

Hi sir,

Yes, you are correct... I didn't try it yet in our network; I just tried it in Packet Tracer and it works in Packet Tracer. And as of now I read Cisco forums that yes, 3560 doesn't support NAT.

Do you have any idea what else to do to route all to 10.10.11.1, which is the ISP router?

 

Core Config 

----------------------------------------------------------------------------------------------

ip routing

!
interface FastEthernet0/1
 switchport mode access
!

interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access

interface FastEthernet0/20
 switchport access vlan 20
 switchport mode access

interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Vlan1
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan10
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.30.1 255.255.255.0
!
interface Vlan100
 ip address 10.10.11.251 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.11.1

 

Please check what's wrong, why I can't route to 10.10.11.1.

 

thanks,

Jonard

You have two options:

1. Put a router in place that you can control

2. Request the ISP add the other subnets to the NAT Allow ACL

 

I would choose option 1 as I believe the customer should always have control over the private side. They are probably charging a good bit of money for that "managed service" as well.

Sir Michael,

Yeah, I think that's the better option. Last question: if we put a router, we will just do this?

1. Subinterfaces for each VLAN

2. ACL and NAT

3. Policy based routing

 

thanks

 

You can do it multiple ways but I would suggest using dynamic routing. You could either make the switch interface routed or just create a VLAN to share the same subnet as router private LAN. Enable dynamic routing on the switch to advertise the SVI to the router. Here's a quick example that isn't exactly to your current application:

Router:

interface g0/0
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
!
interface g0/1
  ip nat outside
!
router eigrp 1
  no auto-summary
  network 10.10.10.0
!
ip access-list standard NAT
  permit 10.10.10.0 0.0.0.255
  permit 10.10.20.0 0.0.0.255
  permit 10.10.30.0 0.0.0.255
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!

Switch:

ip routing
!
interface g1/0/1
  no switchport
  ip address 10.10.10.2 255.255.255.0
!
router eigrp 1
  no auto-summary
  network 10.10.10.0
  network 10.10.20.0
  network 10.10.30.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1

 

No policy based routing or subinterfaces needed. You want the core switch to make all the interVLAN routing decisions.
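
Added example, not part of the original thread: the NAT ACL issue raised in the replies above (inside subnets missing from the router's NAT permit list) can be audited offline before a change goes in. This Python sketch parses a constructed config, merged from the router and switch snippets above with one permit line removed, and lists the interfaces whose subnet the NAT ACL does not cover. It assumes a named standard ACL with contiguous wildcard masks; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: router and switch snippets from the thread merged into one
# text, with the 10.10.30.0 permit line removed to show a coverage gap.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.10.20.1 255.255.255.0
interface Vlan20
 ip address 10.10.30.1 255.255.255.0
interface GigabitEthernet1/0/1
 ip address 10.10.10.2 255.255.255.0
ip access-list standard NAT
 permit 10.10.10.0 0.0.0.255
 permit 10.10.20.0 0.0.0.255
ip nat inside source list NAT interface GigabitEthernet0/1 overload
"""

def inside_subnets(config):
    """Map interface name -> connected subnet, from 'ip address ADDR MASK' lines."""
    subnets, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current:
            subnets[current] = ipaddress.ip_interface("/".join(m.groups())).network
    return subnets

def nat_permits(config):
    """Networks permitted by the standard ACL named in 'ip nat inside source list'."""
    m = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    if not m:
        return []
    nets, in_acl = [], False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_acl = line.strip() == f"ip access-list standard {m.group(1)}"
        elif in_acl:
            p = re.match(r"\s+permit (\S+) (\S+)", line)
            if p:  # IOS wildcard is the inverted netmask; ipaddress accepts that form
                nets.append(ipaddress.ip_network(f"{p.group(1)}/{p.group(2)}"))
    return nets

def untranslated(config):
    """Interfaces whose subnet no NAT ACL entry covers (no outbound translation)."""
    permits = nat_permits(config)
    return sorted(name for name, net in inside_subnets(config).items()
                  if not any(net.subnet_of(p) for p in permits))
```

Calling `untranslated(SAMPLE_CONFIG)` flags `Vlan20`; with all three permit lines from the reply present, the list is empty.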

 

Thanks for the quick response. Nice, EIGRP, this is a Cisco proprietary protocol, right? Can you give me a model so that I'll recommend it to my IT team?
We have:

1. CCTV (internal viewing only - but sometimes need to check via internet)

2. Internet

3. Wireless APs and controllers

4. Servers (like Exchange, AD, ERP, let's say 5 servers)

5. IPT Avaya

Our current connection is DSL

 

Thank you

Yes EIGRP is Cisco proprietary. You could use OSPF just as easily for this scenario:

router ospf 1
  log-adjacency-changes
  network 10.10.10.0 0.0.0.255 area 0

and the same on the switch for all the subnets you want the router to know about.

You can do port forwarding on the router to access the CCTV and Exchange from the web. Depending on the size of the company and the security policies it may be a good idea to put a firewall in place of the router. 

 

Hi michael o'nan,

Thank you very much for the big help.

Jonard