Solved: ISR 1921 VLAN routing

dennesmeeusen · ‎07-25-2012

Hi,

I have an ISR 1921 SEC as a router for my internet connetion (/28 subnet).

On the inside is an hp Procurve 1900 switch which supports basic routing (static routes).

Suppose i want about 10 VLANs on my LAN, all with different subnets (eg. 10.0.1.0/24, 10.0.2.0/24) and i want all of these VLANs to connect to the internet (NAT) but not to each other.

What would be best-practice to achieve this?

1. A router-on-a-stick solution with one trunked (tagged in HP speak) port to the LAN interface of the 1921 router?

2. Make the default route on all the VLANs of the Procurve point to the ip address of the default VLAN and connect that to the LAN interface of the router, effectively letting the procurve do the routing? Is this even a feasible option?

In the case of option 2, how will i route the traffic back to the right VLAN/subnet? do i need to create static routes for all of them? In the router and/or switch?

And one other question. Suppose i want to start with one public ip NATed to the default VLAN and one other public IP NATed to alle the other VLAN's. Is that possible? And can i change this at a later time to have one or more specific other VLANs NATed to their own public ip?

Thanks,

Dennes

cadet alain · ‎07-26-2012

Hi,

yes just one static route to edge router is enough. I would do nat overload and create an ACL permitting all subnets

let's suppose the WAN interface on 1921 is f0/1 and port connected to switch is f0/0:

int f0/0

ip nat in

int f0/1

ip nat out

access-list 99 permit 10.0.10.0 0.0.0.255

access-list 99 permit 10.0.20.0 0.0.0.255

access-list 99 permit 10.0.30.0 0.0.0.255

access-list 99 permit 10.0.40.0 0.0.0.255

access-list 99 permit 192.168.1.0 0.0.0.255

ip nat inside source list 99 interface f0/1

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

cadet alain · ‎07-25-2012

Hi,

in either case you'll have to use ACL to restrict inter vlan routing.

the nat process will be done on the router so you can deny some subnets from being natted with the correct ACL statement applied to the NAT process.

Regards.

Alain.

Don't forget to rate helpful posts.

dennesmeeusen · ‎07-25-2012

OK, thanks, but what would be the preferred solution? And will option 2 even work as i described it?

Dennes

cadet alain · ‎07-25-2012

Hi,

I would use option 2 if this switch is a L3 switch and put the link to the router as a routed port and configure a default static route pointing to the router IP, the clients would have their respective interface vlan IP as default gateway and then I would nat on the edge router.

Regards.

Alain.

Don't forget to rate helpful posts.

dennesmeeusen · ‎07-26-2012

OK, so it should be something like this?:

VLAN10-10.0.10.0/24----|

VLAN20-10.0.20.0/24----|-----Default VLAN1/192.168.1.0/24---------ISR1921(192.168.1.1)-----Internet

VLAN30-10.0.30.0/24----| IP 192.168.1.1

VLAN40-10.0.40.0/24----| GW: 192.168.1.254 / Def. route: 0.0.0.0 0.000.0 > 192.168.1.254

So i need just one static (default) route configured in the switch?

The switch is a Layer3 "lite" switch which allows the creation of up to 32 static routes

And for the NAT pool(s)? I assume i must create NAT for every possible subnet?

Thanks,

Dennes

cadet alain · ‎07-26-2012

Hi,

yes just one static route to edge router is enough. I would do nat overload and create an ACL permitting all subnets

let's suppose the WAN interface on 1921 is f0/1 and port connected to switch is f0/0:

int f0/0

ip nat in

int f0/1

ip nat out

access-list 99 permit 10.0.10.0 0.0.0.255

access-list 99 permit 10.0.20.0 0.0.0.255

access-list 99 permit 10.0.30.0 0.0.0.255

access-list 99 permit 10.0.40.0 0.0.0.255

access-list 99 permit 192.168.1.0 0.0.0.255

ip nat inside source list 99 interface f0/1

Regards.

Alain.

Don't forget to rate helpful posts.

dennesmeeusen · ‎07-26-2012

OK, will try that. Thanks!

Just to be sure.. The command should be "ip nat inside source list 99 interface f0/1 overload" right?

Dennes

cadet alain · ‎07-26-2012

Hi,

no need to add the keyword overload as IOS is nice and it will automatically add it to the running-config for you.

Regards.

Alain.

Don't forget to rate helpful posts.