Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
642
Views
0
Helpful
6
Replies

ISR 4431 and 2960x config question

Go to solution
mr1drful
Level 1
Level 1

‎02-15-2022 08:02 AM

Greetings,

 

I was assigned to take over a project with little to no knowledge transfer. I have a ISR 4431 and a 2960x  - a layer 2 only device. Neither device have been configured. The 2960x has the ISP is connected to port 52 with GI1/0/1 connected to GI0/0/0 on the ISR 4431. The only other info I got from the departing employee was to use vlan1.

 

I checked the O'Reilly's Cisco Cookbook with no success. After searching for several hours it is clear that I am not asking the questions, and need some help getting useful information from the Cisco knowledge base and internet in general. Can someone point me in the right direction?

 

As an FYI, the hard configuration is not my choice.

 

Many thanks in advance.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Martin L
VIP
VIP

‎02-15-2022 04:11 PM

Normally ISP connects to a router then end-users to router or in case you need more ports for more users, L2 switch to router then PCs to switch.  as mentioned above, none of switches can do NAT'ing which is needed for end-users to share 1 public IP among many.  

If your ISP-Switch-router setup is not remote office connecting to HQ via ISP or Internet, my guess is Internet traffic gets to router via switch and that your router still doing NAT for all end-users and router-on-a-stick if needed. If end-user needs to reach other end-user, traffic goes just via switch; but in case end-user needs to reach the Internet, traffic goes to router first , then via your l2 switch to ISP.

I always thought that such setup is only a tricky exam question but it may not be after all. 

 

Regards, ML
**Please Rate All Helpful Responses **

View solution in original post

0 Helpful

Go to solution
Squozen_EU
Level 1
Level 1

‎02-16-2022 06:42 AM - edited ‎02-16-2022 06:44 AM

I've done this before when connecting an HA pair of firewalls to a WAN link. The VLAN you use is not important. All you need to do is ensure that you tag the 2960X ports going to the ISP and the 4431 with the same VLAN ID and the traffic will pass right through as if you had the ISP device connected directly to the 4431. Then you ensure that any LAN traffic uses a different VLAN to the WAN VLAN on the 2960X.

 

If you don't have a backup 4431 or another device that needs to see the WAN, I'd just connect the ISP directly to the 4431 - it makes things less confusing for the next person that comes along.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎02-15-2022 08:27 AM

Hi,

What are you trying to accomplish? Do the users connect to the 2960x switch?

Do the users need access to Internet? Do you have public IPs from the provider or you have your own?

If VoIP, Is the switch POE?

Is this a brand new install or existing?

HTH

 

0 Helpful

Go to solution
mr1drful
Level 1
Level 1
In response to Reza Sharifi

‎02-15-2022 09:23 AM

Sorry for the ambiguity.

  • Users connect to internet through the 2960x,
  • The ISP also connects with a cat6 gigE to the 2960x via gi1/0/52,
  • The router connects to the 2960x as well via gi1/0/1 to gi0/0/0,
  • The ISP provides a /29 IPv4 network,
  • No VoIP,
  • No POE,
  • Brand new install.
0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to mr1drful

‎02-15-2022 09:32 AM

The 2960x is not capable of doing NAT. So, if you need NAT, you would have to connect the router to the ISP and then the switch to the router and users to the switch. Have a look at this link on how to configure NAT.

 

https://www.networkstraining.com/configuring-nat-on-cisco-routers/

 

HTH

0 Helpful

Go to solution
Martin L
VIP
VIP

‎02-15-2022 04:11 PM

Normally ISP connects to a router then end-users to router or in case you need more ports for more users, L2 switch to router then PCs to switch.  as mentioned above, none of switches can do NAT'ing which is needed for end-users to share 1 public IP among many.  

If your ISP-Switch-router setup is not remote office connecting to HQ via ISP or Internet, my guess is Internet traffic gets to router via switch and that your router still doing NAT for all end-users and router-on-a-stick if needed. If end-user needs to reach other end-user, traffic goes just via switch; but in case end-user needs to reach the Internet, traffic goes to router first , then via your l2 switch to ISP.

I always thought that such setup is only a tricky exam question but it may not be after all. 

 

Regards, ML
**Please Rate All Helpful Responses **

0 Helpful

Go to solution
mr1drful
Level 1
Level 1

‎02-16-2022 04:03 AM

Thank you! Your explanation has given me the mental toe hold necessary to move forward.

0 Helpful

Go to solution
Squozen_EU
Level 1
Level 1

‎02-16-2022 06:42 AM - edited ‎02-16-2022 06:44 AM

I've done this before when connecting an HA pair of firewalls to a WAN link. The VLAN you use is not important. All you need to do is ensure that you tag the 2960X ports going to the ISP and the 4431 with the same VLAN ID and the traffic will pass right through as if you had the ISP device connected directly to the 4431. Then you ensure that any LAN traffic uses a different VLAN to the WAN VLAN on the 2960X.

 

If you don't have a backup 4431 or another device that needs to see the WAN, I'd just connect the ISP directly to the 4431 - it makes things less confusing for the next person that comes along.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card