Multiple VLANs with different internet access

We need to give differentiated internet access to three VLANs. Each one of these VLANs is used for totally different purposes, so traffic between the VLANs is not allowed. Each VLAN has its own internet access, provided by the data center using one Fast Ethernet connection.

We're thinking about using a Cisco 2911 for Internet access, VPN and firewall. I suppose that the best option for VLANs is using a Catalyst 2960S or a switching module for the 2911, but these two options are too expensive for us. We're thinking about using switches from the SB series (maybe an SG-200).

We're totally newbies to VLANs, so we have many doubts. These are our questions:

1) The 2911 has three onboard Ethernet interfaces; we have three VLANs and three internet connections, so we need to use HWICs to get three more Ethernet ports. Is that right?

2) Do we need three HWICs, or is there some kind of HWIC with more than one Ethernet interface?

3) Is the routing solution to assign static routes in the 2911 for each interface connected to a VLAN through a 2911 interface connected to the internet?

4) Simply connecting three different router interfaces to three different switch ports, each one of them assigned to one of the three different VLANs, are we going to get internet access for all devices in those VLANs? Or do we need to configure something else, like trunking, VSIs...?

5) Can we achieve our goals using the SG-200 switch?

6) We have the chance to use older routers; is this possible? We're especially interested in knowing whether a 1841 or a 2801 router could be used for this setup.

7) This is not a production environment, so we can use refurbished equipment. If anyone has other hardware recommendations for the switching part, help would be very appreciated.

Accepted Solution

Peter Paluch
Cisco Employee

Hello Miguel,

1) The 2911 has three onboard Ethernet interfaces; we have three VLANs and three internet connections, so we need to use HWICs to get three more Ethernet ports. Is that right?

Theoretically you could use additional VLANs even to substitute for WAN connections, plus the switch. You have three internal VLANs, plus you would have additional three VLANs, each for a separate internet connection. These VLANs would then be split at the switch. However, I admit that this solution would be quite clumsy albeit working. It depends on what additional money you can spend on buying an extension module for your 2911 router.

2) Do we need three HWICs, or is there some kind of HWIC with more than one Ethernet interface?

This is the list of available compatible modules:

http://www.cisco.com/en/US/products/ps10537/products_relevant_interfaces_and_modules.html

HWICs with routed ports are usually very expensive - buying three router HWIC port cards would in my opinion be similarly expensive to buying a switching module. If you decide to buy additional ports I would recommend purchasing a switching extension card instead - check out the EHWIC modules, not the SM ones - while the SM are more feature-rich, they are again more expensive as far as I know.

3) Is the routing solution to assign static routes in the 2911 for each interface connected to a VLAN through a 2911 interface connected to the internet?

No, this would not be sufficient because classic IP routing makes its decisions based exclusively on the destination, not on the source. What you want to do, though, is to take both source and destination into account when routing your packets. You would either need to use the Policy-Based Routing (PBR), or implement VRFs (separate routing tables) for each internal VLAN.

4) Simply connecting three different router interfaces to three different switch ports, each one of them assigned to one of the three different VLANs, are we going to get internet access for all devices in those VLANs? Or do we need to configure something else, like trunking, VSIs...?

If you connect individual router ports to individual switchports on a switch, with these switchports being in separate and distinct VLANs, the devices in these VLANs will be able to talk to the router, and if the routing has been set up properly, also access the internet. No trunks will be necessary here.

However, you could use trunking to actually save the ports on your router. If the aggregate traffic of all VLANs towards internet does not exceed 1 Gbps, I would recommend configuring subinterfaces on the router and using a single physical link to the switch, configured as a trunk. Using three physical ports on a router to access three VLANs on the switch is cumbersome and not really helpful.

5) Can we achieve our goals using the SG-200 switch?

I do not know the SG-200, but as long as it supports VLANs and 802.1Q trunking/VLAN tagging, it will work.

6) We have the chance to use older routers; is this possible? We're especially interested in knowing whether a 1841 or a 2801 router could be used for this setup.

Yes, this would be possible with these routers as well. Note that the throughput of these routers is lower than the throughput of 2911. What is the expected aggregated flow size to/from the internet?

Best regards,

Peter
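
Peter's points 1, 3 and 4 in one IOS configuration: a single 802.1Q trunk to the switch with one subinterface per VLAN, one VRF (separate routing table) per VLAN so that each VLAN can only reach its own ISP, and the third ISP hand-off carried through the switch as an extra VLAN instead of an added router port. This is an added example, not configuration from the thread or from Cisco. Everything named is an assumption: tenant VLANs 10/20/30 and ISP C hand-off VLAN 300 on the trunk from GigabitEthernet0/0, ISP A and B on the onboard ports GigabitEthernet0/1 and 0/2, VRF names TENANT-A/B/C, and addresses taken from the documentation ranges. The classic "ip vrf" syntax is used because it is accepted by both 12.4 and 15.x trains.

```cisco
! Added example (assumed names and addresses). One VRF per tenant VLAN: each
! VLAN gets its own routing table, so a packet from VLAN 10 is looked up in
! TENANT-A only and cannot be forwarded into TENANT-B or TENANT-C.
ip vrf TENANT-A
 rd 65000:10
ip vrf TENANT-B
 rd 65000:20
ip vrf TENANT-C
 rd 65000:30
!
! The VRFs stop the router from routing between VLANs, but a packet from
! tenant A addressed to tenant B's range would still follow TENANT-A's
! default route towards ISP A. Drop it at the ingress subinterface instead.
ip access-list extended FROM-VLAN10
 deny   ip any 192.168.20.0 0.0.0.255
 deny   ip any 192.168.30.0 0.0.0.255
 permit ip any any
ip access-list extended FROM-VLAN20
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.30.0 0.0.0.255
 permit ip any any
ip access-list extended FROM-VLAN30
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.20.0 0.0.0.255
 permit ip any any
!
! Single physical link to the switch, configured as an 802.1Q trunk (point 4).
interface GigabitEthernet0/0
 description trunk to SG-200: VLANs 10,20,30 (tenants) and 300 (ISP C)
 no ip address
 no shutdown
! "ip vrf forwarding" must come before "ip address" (setting it clears the address).
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding TENANT-A
 ip address 192.168.10.1 255.255.255.0
 ip access-group FROM-VLAN10 in
 ip nat inside
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding TENANT-B
 ip address 192.168.20.1 255.255.255.0
 ip access-group FROM-VLAN20 in
 ip nat inside
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip vrf forwarding TENANT-C
 ip address 192.168.30.1 255.255.255.0
 ip access-group FROM-VLAN30 in
 ip nat inside
!
! Third ISP hand-off plugged into a switch access port in VLAN 300 and carried
! over the same trunk (point 1, "clumsy albeit working"). Same VRF as tenant C.
interface GigabitEthernet0/0.300
 encapsulation dot1Q 300
 ip vrf forwarding TENANT-C
 ip address 203.0.113.66 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description ISP A
 ip vrf forwarding TENANT-A
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 no shutdown
interface GigabitEthernet0/2
 description ISP B
 ip vrf forwarding TENANT-B
 ip address 198.51.100.6 255.255.255.252
 ip nat outside
 no shutdown
!
! One default route per VRF (point 3): the source VLAN selects the table,
! and the table has exactly one exit, so no PBR is needed.
ip route vrf TENANT-A 0.0.0.0 0.0.0.0 198.51.100.1
ip route vrf TENANT-B 0.0.0.0 0.0.0.0 198.51.100.5
ip route vrf TENANT-C 0.0.0.0 0.0.0.0 203.0.113.65
!
! VRF-aware PAT: each tenant is translated to its own ISP interface address.
ip access-list standard LAN-A
 permit 192.168.10.0 0.0.0.255
ip access-list standard LAN-B
 permit 192.168.20.0 0.0.0.255
ip access-list standard LAN-C
 permit 192.168.30.0 0.0.0.255
ip nat inside source list LAN-A interface GigabitEthernet0/1 vrf TENANT-A overload
ip nat inside source list LAN-B interface GigabitEthernet0/2 vrf TENANT-B overload
ip nat inside source list LAN-C interface GigabitEthernet0/0.300 vrf TENANT-C overload
```

On the switch, the port facing GigabitEthernet0/0 must be an 802.1Q trunk that carries VLANs 10, 20, 30 and 300 tagged; every host port is an untagged (access) member of exactly one of 10, 20 or 30, and the ISP C cable goes into an untagged port in VLAN 300. The switch itself does no routing, so the router is the only path between VLANs, and the VRFs plus the ingress ACLs close that path. To check the separation on the router: "show ip route vrf TENANT-A" should list only 192.168.10.0/24, 198.51.100.0/30 and the default via 198.51.100.1, "show ip nat translations vrf TENANT-A" should show tenant A's sessions translated to 198.51.100.2 only, and a ping from a VLAN 10 host to 192.168.20.1 should be dropped by FROM-VLAN10 (visible in "show ip access-lists" match counters).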

Thanks Peter.

If it's possible to use a trunk for connecting the three VLANs to the router, I think it is a perfect solution for us. We can even use routers with only two onboard FE ports.

One question: all ISR routers from first generation (1841, 2801, 2811, 2821, 2851...) are PBR and VRF capable?

The expected aggregated traffic is 7 Mbps (1 Mbps for VLAN1 + 4 Mbps for VLAN2 + 2 Mbps for VLAN3).

Regards.

Hello Miguel,

I apologize for answering somewhat late...

We can even use routers with only two onboard FE ports.

Yes. In fact, with VLANs, you can use just a single FE/GE port because the differentiation will be done using VLANs. Of course, the total bandwidth of the port will be shared so you have to weigh the convenience of using just a single port against its loading.

One question: all ISR routers from first generation (1841, 2801, 2811, 2821, 2851...) are PBR and VRF capable?

Yes, they are. Any 12.4 IOS or newer with the Advanced IP Services feature set should be fine.

Best regards,

Peter
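
The other option Peter names in point 3, policy-based routing, for the same three VLANs on one trunk and one global routing table; this is the feature set he confirms above for the 1841/2801 class of router. Added example, not configuration from the thread or from Cisco. Assumed: VLANs 10/20/30 on the trunk from GigabitEthernet0/0, ISP A and B on GigabitEthernet0/1 and 0/2, ISP C on FastEthernet0/0/0 (a port on an added HWIC, as discussed in points 1 and 2), documentation-range addresses, and the route-map and ACL names shown.

```cisco
! Added example (assumed names and addresses). One routing table; a route-map
! on each LAN subinterface chooses the ISP by ingress subnet (the source),
! which destination-only routing cannot do.
interface GigabitEthernet0/0
 description trunk to switch, VLANs 10,20,30
 no ip address
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group FROM-VLAN10 in
 ip nat inside
 ip policy route-map PBR-VLAN10
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group FROM-VLAN20 in
 ip nat inside
 ip policy route-map PBR-VLAN20
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group FROM-VLAN30 in
 ip nat inside
 ip policy route-map PBR-VLAN30
!
interface GigabitEthernet0/1
 description ISP A
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 no shutdown
interface GigabitEthernet0/2
 description ISP B
 ip address 198.51.100.6 255.255.255.252
 ip nat outside
 no shutdown
interface FastEthernet0/0/0
 description ISP C (port on an added HWIC, assumed)
 ip address 203.0.113.66 255.255.255.252
 ip nat outside
 no shutdown
!
! All three LAN subnets are connected routes in the one table, so the router
! WOULD forward between VLANs. The inbound ACLs are what enforce the
! "no traffic between VLANs" requirement here; the ACL runs before PBR.
ip access-list extended FROM-VLAN10
 deny   ip any 192.168.20.0 0.0.0.255
 deny   ip any 192.168.30.0 0.0.0.255
 permit ip any any
ip access-list extended FROM-VLAN20
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.30.0 0.0.0.255
 permit ip any any
ip access-list extended FROM-VLAN30
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.20.0 0.0.0.255
 permit ip any any
!
! PBR: a standard ACL matches the source subnet; "set ip next-hop" overrides
! the routing table with that tenant's ISP gateway.
ip access-list standard LAN-A
 permit 192.168.10.0 0.0.0.255
ip access-list standard LAN-B
 permit 192.168.20.0 0.0.0.255
ip access-list standard LAN-C
 permit 192.168.30.0 0.0.0.255
route-map PBR-VLAN10 permit 10
 match ip address LAN-A
 set ip next-hop 198.51.100.1
route-map PBR-VLAN20 permit 10
 match ip address LAN-B
 set ip next-hop 198.51.100.5
route-map PBR-VLAN30 permit 10
 match ip address LAN-C
 set ip next-hop 203.0.113.65
!
! PAT selected by egress interface, so each tenant is translated to the
! address of the ISP link it was policy-routed onto.
route-map NAT-ISP-A permit 10
 match interface GigabitEthernet0/1
route-map NAT-ISP-B permit 10
 match interface GigabitEthernet0/2
route-map NAT-ISP-C permit 10
 match interface FastEthernet0/0/0
ip nat inside source route-map NAT-ISP-A interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-ISP-B interface GigabitEthernet0/2 overload
ip nat inside source route-map NAT-ISP-C interface FastEthernet0/0/0 overload
!
! The global table still needs a default route for the router's own traffic.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

"show route-map PBR-VLAN20" shows the policy-routing match counters, and "show ip nat translations" should show tenant B sessions translated to 198.51.100.6 only. One caveat worth knowing before choosing this over VRFs: when a route-map's next hop becomes unreachable (for example ISP B's link goes down), PBR falls through to normal forwarding, and the global default route above would then send tenant B's traffic out ISP A. With separate VRFs that cannot happen, because tenant B's table has no route via ISP A at all; if the separation between tenants is a requirement rather than a convenience, the VRF design is the safer of the two.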

Three VLANs and three internet connections. I think you should load balance between the three internet connections, and also, if any of the internet connections goes down, users should be shifted to another.

If you have another router, you can use it in active and standby mode by running HSRP. This will provide you redundancy.

Jawad