Sharing internet access through a 3550 with 2 vlans. Help ><;

tobbelobbe
Level 1

See topology attached.

Hey guys, I recently got an offer to help a friend set up their network. They have a locked Cisco router from the ISP, and it's configured on a fa 0/0 interface to share Internet access on the network. The IP on that interface is 195.198.11.217 255.255.255.252, and I tried it with a PC (set my personal IP to .218 and entered their DNS info (195.67.199.27)) and it is working. The question is now: my friend found a 3550 lying around, and since the ISP won't let them configure their router, he wants to use the 3550 to create 2 VLANs with Internet access and without access to each other.

Vlan 10 for the desktops and Vlan 20 for the wireless (moving on to some Netgear wireless switches). How would you configure the 3550 for this to work? I haven't been into this stuff for years, so I'm really uncertain which would be the best approach.

Thanks to anyone who is willing to use their time to assist me!


Dennis Mink
VIP Alumni

You would need to configure the two VLANs and subnets (of which VLAN 1 is already done?!). I also assume you already have a default gateway pointing to your ISP, 195.198.11.127?!

Your ISP will hand traffic over to 195.198.11.127 and you can't change that. Not sure why you want the second 3550. Are you running out of ports? Because if you aren't, you don't need it.

Please remember to rate useful posts, by clicking on the stars below.

I must have written something badly, but I only have one 3550!

antonio.guirado
Level 3

Hello,

I'd like to tell you that it is possible, but I think there is a NAT problem. You could use the routing features of the 3550 and even use ACLs to deny traffic between VLANs. The main issue is that your multilayer switch does not support NAT. You need this feature to translate internal IP addresses to the public IP address 195.198.11.218 that your ISP allows to access the Internet.

Regards.

Ah, I see. I actually didn't know this model didn't support NAT. I haven't gotten far enough to start configuring it yet, so I hadn't noticed myself. This means I need a new unit to handle the NAT.

Any suggestion on a cheap (router?) unit which I could use in this network to handle the needs of the network? Since the Layer 3 switch has most of the functions, do I only need something simple that can handle the NAT, or is it more worthwhile to buy a big router to handle everything?

Thanks again for responses!!!

Hello,

Do you have a firewall? I suggest some Linux-based machine. You can use it to perform NAT and access rules to filter traffic as you want. You can also do this in Windows, but I recommend Linux. If you want to buy a Cisco device, it depends on your throughput and session number (NAT translations). Sincerely, the best solution is a firewall box implemented in some OS that you feel comfortable with.

Regards.

We do not have a firewall ourselves. It's beyond our control at the ISP. All I have atm is a 3550 and an Ethernet cable from the ISP's router with an address which needs to be translated. I am pretty sure a Cisco product is preferred so that it can be further used in the future. Which one would you recommend for this type of network?

Also, English is not my native language, so excuse me if there are spelling or grammar errors!!

Thanks again!

Hello,

Tell us something about your bandwidth and number of users (to find out the number of NAT entries).

Regards

Hi, atm the bandwidth is 30 Mbit/s but can and will be increased to 100-1000 in the future. The number of users on the desktop VLAN will be under 20, and on the wireless VLAN there will be between 0 - 1000 ish.

Thanks!

I have now gained access to a Cisco 881 router to help in the process, even though this made me even more confused. It's been years since I certified in CCNP and I haven't been working with this since. Could someone give me an example of a config to NAT the external IP on the 881 WAN FA port to 2 separate VLANs, each with their own DHCP pool, which is shared to the 3350? I just need that working and I'm kind of puzzled where to start. It's a bit weird compared to what I'm used to, since the other FA interfaces on the 881 are only layer 2. I assume you need to use VLAN interfaces to NAT inside etc.?

I am willing to pay a smaller sum for someone's quick assistance. This is a nonprofit project for a youth association, and I might have gotten myself into something I thought I could handle alone, but I still want to help them since it's for a good cause.

Hi Sebastien,

If you have access to the router you will need to configure the router and switch like below:

ROUTER:

interface FastEthernet0/1
 description TO_SWITCH
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

SWITCH:

!
interface FastEthernet0/1
 description TO_ROUTER
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! SVI addresses differ from the router subinterfaces (.1) to avoid a duplicate IP on each VLAN
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
!

Regards,

Jan

shaun barrs
Level 1

Hi Sebastien,

You can create 2 SVIs on the 881 for the 2 VLANs, then create a trunk to the 3550. I used the 881 as the VTP server and created the VLANs on it as well so that they will be replicated to the 3550.

I have added the config for both the 3550 and the 881 as a starting point for you, including DHCP pools and NAT.

If you are going to be connecting APs to the 3550, the ports I have put into VLAN 20 (fa0/13-23) would need to be configured as trunk ports and not access ports.

881#
881#sh run
Building configuration...

Current configuration : 1527 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname 881
!
!
!
!
!
ip dhcp pool PC_VLAN_POOL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 195.67.199.27
ip dhcp pool WIRELESS_VLAN_POOL
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 195.67.199.27
!
!
!
!
!
!
!
ip name-server 195.67.199.27
!
!
spanning-tree mode rapid-pvst
spanning-tree vlan 1,10,20 priority 24576
!
!
!
!
interface FastEthernet0/0
description LINK TO ISP ROUTER
ip address 195.198.11.218 255.255.255.252
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1/0
switchport mode trunk
!
interface FastEthernet0/1/1
switchport mode access
!
interface FastEthernet0/1/2
switchport mode access
!
interface FastEthernet0/1/3
switchport mode access
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Vlan10
description PC VLAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface Vlan20
description WIRELESS VLAN
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end


881#

3550#
3550#sh run
Building configuration...

Current configuration : 2931 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname 3550
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
!
!
!
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/13
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/14
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/15
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/16
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/17
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/18
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/19
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/20
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/21
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/22
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/23
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
ip classless

!
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end


3550#

Hope this helps?

Regards,

Shaun

The 881 cannot handle IP addresses or subinterfaces on any FA interface other than the WAN one. So I'm not sure what you mean with "Interface fa 0/0/1". I only have access to the 0, 1, 2, 3 and 4 (WAN) interfaces. Apparently the other 4 FA are L2 switch interfaces.

I have managed to set up the network with the help of VLAN interfaces on the router and a trunk to the switch. If I put a PC on a VLAN 10 port it gets the correct IP from the 192.168.10.0 network etc.
I can ping from the PC to all interfaces (Vlan 1,10,20 and ). Not sure if it's because of the simple EIGRP I wrote in or not, though. Gonna limit the access between VLANs with access lists later. But the problem is the NAT.
Although I am testing it from home now and not on location, so I'm not sure if I can configure it here the way I would on location, when I get DHCP from my ISP. I just manually entered an IP from the DHCP network on my ISP router here at home.
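
The inter-VLAN restriction mentioned in the last post ("limit the access between vlans with access lists"), as an added example that is not taken from any poster's configuration. It assumes the 192.168.10.0/24, 192.168.20.0/24 and 192.168.1.0/24 addressing and the Vlan10/Vlan20 SVIs on the 881 from the config posted above, with the 881 acting as DHCP server; the ACL names VLAN10_IN and VLAN20_IN are hypothetical.

```cisco
! Constructed example: inbound ACLs on the 881 SVIs that keep the two
! VLANs apart while still allowing DHCP and NAT-ed Internet access.
ip access-list extended VLAN10_IN
 remark DHCP discover/request arrives from 0.0.0.0, so permit it first
 permit udp any eq bootpc any eq bootps
 remark desktops may not reach the wireless subnet
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark everything else from the desktop subnet (gateway, DNS, Internet)
 permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended VLAN20_IN
 permit udp any eq bootpc any eq bootps
 remark wireless clients may not reach the desktop subnet
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark assumption: wireless clients have no need for the VLAN 1 management subnet
 deny   ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
! The implicit "deny ip any any" at the end of each list also drops
! packets whose source address does not belong to the VLAN's subnet.
interface Vlan10
 ip access-group VLAN10_IN in
!
interface Vlan20
 ip access-group VLAN20_IN in
!
! NAT is unaffected: access-list 1 still selects which inside
! subnets are translated on FastEthernet0/0.
```

`show ip access-lists` displays per-entry match counters, so a ping from a host in one VLAN to the other should increment the corresponding deny line.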
