Need Advice

Mr Big Member Posts: 47
Hello All,

This is NOT an exam question :D , just a problem I am assisting with.

I have a scenario: I have an Edgemarc E-3200 connected to a Cisco Catalyst switch. Connected to the switch are 2 IP ranges, one of them private (192.168.0.0/24) and the other a public IP range with a /27 mask. I want to replace the Edgemarc with a Cisco 2811 router, which has 2 fast ethernet ports. FA0/0 will be the port accessing the WAN provided by COX Cable, and the FA0/1 will be the internal port connected to the switch. What do you recommend I should do with the 2811 to make both IP ranges talk out to the internet?

Private Range Inside / 24 \____________ WAN
Public Range Inside / 27 /

Comments

  • BubbaJ Member Posts: 323
    The answer depends on how you have the networks configured on the switch, and how they get off the switch.

    Are you using VLANs? Do they trunk to the current router?
  • Danman32 Member Posts: 1,243
    First off, you have 2 subnets on the same physical lan? Why?
    This can be done but it is bad form, though you can have VLANs, which are essentially separate LANs. Also, an end-node host (i.e. a PC) can generally only be on one of the LANs at any one time.

    Your private addresses cannot go over the internet without using NAT.
    Actually it is more accurate to say that nodes with private IPs cannot send packets over the internet without their address being translated by a NAT.
  • Mr Big Member Posts: 47
    Currently, there are no VLANs. I am not sure how the configuration is in the EdgeMarc; I'm not even going to try, it's pretty flaky, which is why we are replacing it. I can create a VLAN no problem, but how do I get these two dynamic IP ranges, one public and one private with two masks, to talk out to the WAN?
  • Mr Big Member Posts: 47
    Danman32 wrote:
    First off, you have 2 subnets on the same physical lan? Why?
    This can be done but it is bad form, though you can have VLANs, which are essentially separate LANs. Also, an end-node host (i.e. a PC) can generally only be on one of the LANs at any one time.

    Your private addresses cannot go over the internet without using NAT.
    Actually it is more accurate to say that nodes with private IPs cannot send packets over the internet without their address being translated by a NAT.

    They are scared of change. They have the public range for servers, and they don't want to reconfigure them to private IPs because everything in the network is configured to point to these IPs. It's 30 hosts.
  • BubbaJ Member Posts: 323
    You can use secondary addressing on the router port, or you can use 802.1Q to trunk to the router and use subinterfaces on the router. I would recommend trunking.

    You will have to NAT to let the devices on the private network access the Internet. If the privately addressed devices can get to the Internet today, the current router is using NAT so it is not a change.
  • Mr Big Member Posts: 47
    BubbaJ wrote:
    You can use secondary addressing on the router port, or you can use 802.1Q to trunk to the router and use subinterfaces on the router. I would recommend trunking.

    You will have to NAT to let the devices on the private network access the Internet. If the privately addressed devices can get to the Internet today, the current router is using NAT so it is not a change.

    Can you direct me to some references I can use to go about doing this? Excuse my ignorance if this is a stupid question, but if I VLAN the private IP range, and VLAN the public IP range, then trunk them to FA0/1.1 and FA0/1.2, how can I NAT if they are both in one trunk? Can this still be done?

    Also, how do I make the two trunks talk to a WAN IP with a /29 subnet? It's pretty crazy, I know :D
  • Mr Big Member Posts: 47
    Would IP route to gateway 0.0.0.0 work? Just to make things easier instead of trunking?
  • Danman32 Member Posts: 1,243
    You would designate the FA0/1.x that has the private address as being on the inside. The wan interface would be on the outside.


    I am still unsure of the config you had and the config you want though.
    Are we dealing with 3 logical interfaces on the router: one for the WAN, one for the private address and one for the public?
    If so, I am confused about the wan interface network number and the public LAN network number. If it is the same network, it shouldn't be routed.
  • Mr Big Member Posts: 47
    Danman32 wrote:
    You would designate the FA0/1.x that has the private address as being on the inside. The wan interface would be on the outside.


    I am still unsure of the config you had and the config you want though.
    Are we dealing with 3 logical interfaces on the router: one for the WAN, one for the private address and one for the public?
    If so, I am confused about the wan interface network number and the public LAN network number. If it is the same network, it shouldn't be routed.

    There are 2 interfaces on the router, one for WAN, and one for private and public, to talk to the WAN.

    The config I want is the simplest way to have both the private IP range (192.168.0.100 - 200 with a /24 mask) and an internal but public IP range of 29 IPs with a mask of /27 talk out to the WAN with a mask of /29.
  • BubbaJ Member Posts: 323
    I think you should trunk and use NAT on the private subinterface. This seems to be the most supported way, and someone coming in from the outside to service this will be familiar with this type of configuration.
  • Mr Big Member Posts: 47
    BubbaJ wrote:
    I think you should trunk and use NAT on the private subinterface. This seems to be the most supported way, and someone coming in from the outside to service this will be familiar with this type of configuration.

    Will different subnets matter when trunking? How about the public IP range? I was thinking of putting the public servers in front of the router, exposed to the WAN; however, it's more of a security issue, and I'm not sure if it's an issue.
  • BubbaJ Member Posts: 323
    Mr Big wrote:
    Will different subnets matter when trunking?
    That is what trunking is for. Trunking is different VLANs (networks) riding on the same connection to another device. When the trunk goes to a router, the separate VLANs are broken out into separate logical interfaces (subinterfaces) that work like regular interfaces (with very few exceptions that don't apply here).

    This configuration will be very familiar to anyone that should be allowed to touch your router.
  • Mr Big Member Posts: 47
    Another stupid question. What will " IP Route 0.0.0.0 0.0.0.0 0.0.0.0" do? Will it have any IP inside of the network talk to any IP outside?
  • Danman32 Member Posts: 1,243
    If you have 2 physical interfaces, and you trunk one of them into 2 virtual VLAN interfaces, that gives 3 logical interfaces.

    You specified the IP range for the 2 sub-interfaces, but have not specified the WAN interface which has to be a different network. It is possible to take the WAN IP range and subnet it to a network behind the router. The ISP would probably need to be aware of your router for the public addresses behind the router.

    Now you could put the switch in front of the router and have both router interfaces connect to the switch to route between the 2 subnets. However, your LAN is potentially exposed.
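The layout BubbaJ and Danman32 describe above (two VLANs trunked over FA0/1 into two subinterfaces, NAT applied only to the private one, the WAN /29 on FA0/0, three logical interfaces in total) written out as an added example; it is not from the thread or from either poster. VLAN IDs 10 and 20, the RFC 5737 documentation addresses standing in for the real /27 and /29, the ISP next hop, the switch port numbers and the server ports admitted from the WAN are all assumptions, and the comment at the top of each section says which device it is for.

```cisco
! ===== Catalyst switch (added example; assumed VLAN IDs 10 and 20) =====
vlan 10
 name PRIVATE
vlan 20
 name PUBLIC-SERVERS
!
! Each host lives in exactly one VLAN (assumed port numbers)
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
!
! Uplink to the 2811's FA0/1: one 802.1Q trunk carrying both VLANs
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ===== Cisco 2811 (added example; documentation addresses, RFC 5737) =====
!   WAN /29 from the ISP : 198.51.100.0/29, router is .2, ISP next hop is .1
!   public /27 behind it : 203.0.113.0/27, router is .1
!   private /24          : 192.168.0.0/24, router is .1
interface FastEthernet0/0
 description WAN to ISP
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
 ip access-group WAN-IN in
 ip inspect FW out
 no shutdown
!
interface FastEthernet0/1
 description 802.1Q trunk to Catalyst
 no ip address
 no shutdown
!
interface FastEthernet0/1.10
 description private LAN, translated on the way out
 encapsulation dot1Q 10
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.20
 description public server LAN, routed without translation
 encapsulation dot1Q 20
 ip address 203.0.113.1 255.255.255.224
!
! Only the private range matches the NAT ACL, so the public /27 leaves
! untranslated even though both VLANs arrive on the same trunk.
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Default route: the next hop is the ISP's address on the /29, not 0.0.0.0
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Stateful inspection of sessions leaving FA0/0 opens the return path
! through WAN-IN dynamically, so WAN-IN itself can stay strict.
ip inspect name FW tcp
ip inspect name FW udp
!
! The public /27 is directly reachable from the Internet, so admit only the
! services those servers actually offer (assumed: HTTP/HTTPS) and log the rest.
ip access-list extended WAN-IN
 permit tcp any 203.0.113.0 0.0.0.31 eq 80
 permit tcp any 203.0.113.0 0.0.0.31 eq 443
 deny ip any any log
```

For the /27 to work this way the ISP must route it to 198.51.100.2, which is Danman32's point about the provider needing to know about the router; without that route the public servers will never see inbound traffic. On the router, `show ip interface brief` should list FA0/0, FA0/1.10 and FA0/1.20 as up, `show ip nat translations` should show entries only for 192.168.0.x hosts, and on the switch `show interfaces trunk` should show VLANs 10 and 20 allowed and active on the uplink.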