  • Status: Solved
Help Configuring Cisco 871 (default IOS) - Primary IP and Secondary Public Subnet

Here is basically what we are trying to do with this router.

1.  Route the primary IP address to a private DHCP block for all station computers to use for internet browsing, providing the DHCP service via one of the FastEthernet ports. This will interface with a Cisco 48-port switch on this subnet only.

2.  Route the secondary BLOCK of PUBLIC IP addresses to one or two specific devices. I would also like to give "priority" to this block of IPs, or at least the IP we have the decoder on. This will also interface with a separate switch with the second subnet only.

Primary:
Interface IP: 24.X.X.6
Subnet mask: 255.255.255.X
Gateway: 24.X.X.5
DNS: 69.X.X.2

Secondary:
Subnet of primary: 24.X.X.192/29 with 6 usable IPs
Usable IPs: 24.X.X.193-198
Subnet mask: 255.255.255.X
Gateway: 24.X.X.193
Broadcast: 24.X.X.199
DNS: 69.X.X.2

I believe that in order to do this we would need the "Advanced IP Services Cisco IOS Software Image"? Is this correct, or is this setup possible with the "Advanced Security Software Image" (default image) that comes with this model? I'd be grateful if you could give help on the actual config of this.

Thanks

Joe
1 Solution

tvman_od Commented:
I think you don't need any advanced features for your task.

1. How to run DHCP service from the router
Check this out for comprehensive information: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/easyip2.htm
And you need to configure NAT (network address translation) for your private network
http://www.cisco.com/warp/public/556/12.html

2. For your public block you don't need to do anything. Just make sure it's assigned to you by the ISP. One of the addresses, usually the first one, should be configured on the Ethernet interface facing the secondary network. From your post it should be 24.X.X.193.
Regarding priority, you need to specify what kind of priority we are talking about. It might be a very simple or a complex solution involving some arrangements with your ISP.

jwinston27 (Author) Commented:
Thanks for the reply, Tvman.
I should have made this more clear. The two outside IP blocks are in different subnets. So it would be a little different setup, wouldn't it?

Primary:
Interface IP: 24.X.X.6
Subnet mask: 255.255.255.X
Gateway: 24.X.X.5
DNS: 69.X.X.2

Secondary:
Subnet of primary: 24.Y.Z.192/29 with 6 usable IPs
Usable IPs: 24.Y.Z.193-198
Subnet mask: 255.255.255.X
Gateway: 24.Y.Z.193
Broadcast: 24.Y.Z.199
DNS: 69.X.X.2

tvman_od Commented:
Could you describe the situation with the first block? How is it being delivered, and what type of interface do you have? Do you use private IPs, and if you don't, what is the reason to use public IPs for end users instead of NAT?
I need to know hardware configuration of your 871 and equipment connected to its interfaces.
jwinston27 (Author) Commented:
Basically the primary block is the main IP block (FE4) given to us. This side will be separated into vlan1 (ex. FE0, FE1) with DHCP. We then had to order a second block of public IPs, but the ISP wasn't able to give us IPs in the same subnet, so they subnetted a block off of the primary block. This was to separate the two networks on the 10MB pipe. The secondary block (FE2, FE3) will be used for an 8MB video feed, and the primary 2MB side will be internal office traffic. So basically we just need to figure out the secondary block and how to set it up on this router. Wouldn't we need to have the ability of more than one VLAN? Right now the 871 we have only allows one VLAN. I hope this is what you were looking for.

tvman_od Commented:
I do not recommend routing VLANs on the 871; you may face some performance issues.

Still you don't need to do anything, just assign 24.Y.Z.193 address to the interface facing toward LAN where you want to have the secondary block.

Once again, what is the reason to have public IPs assigned to office stations? In most cases it's pure waste. NAT will work for 99.9% of office applications, unless your users run servers on their computers which should be accessible from the public Internet.

jwinston27 (Author) Commented:
The secondary public IPs will be used for video feed devices that need to be accessible by separate public IPs. Your method makes sense, but how do I assign both the primary and secondary IP to the interface and then route them to their designated LANs? If I'm not getting it, I apologize, as I'm still fairly new to this. I really appreciate your help.

Joe

tvman_od Commented:
You don't need to apologize; that's the whole point of this forum.
You said that the secondary network will be connected to another interface on the router and a separate Ethernet switch. So your ISP will forward all packets with these IPs to your router; the router will receive a packet and detect that the network is directly connected to one of its interfaces. Then it will just forward the packet to the final destination. Replies will go the same way: a host will send all the packets to the default gateway, which is 24.Y.Z.193, assigned to your router. The router will see that the packet is addressed to a host in the public Internet and will use its own default gateway pointing to the external interface to your ISP.

There are different options, so it might be built in a different way, let's say using virtual bridge interfaces, but I need to know the exact hardware and software configuration to get your situation resolved.


jwinston27 (Author) Commented:
Actually, the fiber connection that comes into the facility only has one WAN interface connection. From there they have internally separated the two subnets (24.X.X.5 is primary and 24.Y.Z.193 hangs off of the primary). So from that WAN interface the ISP has set up, we are coming into the Cisco 871's WAN interface. Then we would like to separate the primary from the secondary IP blocks. From there one of the FastEthernet ports would go to a 48-port switch for internal

So what you're saying to do is just set the WAN interface on the Cisco 871 to the secondary IP block? Then we can use the 6 outside IPs if needed, and from there anything coming into 24.Y.Z.193 from outside will come through 24.X.X.5 and be forwarded to 24.Y.Z.193, and vice versa.

tvman_od Commented:
Not exactly.
You keep your WAN as is. Look at the diagram:


WAN 24.X.X.5 -------> 24.X.X.6 Cisco 871 ---------> (NAT) LAN0 (Private IP 192.168.x.x or 10.y.y.y)
                                   |
                                   |
                                 LAN1
                                   |
                               24.Y.Z.193
                                   |
                        (Secondary LAN, 5 IPs)
For your small device it might be a VLAN configuration, and you can consider this public block of addresses as a DMZ.
Do you configure it with SDM or CLI?
Actually, you may want to assign one of the LAN ports to VLAN2 and put 24.Y.Z.193 as the IP of interface Vlan2. It will be like a virtual port visible through that dedicated Ethernet port.

jwinston27 (Author) Commented:
Your diagram clears this up for me and makes a lot of sense. I have used both SDM and CLI. I prefer SDM because I'm still a novice using the CLI, but if you have any suggestion, I'm open to learning more about the CLI. We actually just sent the Cisco 871 default IOS model back for the Advanced IP IOS model, which has the extra VLAN configuration. I will be following your model and programming it tomorrow. I really appreciate your help with everything. I know I have already learned a lot going through all this.

tvman_od Commented:
With the CLI, try to create VLAN 2. One of the ports will look like this:

vlan 2
 name DMZ

interface fa1
 switchport mode access
 switchport access vlan 2

interface Vlan2
 ip address 24.Y.Z.193 255.255.255.248

Ta-da-a-a!
I've never seen these small routers, but it's very basic and should work with any IOS device.

jwinston27 (Author) Commented:
Tvman, one question: I've added vlan2 (ip address 24.Y.Z.193 255.255.255.248). How do I route that vlan2 out through the WAN? Don't I have to go through its gateway (24.Y.Z.192) and then through the WAN?

jwinston27 (Author) Commented:
The config:

Building configuration...

Current configuration : 4466 bytes
!
! Last configuration change at 12:29:44 PCTime Tue Oct 23 2007 by admin
! NVRAM config last updated at 12:29:50 PCTime Tue Oct 23 2007 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname WLTZ_1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$Jlh8$wkCmjFh6Dd9llxCTghyOt.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 69.1.30.2 69.1.30.3
   default-router 10.10.10.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 69.1.30.2
ip name-server 69.1.30.3
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2920800478
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2920800478
 revocation-check none
 rsakeypair TP-self-signed-2920800478
!
!
crypto pki certificate chain TP-self-signed-2920800478
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32393230 38303034 3738301E 170D3032 30333031 30303035
  35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39323038
  30303437 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AD87 92E0EDDB 956FEC56 0C74971F CC907973 7ADB59B4 C32CACF8 4A3D9FC3
  01EDEAE2 56E3E2D1 0FAA8C3D EE40A625 746E6679 1D30D026 3EC58CAF C7922CEE
  4807BDC7 3CB24698 8C3BCB74 EF92784B A1C02997 4B35B7CA 5C0FB060 4DF81979
  886871FC B6A369D5 7F6F6F9E 2B355087 8A0BF4AE 335F4E98 E80C7962 43FFAFE6
  728F0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 146F4501 DF53F909 87AD9E6E A617C814 E407F944
  BB301D06 03551D0E 04160414 6F4501DF 53F90987 AD9E6EA6 17C814E4 07F944BB
  300D0609 2A864886 F70D0101 04050003 8181003E F17890B8 65FC7F8D 6038921B
  F53E1D52 C526AEAC 39A60BDA 3A817812 3AD50C1E 1496AF18 E38902CB 532EE865
  EE8781D2 50413142 FCA2EF32 E0E25CB7 005573B5 E18288A9 E094047D A29B6A67
  E3F6C7D3 3D00327B 4321A0FC CC7B8286 08DDE008 917C3CEB FF9F801A 57FE9830
  6854CCA1 D98C3B90 CFD18452 C62D8EAC 9FCA4C
  quit
username admin privilege 15 secret 5 $1$3myA$37nAZBzm1oYEdFtWT.Ooe.
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 24.X.X.6 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 24.Y.Z.193 255.255.255.248
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.X.X.5
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

tvman_od Commented:
Because it will be processed by the same routing kernel, you don't need to tell it anything extra.

show ip route

will show all the routes known to the router.

Just make sure that your ISP does routing for 24.Y.Z.192 through 24.X.X.6
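
How the router arrives at that decision, as an added example that is not part of the thread: a Python model of the forwarding table the posted running-config produces. It illustrates the point tvman makes here and in the earlier reply, that 24.Y.Z.192/29 is a directly connected network, so an inbound packet for it takes the Vlan2 route while the devices' replies fall through to the static default via 24.X.X.5, and that the NAT overload rule only rewrites sources matched by access-list 1 (10.10.10.0/24), so the video devices keep their own public addresses. The thread masks the real addresses, so RFC 5737 documentation prefixes stand in for them here (198.51.100.4/30 for the WAN link, 203.0.113.192/29 for the secondary block, 192.0.2.10 as an arbitrary Internet host); those values and the helper names are assumptions of this example, not the OP's real numbers.

```python
import ipaddress

# Added example: a model of the 871's forwarding decision, built from the
# running-config posted in the thread. The thread masks the real addresses
# as 24.X.X.x and 24.Y.Z.x; RFC 5737 documentation prefixes stand in for
# them here (an assumption, not the OP's real numbers).
WAN_IF = "FastEthernet4"
WAN = ipaddress.ip_interface("198.51.100.6/30")    # 24.X.X.6 255.255.255.252
ISP_GW = ipaddress.ip_address("198.51.100.5")      # 24.X.X.5, the ISP gateway
LAN = ipaddress.ip_interface("10.10.10.1/24")      # interface Vlan1, ip nat inside
DMZ = ipaddress.ip_interface("203.0.113.193/29")   # interface Vlan2 (24.Y.Z.193/29)

# Routing table as 'show ip route' would list it: three connected routes
# plus 'ip route 0.0.0.0 0.0.0.0 <ISP>'. Entry = (prefix, next hop or None
# when directly connected, egress interface).
ROUTES = [
    (WAN.network, None, WAN_IF),
    (LAN.network, None, "Vlan1"),
    (DMZ.network, None, "Vlan2"),
    (ipaddress.ip_network("0.0.0.0/0"), ISP_GW, WAN_IF),
]

# 'ip nat inside source list 1 interface FastEthernet4 overload' together
# with 'access-list 1 permit 10.10.10.0 0.0.0.255'.
NAT_ACL = [ipaddress.ip_network("10.10.10.0/24")]
NAT_INSIDE = {"Vlan1"}
NAT_OUTSIDE = {WAN_IF}


def lookup(dst):
    """Longest-prefix match over ROUTES, the way the IOS RIB picks a route."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in ROUTES if dst in r[0]]
    if not matches:
        return None
    prefix, nh, ifname = max(matches, key=lambda r: r[0].prefixlen)
    return {"prefix": str(prefix),
            "next_hop": "connected" if nh is None else str(nh),
            "interface": ifname}


def ingress_interface(src):
    """Interface a packet with this source arrives on: a connected LAN, else the WAN."""
    src = ipaddress.ip_address(src)
    for prefix, nh, ifname in ROUTES:
        if nh is None and ifname != WAN_IF and src in prefix:
            return ifname
    return WAN_IF


def forward(src, dst):
    """One packet through the router: chosen route, and whether NAT rewrites the source."""
    route = lookup(dst)
    if route is None:
        return None
    in_if, out_if = ingress_interface(src), route["interface"]
    src_ip = ipaddress.ip_address(src)
    # NAT applies only inside -> outside and only to sources matched by the ACL,
    # so traffic from the Vlan2 /29 leaves with its own public address.
    natted = (in_if in NAT_INSIDE and out_if in NAT_OUTSIDE
              and any(src_ip in n for n in NAT_ACL))
    return {"in": in_if, "out": out_if, "next_hop": route["next_hop"],
            "src_after": str(WAN.ip) if natted else str(src)}


if __name__ == "__main__":
    for s, d in [("10.10.10.20", "192.0.2.10"),      # office PC browsing
                 ("203.0.113.194", "192.0.2.10"),    # video decoder replying
                 ("192.0.2.10", "203.0.113.194"),    # Internet reaching the decoder
                 ("10.10.10.20", "203.0.113.194")]:  # office PC reaching the decoder
        print(f"{s:>15} -> {d:<15} {forward(s, d)}")
```

The one thing the model cannot show is the upstream half that tvman asks the OP to verify: the ISP must route 24.Y.Z.192/29 towards 24.X.X.6, otherwise inbound packets for the /29 never reach the router in the first place.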
jwinston27 (Author) Commented:
OK, sounds good. Does my config look OK to you? I've set up FE2 and FE3 for Vlan2. What is the CLI command to set Vlan2 to DMZ? I tried "name dmz" but it didn't work.

tvman_od Commented:
:)
DMZ means De-Militarized Zone, so it's like a protected area with public access.

Config is OK, at least I don't see any obvious mistakes.
A little note: DO NOT connect both FE2 and FE3 to the same switch assuming that you get more bandwidth. STP (Spanning Tree Protocol) will block one of the ports in order to avoid loops in the Ethernet media. If the active port dies, STP will unblock the second port.
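
The checks a security reviewer would add to the sign-off above, as an added example that is not code from the thread: a Python audit of the posted running-config. Reachability is fine, but as posted the config has no "ip access-group" on Vlan2 (the public /29 called a DMZ is reachable on every port) or on the WAN interface (the router's own telnet, SSH and HTTP services face the Internet), keeps "ip http server" alongside "ip http secure-server", and lets the vty lines accept telnet. The script splits the config into interface and line blocks, reports those four points, and confirms the NAT overload ACL covers only RFC 1918 space, which is what keeps the video devices on their own public addresses. SAMPLE_CONFIG is an abridged copy of the posted config with the masked addresses replaced by RFC 5737 prefixes (constructed input); the check names and severities are this example's own, not anything from the thread or from Cisco.

```python
import ipaddress
import re

# Added example (not from the thread): audit of the IOS running-config posted
# above. SAMPLE_CONFIG is an abridged copy of that config with the thread's
# masked addresses (24.X.X.x / 24.Y.Z.x) replaced by RFC 5737 documentation
# prefixes; it is constructed input, not the OP's live device.
SAMPLE_CONFIG = """\
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 198.51.100.6 255.255.255.252
 ip nat outside
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Vlan2
 ip address 203.0.113.193 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 198.51.100.5
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 10.10.10.0 0.0.0.255
no cdp run
line vty 0 4
 login local
 transport input telnet ssh
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_config(text):
    """Split an IOS config into top-level commands and indented sections.

    Returns (top, sections): top is the list of unindented commands; sections
    maps a block header such as 'interface Vlan2' or 'line vty 0 4' to its
    indented sub-commands, stripped of leading whitespace."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                # sub-command of the current block
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ", "ip dhcp pool ")):
            current = line
            sections[current] = []
        else:
            current = None
            top.append(line)
    return top, sections


def interface_address(cmds):
    """The 'ip address A M' of an interface block as an ip_interface, or None."""
    for c in cmds:
        m = re.match(r"ip address (\S+) (\S+)$", c)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def audit(text):
    """Return security findings for the config as (severity, message) tuples."""
    top, sections = parse_config(text)
    findings = []
    for header, cmds in sections.items():
        if header.startswith("interface "):
            addr = interface_address(cmds)
            if addr is None:
                continue
            filtered = any(c.startswith("ip access-group ") for c in cmds)
            private = any(addr.ip in n for n in RFC1918)
            if private or filtered:
                continue
            if "ip nat outside" in cmds:
                findings.append(("HIGH", f"{header}: WAN interface has no inbound ip access-group; "
                                 "the router's own management services are open to the Internet"))
            else:
                findings.append(("HIGH", f"{header}: public subnet {addr.network} has no inbound "
                                 "ip access-group; calling it a DMZ filters nothing"))
        elif header.startswith("line vty"):
            for c in cmds:
                if c.startswith("transport input ") and "telnet" in c.split():
                    findings.append(("MEDIUM", f"{header}: telnet accepted for remote login "
                                     "('transport input ssh' keeps only SSH)"))
    if "ip http server" in top:
        findings.append(("MEDIUM", "ip http server: cleartext management (SDM) is enabled; "
                         "keep only ip http secure-server"))
    # The overload ACL must match private space only; a permit for public space
    # would translate the Vlan2 /29 to the WAN address instead of keeping it.
    for g in top:
        m = re.match(r"ip nat inside source list (\d+) ", g)
        if not m:
            continue
        for a in top:
            n = re.match(rf"access-list {m.group(1)} permit (\S+) (\S+)$", a)
            if n:   # ipaddress accepts the IOS wildcard (hostmask) form directly
                net = ipaddress.ip_network(f"{n.group(1)}/{n.group(2)}")
                if not any(net.subnet_of(p) for p in RFC1918):
                    findings.append(("HIGH", f"{a}: NAT overload ACL matches non-RFC1918 space {net}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

The parser keys on IOS's one-space indentation for sub-commands and "!" separators, which is also how the posted config is laid out; anything under "interface", "line" or "ip dhcp pool" becomes a section, everything else is a global command.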
jwinston27 (Author) Commented:
Just so everyone knows, Tvman's instructions worked great. Sent the router to our facility and it was plug and play. Hats off to Tvman. Thanks again.

Joe

tvman_od Commented:
You are very welcome.