Solved

Multiple Subnets with one router

Posted on 2007-11-25
Last Modified: 2012-05-05
We are currently running a really great switch with a really lame router in our office and I need to see if it's possible to do a complicated configuration with this setup.

We have the following:
Cisco Catalyst 2950 Switch
Linksys wrt300n router
Cable internet connection

I have run into the need to set up 2 separate Windows Small Business Server 2003 networks using the equipment above.  I am a beginner to trunking and VLANs and I'm wondering if it is possible to set something like this up.  I know that the Cisco can do VLANs but I'm not exactly sure how to configure this (I think I've done it but not sure).  I'm also not sure how to make 2 VLANs on 2 different subnets not see each other but see and use the same router (what IP should the router have?).  In the end I'd like to have something like the following:

Network 1
Windows Small Business Server as domain controller, dhcp, DNS etc.
@ IP 192.168.10.1, 255.255.255.0

Network 2
Windows Small Business Server as domain controller, DHCP, DNS etc.
@ IP 192.168.1.1, 255.255.255.0

Both networks using Linksys WRT300n as the gateway to the internet (not sure what the IP of the linksys should be)

I think I've got the VLANs setup via cisco network assistant but can't be sure as I'm a noob.
Basically I left everything alone except gave port 24 (where the second SBS server will connect to) the following settings:
Admin Mode - Static Access
Static Access VLAN - 2
I also changed the settings of Port 1 to the following for trunking (this is the port that connects to the linksys)
Admin Mode - 802.1q Trunk
Trunk Allowed Vlans - ALL
Pruning Vlans - 2-1001
Native Vlan - 1

All other ports were left to their defaults which appear to be vlan 1

Currently the router is setup at IP 192.168.10.254

I've got one SBS working but it is on VLAN 1 and has an IP of 192.168.10.1, 255.255.255.0
I can't seem to get the other SBS working on VLAN 2 with an IP of 192.168.1.1
I've tried with a subnet mask of 255.255.255.0 and 255.255.0.0 and still nothing.

Can someone please advise me as to how to get this working (or if it's even possible).  Is my switch config right?  What should the router IP be?  What should the network settings on the SBS servers be?  What else am I missing?

Thanks much in advance for any help.
Question by:EnvisionTech

Accepted Solution by Jeffrey Kane - TechSoEasy (LVL 74), earned 250 total points, ID: 20348356
Do you have more than one WAN IP address?  Because if you don't, then you cannot have multiple, fully-operational Small Business Servers running behind the same Internet connection.

That Catalyst switch is making you think you have something valuable to help you with your solution, and trying to make it do something it's not capable of is only going to further frustrate you.

If you do have more than one IP address available, then you need to get yourself another router and put a small switch BEFORE the two routers.

Then you will have the following:
                                 /---------- Router A ---- SBS A --->>> LAN A   (192.168.10.0/24 Subnet)
MODEM -- Switch ----
                                 \---------- Router B ---- SBS B --->>>  LAN B   (192.168.16.0/24 Subnet)

Your Subnet mask on both would be 255.255.255.0 and I suggest that you don't use the 192.168.1.0 IP Subnet in order to avoid conflicts with VPN Connections from remote locations using the same IP Subnet.

Jeff
TechSoEasy

Assisted Solution by CCIE8122 (LVL 4), earned 250 total points, ID: 20348357
So the 2950, as you are probably aware, will not do inter-VLAN routing.  This means that although you can create multiple VLANs on the switch, you have to trunk those VLANs to a layer-three device that can then route between them.  Fortunately, the 2950 does support 802.1Q trunking of VLANs.

Unfortunately, the Linksys will likely not even support VLANs or VLAN trunking, and it probably only has two logical interfaces (an Internet interface and a LAN interface, with the LAN interface tied to an internal switch that may have multiple ports).  So when you enable trunking on the Catalyst, all it is doing is autonegotiating the trunk type -- and since it sees no DTP PDUs from the Linksys, it just sends frames untagged with the native VLAN (VLAN 1), which is why it works, but VLAN 10 does not.

The upshot is that you would need three logical interfaces on the router to accomplish what you want to do: one for each VLAN (each of which would have a dedicated connection from the 2950 with the VLAN assigned to that port), and one for the WAN/Internet connection.

The only way around this is to upgrade either the switch or the router.  Probably your best bet is to upgrade the router (as the switch would be pretty expensive).  You could pick up something like a Cisco 871 that has a four-port switch and support for VLANs and 802.1Q.  You will need to be sure that you upgrade to the Advanced IP Services IOS Feature Set, as the Base IP IOS Feature Set only supports 2 VLANs.

With the 871, you can make one of the interfaces a VLAN trunk (with two subinterfaces, each having an IP address) to the 2950, and another of the interfaces a routed port to the Internet/outside.  The 871 would route between all three logical interfaces by default, and you can simply configure ACLs to deny the traffic between the two Windows domains.

Then you just use the Linksys as an 802.11n AP, not as a router anymore.

Sample code attached for 871 and 2950.

HTH

kr
!======== 871 Configuration: ========!
vlan 10
 name WIN1
 no shutdown
vlan 20
 name WIN2
 no shutdown
!
interface FastEthernet0
 description ****** 802.1Q Trunk to 2950 ******
 switchport mode trunk
 ! 802.1Q is the only trunk encapsulation the 871 supports, so no encapsulation command is needed
 switchport trunk allowed vlan all
 no shutdown
interface FastEthernet1
 shutdown
interface FastEthernet2
 shutdown
interface FastEthernet3
 shutdown
interface FastEthernet4
 description ****** Internet connection ******
 ! 100.100.100.0/30 stands in for the real WAN addressing from the ISP
 ip address 100.100.100.1 255.255.255.252
 no shutdown
!
! One SVI per Windows domain; each is the default gateway for its subnet
interface Vlan10
 description ****** WIN1 ******
 ip address 192.168.1.254 255.255.255.0
 ip access-group WIN1_IN in
interface Vlan20
 description ****** WIN2 ******
 ! must be a different subnet from Vlan10; the ACLs below expect WIN2 to be 192.168.10.0/24
 ip address 192.168.10.254 255.255.255.0
 ip access-group WIN2_IN in
!
ip route 0.0.0.0 0.0.0.0 100.100.100.2
!
! Block traffic between the two Windows domains in both directions, allow everything else (Internet)
ip access-list extended WIN1_IN
 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
ip access-list extended WIN2_IN
 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any

!======== 2950 Configuration: ========!
vlan 10
 name WIN1
 no shutdown
vlan 20
 name WIN2
 no shutdown
!
interface FastEthernet0/1
 description ****** 802.1Q Trunk to 871 ******
 switchport mode trunk
 ! the 2950 trunks 802.1Q only, so no encapsulation command is needed
 switchport trunk allowed vlan all
 no shutdown
! Server and client ports are placed in a VLAN with "switchport mode access" and
! "switchport access vlan 10" (or 20), as the question already did for port 24
!
! The 2950 can only have one active SVI, so Vlan1 is shut and Vlan10 is used for management
interface Vlan1
 no ip address
 shutdown
interface Vlan10
 description ****** Management Interface ******
 ip address 192.168.1.253 255.255.255.0
 no shutdown
!
! The 2950 is a layer-2 switch; its management traffic uses a default gateway, not a static route
ip default-gateway 192.168.1.254
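As an added check that is not code from any of the posters, here is a Python script that parses the SVI addresses and inbound ACLs out of an IOS-style config shaped like the 871 listing and reports either an SVI subnet overlap or a VLAN whose ACL does not deny its subnet talking to the other VLAN's subnet; the embedded config is constructed and deliberately gives both SVIs the same address so the check has something to find.

```python
import ipaddress
import re
from itertools import combinations
# Constructed sample (hypothetical), shaped like the 871 listing above; both SVIs are
# deliberately given the same address so the check has something to report.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.168.1.254 255.255.255.0
 ip access-group WIN1_IN in
interface Vlan20
 ip address 192.168.1.254 255.255.255.0
 ip access-group WIN2_IN in
ip access-list extended WIN1_IN
 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended WIN2_IN
 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def parse_config(text):
    """Collect each SVI's subnet and inbound ACL name, and each extended ACL's deny rules."""
    svis, acls, cur_if, cur_acl = {}, {}, None, None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):  # only SVIs are tracked
            cur_acl, cur_if = None, m[1] if m[1].startswith("Vlan") else None
            if cur_if:
                svis[cur_if] = {"net": None, "acl": None}
        elif m := re.match(r"ip access-list extended (\S+)", line):
            cur_acl, cur_if = m[1], None
            acls[cur_acl] = []
        elif cur_if and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            svis[cur_if]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur_if and (m := re.match(r"\s+ip access-group (\S+) in", line)):
            svis[cur_if]["acl"] = m[1]
        elif cur_acl and (m := re.match(r"\s+deny ip (\S+) (\S+) (\S+) (\S+)", line)):
            # IOS wildcard masks are host masks, which ipaddress accepts; "any" is not handled
            acls[cur_acl].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                                  ipaddress.ip_network(f"{m[3]}/{m[4]}")))
    return svis, acls

def check_isolation(text):
    """Return findings (empty = pass): overlapping SVI subnets or a missing cross-subnet deny."""
    svis, acls = parse_config(text)
    nets = {name: s["net"] for name, s in svis.items() if s["net"]}
    findings = [f"{a} and {b} overlap: {nets[a]} vs {nets[b]}"
                for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]
    for a, b in ((a, b) for a in sorted(nets) for b in sorted(nets) if nets[a] != nets[b]):
        rules = acls.get(svis[a]["acl"], [])
        if not any(nets[a].subnet_of(s) and nets[b].subnet_of(d) for s, d in rules):
            findings.append(f"{a} ACL does not deny {nets[a]} -> {nets[b]}")
    return findings
```

Run it against the 871 config before pasting it into the router; with the Vlan20 address changed to 192.168.10.254 it returns an empty list, and dropping either deny line makes it name the VLAN that can leak into the other.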


Expert Comment by Jeffrey Kane - TechSoEasy (LVL 74), ID: 20348361
FYI, if you don't have more than one WAN IP address, then you cannot receive inbound email for your second SBS's Exchange Server, which uses port 25, and you wouldn't be able to provide Outlook Web Access, which must run on port 443.

A single WAN router can only NAT those ports to a single internal IP Address.

Other inbound ports could be changed, but without Exchange you don't really have much of an SBS running.

Jeff
TechSoEasy

Expert Comment by lrmoore (LVL 79), ID: 20349223
Agree with CCIE8122 that your router is the weak point here. Some Linksys routers will let you do a "hardware" DMZ where you could use two physical LAN ports, one connected to VLAN1 and one connected to VLAN2. This will let you assign a different IP subnet to the DMZ and use a 2nd public IP address for this subnet. Alas, your 300n is not one of these. It will only do a single DMZ "host" which is not at all what you need.

Options include Cisco gear - 837, ASA5510 (my favorite and recommended choice), Linksys RV0x series non-wireless routers, and I'm sure there are others but I'm partial to Cisco/Linksys.

Any one of these will solve both issues of being able to use multiple Internet IPs and take advantage of the VLANs on the switch. Neither of which you can do with what you have.

You can still use the wireless features of the current router as a simple access point.

Expert Comment by Jeffrey Kane - TechSoEasy (LVL 74), ID: 20354010
lrmoore and CCIE8122 are both looking at this from an ENTERPRISE mindset.  In a Small Business Server environment, a router costing $1,000-$2,000 is unbelievably expensive and generally way too much for what is needed.  As it stands, the Cisco Catalyst 2950 Switch is much more than they probably need.  The ASA 5510 base model is built to handle up to 25,000 concurrent sessions.

With TWO SBS-based networks, there cannot be more than 150 total clients, and I'd suspect that the number is far less than that.  

His primary problem is that with a "Cable Internet Connection" rather than DSL, I'm doubtful if he has multiple Internet IPs... so that's the first order of business.

Jeff
TechSoEasy

Expert Comment by CCIE8122 (LVL 4), ID: 20354654
Uhhh . . . 800 series routers are pretty much small business/SOHO devices, making this a very *non-Enterprise* solution.

Fact is, you already have a 2950 in place today.  If you were to follow TechSoEasy's design, you would have to go out and buy another SOHO router anyway, as well as an additional SOHO switch, adding multiple SOHO single points of failure into the network.

The simplest design here is, when you go buy that SOHO router, buy a Cisco 800, trunk it to the 2950, and if you only have 1 public IP address, pay the extra few bucks a month for a block of 8 more; then you can NAT both SBS environments.

But the 2950 is already a sunk cost, and for an 871, here are today's CDW prices:
CISCO871-K9 = $460
S870AISK9-12409T = $122
TOTAL = $582

Again, not exactly a $1000-2000 enterprise solution.  But it is a good solid small biz solution with the fewest number of single points of failure.  And when you split it up between two orgs, $300 per network is not really too much to choke on, IMO.   Especially since it only costs you a few hundred more than going and picking up another Linksys router (which it sounds like you are already not too keen on) and switch, if you were to do it per TechSoEasy's recommendation.

And that's if you buy from a retail outlet.  You may even be able to save more if you buy the hardware portion from an eBay store, which plenty of small businesses do these days.

kr