Solved

Vlan translation

Posted on 2009-04-14
Last Modified: 2012-05-06
I have an internet connection with a supplied VLAN of 500, and I have a switch with 2 VLANs (502, 503).
I want to perform translation so 502 and 503 have access to the internet. How do I perform this?
I have both VLANs trunked to the router on fe 0/1 and VLAN 500 (internet) coming in on f/e 0/0.
Question by:v46n
13 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24138951
The router simply needs to route between the subnets.  Does the router have a default route via your ISP's gateway out fa0/0?  Is the router configured to NAT traffic from VLAN 502/503?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24138973
The inside vlan interfaces allowed to nat need a 'nat inside' statement.

The outside interface needs a 'nat outside' statement.

If you have an ACL that explicitly defines what networks can NAT, you need to add the addresses in use by the VLANs.
0
 
LVL 2

Author Comment

by:v46n
ID: 24139153
The router has nothing defined right now.  The challenge is that this is an ISP environment where the VLANs need to receive an IP address from our public DHCP server on VLAN 500, and I want to make sure nothing is blocked to the clients.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24139176
Just define a scope on the DHCP server for the VLAN 502 and 503 subnets and add the "ip helper-address <public DHCP server ip address>" command to both VLAN502 and VLAN503 subinterfaces on the router.  Nothing is blocked by default on the router.
0
 
LVL 2

Author Comment

by:v46n
ID: 24139226
OK, so by defining the interface VLAN 502 and 503 as inside and VLAN 500 as outside, the VLANs will automatically be translated?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24139257
No, there is a little more to it than that.  You want to NAT the traffic?  Are the VLAN 502 and 503 subnets private, and you want to NAT them to a public IP/pool? Or are they public address space, but the clients need to grab the public IPs via DHCP?
0
 
LVL 2

Author Comment

by:v46n
ID: 24139373
We have wireless clients that connect to a tower supplied with an internet VLAN of 500. The tower has 2 base station radios, each on their own VLAN. Before, we had everyone on the same VLAN. We want to separate each base station and each tower so that the only common thing is they all go out on VLAN 500.
0
 
LVL 2

Author Comment

by:v46n
ID: 24139387
We have a public pool of IP addresses.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24139427
Okay, so I assume the wireless clients get a public IP via DHCP then, right?  So, you need to configure the two subinterfaces with a different public IP subnet and then use the "ip helper-address" command to forward DHCP requests to the DHCP server on VLAN 500.  If public IPs, no NAT is required on the router.
0
 
LVL 2

Author Comment

by:v46n
ID: 24139432
Really trying to prevent clients from talking to each other and to reduce unnecessary network talk.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24139493
Okay, so you need to also add an access-list on each subinterface to restrict traffic to only the Internet.

For example (502 is 1.1.1.0/24 and 503 is 2.2.2.0/24).

! Extended named ACL: a protocol keyword (here "ip") is required on each entry
ip access-list extended internet-only
 deny   ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
 deny   ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip any any

! Apply inbound on each VLAN subinterface of the trunk, so traffic from one
! VLAN toward the other is dropped while everything else (the Internet) passes
interface FastEthernet0/1.502
 ip access-group internet-only in

interface FastEthernet0/1.503
 ip access-group internet-only in
0
 
LVL 2

Author Comment

by:v46n
ID: 24139682
They will actually be on the same subnet since we only have one class C block of public IP addresses. We could actually even separate the DHCP pool to each tower and each router.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24139750
Well, you can either split the class C in half and put half the subnet on the vlan502 subinterface and the other half on the vlan503 subinterface, or you can use one subnet and bridge the two subinterfaces, but this really provides no separation between the two LANs, meaning both LANs can communicate fully.  You might as well be using one VLAN again...
0
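A complete router configuration for the approach the thread converges on (the public /24 split into two /25s on the 502 and 503 subinterfaces, DHCP relayed with "ip helper-address" to the server on VLAN 500, no NAT, and an ACL that only stops 502 and 503 reaching each other). This is an added example, not something posted in the thread. The addresses are documentation placeholders (203.0.113.0/24 as the public block, 198.51.100.0/30 as the VLAN 500 link, 198.51.100.10 as the DHCP server), and VLAN 500 is assumed to arrive tagged on fa0/0.

```ios
! --- Internet side: VLAN 500 tagged on fa0/0 (assumption) ---
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.500
 encapsulation dot1Q 500
 ip address 198.51.100.2 255.255.255.252
!
! --- Only inter-VLAN traffic is denied; everything else (Internet) passes.
!     The protocol keyword is mandatory in an extended named ACL. ---
ip access-list extended internet-only
 remark placeholder /25s: 203.0.113.0/25 = VLAN 502, 203.0.113.128/25 = VLAN 503
 deny   ip 203.0.113.0   0.0.0.127 203.0.113.128 0.0.0.127
 deny   ip 203.0.113.128 0.0.0.127 203.0.113.0   0.0.0.127
 permit ip any any
!
! --- Trunk toward the switch carrying VLANs 502 and 503 ---
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.502
 encapsulation dot1Q 502
 ip address 203.0.113.1 255.255.255.128
 ip helper-address 198.51.100.10
 ip access-group internet-only in
!
interface FastEthernet0/1.503
 encapsulation dot1Q 503
 ip address 203.0.113.129 255.255.255.128
 ip helper-address 198.51.100.10
 ip access-group internet-only in
!
! Default route toward the ISP gateway on the VLAN 500 link (placeholder)
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Checks: the deny counters should increment only for 502<->503 attempts
! show ip access-lists internet-only
! show ip interface FastEthernet0/1.502 | include access list
```

The relayed DHCP requests carry the subinterface address as the relay (giaddr) field, so the DHCP server needs a scope for each /25 with the matching subinterface address as the gateway; the ISP must also route the whole /24 to the fa0/0.500 address. The ACL isolates the two VLANs from each other only, so clients inside the same VLAN still reach one another at layer 2, which has to be handled on the switch or radios rather than on this router.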
