Cisco router configuration

I have 10 Cisco 3524 switches that I've configured with various VLANs (VLAN 10, 20, 30 and so forth). Unfortunately, they're L2 switches and cannot route traffic amongst VLANs. The idea was to connect them to the TZ210 router from Sonicwall, but the TZ series does not have the feature to create sub-interfaces for VLAN routing (only the NSA series do--which are too expensive).

So, the solution was to have a Cisco 2650 router in the middle to support the multiple VLANs only, and have the TZ 210 take care of all other routing, intrusion detection, VPN, etc. features.
Here's the topology: Internet-----TZ 210 Router-----Cisco Router (2651)----Cisco switches (3524's). Subnet is a /24.

Question 1: Since I only need to configure the Cisco 2651 to support multiple VLANs---what all do I need to configure to make it functional? Do I even need NAT, ip route--inside, outside as I would if it was to perform as a sole router?
I was thinking of making FE0/0 connect to the TZ 210 with the IP from the LAN (same subnet---ex. FE0/0 ip--  and the tz210's IP: and FE0/1 ( connect to the switch (, not enable NAT and just have sub interfaces on FE0/1 for each Vlan. Am I on the right track?    
I think the easier question is, what steps (outline) are needed to connect the above topology on the Cisco 2651 and the TZ 210 to the switches while supporting the VLANs?
Your help is much appreciated!
I have a client with a similar configuration only our layer 3 switch is a 3Com not a Cisco.  The 3Com has a gateway for Internet traffic of which is the LAN interface IP address.  The 3Com has on that subnet.  To the VLAN networks, they know the 3Com as  It looks like this:

SW LAN> 3Com Layer3 Switch>switches

We were using the NSA (we had a Pro previously) as the router, but moved this function to the 3Com layer 3 switch to get that extra stress off the SW.
"I was thinking of making FE0/0 connect to the TZ 210 with the IP from the LAN (same subnet---ex. FE0/0 ip--  and the tz210's IP: and FE0/1 ( connect to the switch (, not enable NAT and just have sub interfaces on FE0/1 for each Vlan. Am I on the right track?"

This is exactly how I would do it, but I would like to clarify a few things.

Firstly, just in case you did not know, when creating sub interfaces you should not give the physical interface an IP address, e.g. do not give fe0/1 an IP, give an IP to fe0/1.1, fe0/1.2, etc.

Judging by this comment:
"FE0/1 ( connect to the switch ("

I assume the 10.1.10.x network is your management network? If so, you should give the IP address to fe0/1.1

Also, once you have the inter-VLAN routing working (that is what they call the process of using a router to allow PCs in different VLANs to talk to one another), you should include a static route that points all of your non-local traffic to the tz210. As you have suggested, the tz210 will be plugged in to fa0/0, so you can enter the static route in one of two ways:

ip route


ip route fa0/0

I personally prefer to use the first example.

Also, to answer your question, no you will not need to perform any NATing on the Cisco.

Good luck, and let us know how you go.
Keep in mind that an L3 switch always provides better performance than performing inter-VLAN routing on the router!
Q1. Yeah, let the TZ210 take care of your firewall protection and routing to and fro internet. Let the TZ210 take care of NATting too.
       You need a default route on the cisco router pointing to the TZ210.
      ip route

As you suggested, configure the router interface facing the switch as a trunk, e.g.
interface FastEthernet0/1
 no ip address
 no shutdown
! this is for vlan10
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address
! this is for vlan20
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address
! this is for vlan30
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address

Hope I have been able to answer your query.
seven45 (Author) commented:
Sorry for the delay,  I'll be trying some of the above suggestions on Wednesday and will post back if I run into any problems.
I did get to briefly try creating the sub interfaces----I was able to create them successfully with the to FE0/1.1 on the Cisco router 2650. However, when I tried assigning an ip ( to FE0/0 (the one that will connect to the TZ210), I was unable to because it's on the same subnet. Do I need to put the FE0/0 of the router and the TZ210 on a different subnet to make it work, or am I missing something else?
Thanks in advance for your replies-----(they've helped me tremendously so far).  

Apparently you can't assign 2 interfaces of a router to the same subnet; that is why it's called a router; it routes packets between its interfaces, which should be in different subnets. So the interface facing the TZ210 should be on a different subnet with f0/0 but on the same subnet as the interface on the TZ210.
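
An added sketch, not part of any post in this thread: a Python check of an addressing plan for the subnet overlap that IOS rejects, which then renders the sub-interface and default-route configuration discussed above. Every address, including the TZ 210 next hop, is a constructed placeholder, since the thread's real addresses are not shown.

```python
import ipaddress

# Constructed plan: (interface, 802.1Q VLAN id or None if untagged, address/prefix)
PLAN = [
    ("FastEthernet0/0", None, "192.168.100.2/24"),  # uplink to the TZ 210
    ("FastEthernet0/1.10", 10, "10.1.10.1/24"),
    ("FastEthernet0/1.20", 20, "10.1.20.1/24"),
    ("FastEthernet0/1.30", 30, "10.1.30.1/24"),
]
NEXT_HOP = "192.168.100.1"  # constructed TZ 210 LAN address


def find_overlaps(plan):
    """Return pairs of interfaces whose subnets overlap (IOS refuses these)."""
    nets = [(name, ipaddress.ip_interface(addr).network) for name, _, addr in plan]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def render_ios(plan, next_hop):
    """Render the router-on-a-stick configuration, or raise on a bad plan."""
    overlaps = find_overlaps(plan)
    if overlaps:
        raise ValueError(f"overlapping subnets: {overlaps}")
    hop = ipaddress.ip_address(next_hop)
    if not any(hop in ipaddress.ip_interface(a).network
               for _, vlan, a in plan if vlan is None):
        raise ValueError("next hop is not on a directly connected routed port")
    lines = []
    # The physical interface that carries the trunk gets no IP address itself.
    for parent in sorted({n.split(".")[0] for n, vlan, _ in plan if vlan is not None}):
        lines += [f"interface {parent}", " no ip address", " no shutdown", "!"]
    for name, vlan, addr in plan:
        iface = ipaddress.ip_interface(addr)
        lines.append(f"interface {name}")
        if vlan is not None:
            lines.append(f" encapsulation dot1Q {vlan}")
        lines.append(f" ip address {iface.ip} {iface.netmask}")
        if vlan is None:
            lines.append(" no shutdown")
        lines.append("!")
    lines.append(f"ip route 0.0.0.0 0.0.0.0 {next_hop}")  # default route to TZ 210
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ios(PLAN, NEXT_HOP))
```

Traffic routed between VLANs on the 2651 never passes through the TZ 210, so any filtering between VLANs has to be applied as ACLs on the sub-interfaces. The TZ 210 also needs static routes for each VLAN subnet pointing back at the router's FE0/0 address.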
Thanks for the points and glad we could help!