Network setup layer 3 routing, vlans with Cisco 1841 and SG300-20

I am redesigning my home network and have put together a proposal of what I would like to accomplish.  This is a bit of a loaded question but I will try to explain as best I can.  If I need to split up the question, let me know as I am still a novice with Cisco equipment.

I have a Cisco 1841 router running IOS 12.4(15)T17 AdvEnterprise.  The router has two expansion modules - HWIC-AP-AG-A (WIFI) and HWIC-4ESW (4-port ethernet card).  I also have a Cisco SG300-20 switch with latest firmware 1.4.1.03.  I have console and GUI access to both the 1841 and SG300 up and running via Putty, Web, and Cisco Configuration Professional.

I bought the router and modules used so I don't have SmartNet.  Also, I am aware that the 1841 has a max speed of 38 Mbps at 64 byte packets.  My Internet speed is only 20 Mbps.  I will not be doing VPN in this setup.

My goal is to:
have the router run firewall and NAT from Internet.
Router network is 10.0.0.0/29 for 6 hosts - router, UTM, and SG300-switch
Create a VLAN10 for WIFI traffic 10.0.1.0/28 and serve DHCP to those clients
Create a VLAN20 for game traffic 10.0.2.0/29 and serve DHCP to those clients
Create a VLAN30 for lab network 10.0.3.0/26 - 62 hosts for virtual servers and workstations
Set up an Untangle box in bridge mode to act as UTM for traffic passing from router to SG300 switch

============================

What I need help with is:
The SG300 is in layer 3 mode and I would like it to route VLAN30 10.0.3.0 traffic to 10.0.0.0 network and then to Internet.
Create the WIFI VLAN10 network 10.0.1.0 on the router and route it to 10.0.0.0 and then to Internet.
Create the Game VLAN20 network 10.0.2.0 on the router and route it to 10.0.0.0 and then to Internet
Configure router to serve DHCP for 10.0.1.0 and 10.0.2.0
Configure the VLANs so they do not communicate with each other, I don't want the WIFI or Game network to see the Lab network

I have attached a Visio diagram to illustrate what I would like to do.  I'm hoping this is an ideal course of action and that I am not bat **** crazy.
Visio-Concept2.pdf
bigeven2002 asked:

JustInCase commented:
I guess that this will have to be done in pieces. :)
Configure router to serve DHCP for 10.0.1.0 and 10.0.2.0
First, you need to exclude the router (or any static IP address range) from the DHCP pool:
en
conf t
ip dhcp excluded-address 10.0.1.1 10.0.1.100
ip dhcp excluded-address 10.0.1.240 10.0.1.254

In this case the DHCP pool is
10.0.1.101 - 10.0.1.239

Then you need to create the pool itself:
ip dhcp pool X
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.x   <---- actual IP address of the default gateway for that subnet
 dns-server 8.8.8.8        <---- Google DNS

The same pattern of configuration applies to the 10.0.2.0/24 network; just change 10.0.1.0 to 10.0.2.0.
JustInCase commented:
Create the WIFI VLAN10 network 10.0.1.0 on the router and route it to 10.0.0.0 and then to Internet.
Create the Game VLAN20 network 10.0.2.0 on the router and route it to 10.0.0.0 and then to Internet
If I remember correctly, VLANs should be created the old-school way from privileged mode:
en
#vlan database
(vlan)#vlan 2
VLAN 2 added:
    Name: VLAN0002
(vlan)#apply
APPLY completed.
(vlan)#vlan 3
VLAN 3 added:
    Name: VLAN0003
(vlan)#exit
APPLY completed.
#conf t
(config)#interface vlan 2
(config-if)#ip address 10.0.1.1 255.255.255.0   <--- default gateway for DHCP server :)
(config-if)#interface vlan 3
(config-if)#ip address 10.0.2.1 255.255.255.0

You can create as many VLANs as you want the same way (for the SG300 network).
bigeven2002 (author) commented:
Thanks for the responses.  I will review these tonight and report back as soon as possible.
JustInCase commented:
Now...
If you use separate interfaces on the LAN module (HWIC-4ESW) for each network, inter-network traffic is on by default. To eliminate inter-network traffic you need to apply ACLs to the interfaces.
And also, to enable NAT you need to mark interfaces as inside (VLAN interfaces or LAN module interfaces) or outside (link to ISP):

interface vlan 2
ip nat inside
ip access-group 100 in

ACL example - deny traffic from any IP address in the 10.0.1.0/24 range to any 10.0.0.0/8 address (any 10.0.0.0 subnet), then permit traffic to any other destination:
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any

The same pattern can be used for other VLAN filtering.

You also need to create NAT rules (the command is "ip nat inside source"; the WAN link must be marked as the outside interface):
interface FaX/X
 ip nat outside
!
ip nat inside source list 1 interface FaX/X overload

access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
! the same way, enable NAT for any other network that needs access to the Internet

You need a default route:
ip route 0.0.0.0 0.0.0.0 x.x.x.x <--- x.x.x.x is the ISP address (you can find it using traceroute ..)
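As an added check that is not part of this thread, the following Python (constructed here, not from the answer) evaluates the posted ACL 100 with IOS wildcard-mask semantics against sample flows from a WiFi client, and also tries an assumed variant that first permits traffic to the VLAN's own gateway. It shows that the 10/8 deny also catches the router subnet, the UTM and the gateway 10.0.1.1, while DHCP broadcasts and Internet destinations pass.

```python
import ipaddress

# ACL 100 exactly as posted in the answer above (IOS wildcard-mask syntax):
#   access-list 100 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.255.255.255
#   access-list 100 permit ip any any
# Entries are (action, src, src_wildcard, dst, dst_wildcard); "any" = 0.0.0.0 255.255.255.255
ANY = ("0.0.0.0", "255.255.255.255")
ACL_100 = [
    ("deny", "10.0.1.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    ("permit", *ANY, *ANY),
]

# Assumed variant (not from the answer): let WiFi clients still reach their own
# gateway 10.0.1.1 (ping, unicast DHCP renew) while keeping the 10/8 block.
ACL_100_GW_OK = [
    ("permit", "10.0.1.0", "0.0.0.255", "10.0.1.1", "0.0.0.0"),  # "host 10.0.1.1"
] + ACL_100


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_verdict(acl, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


# Constructed sample flows from a WiFi client in VLAN 10 as laid out in the thread.
WIFI_CLIENT = "10.0.1.105"
SAMPLE_FLOWS = {
    "lab server 10.0.3.10": "10.0.3.10",
    "UTM 10.0.0.2 on router subnet": "10.0.0.2",
    "own gateway 10.0.1.1": "10.0.1.1",
    "DHCP discover broadcast": "255.255.255.255",
    "Google DNS": "8.8.8.8",
}


def isolation_report(acl, src=WIFI_CLIENT, flows=SAMPLE_FLOWS):
    """Map each named destination to the verdict the ACL gives the flow."""
    return {name: acl_verdict(acl, src, dst) for name, dst in flows.items()}


if __name__ == "__main__":
    for name, verdict in isolation_report(ACL_100).items():
        print(f"{verdict:6} {WIFI_CLIENT} -> {name}")
```

Note the gateway verdict: an inbound ACL is checked before routing, so unicast traffic from a client to 10.0.1.1 (ping, DHCP renew) is denied by the posted rule; clients then fall back to broadcast rebinding, which the rule permits.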
JustInCase commented:
If you use the SG300 only for one VLAN (10.0.3.0/24) you don't need to use it in L3 mode. You need to use L3 only if there will be more than just one VLAN on it, but then parts of the current configuration need to be changed.
And also, the easiest way to configure the firewall on the router is by using Cisco Configuration Professional.
bigeven2002 (author) commented:
Great, thanks.  So for my review tonight, do I need to change the SG300 back to L2 or can I leave it as L3?  In your proposed setup, will I need to set the switch's IP to be 10.0.3.x as opposed to 10.0.0.x?

On the default route, I was planning to have the WAN interface fa0/0 get the IP from the ISP via DHCP, so do I still have to get their IP via traceroute?

From the setup above, I was going to have fa0/1 connect to the SG300 switch.  (There will be a bridged UTM between fa0/1 and port 1 of the switch, and so that UTM will have a 10.0.0.x address.)  Is that still correct with the ACL statements above?
JustInCase commented:
So for my review tonight, do I need to change the sg300 back to L2 or can I leave it as L3?
If all ports are in VLAN 1 as access ports, there is no need to switch back to L2.
On the default route, I was planning to have the wan interface fa0/0 get the ip from isp via dhcp so do I still have to get their ip via trace route.
You can set the default route to an interface, but an IP address is preferred. If you set the default route as "ip route 0.0.0.0 0.0.0.0 fa0/0", the router will complain "%Default route without gateway, if not a point-to-point interface, may impact performance" :)
Is that still correct with the acl statements above?
Yes it is.
interface fa0/1
 ip access-group x in
bigeven2002 (author) commented:
Alright, I think I got most if not all of the above implemented in my configuration.  I have attached my running config of what I have so far.

I still have a legacy IP listed as my home network is still a 192.168.x.x form currently and it will change to 10.0.x.x.

One other thing I wasn't sure about, I configured VLAN30 on the router for the lab network which is the servers and workstations connected to the SG300 switch.  Since the switch will be plugged into FA0/1 on the router, do I somehow need to configure FA0/1 to VLAN30 or will the router already know how to do that?

VLAN30 is the 10.0.3.x network, so if the SG300 switch will have IP 10.0.3.2, will it still route through VLAN30 to the Internet if plugged into FA0/1?
RunningConfig.txt
bigeven2002 (author) commented:
I also forgot, on the IP route line above, you mentioned this format:
ip route 0.0.0.0 0.0.0.0 x.x.x.x

So after the en and conf t commands, is that when I enter ip route, or am I supposed to specify an interface first?  If the ISP IP address was 1.2.3.4, is this the correct syntax?

ip route 0.0.0.0 0.0.0.0 1.2.3.4

JustInCase commented:
So after en and conf t commands, is that when I enter ip route
Yes.
One other thing I wasn't sure about, I configured VLAN30 on the router for the lab network which is the servers and workstations connected to the SG300 switch.  Since the switch will be plugged into FA0/1 on the router, do I somehow need to configure FA0/1 to VLAN30 or will the router already know how to do that?
You can't do that; the router will not allow the same IP range on two interfaces. So, you need to either use interface fa0/1 or use interface VLAN 30 for that VLAN (those are two different networks). The router is breaking broadcast domains.
VLAN30 is the 10.0.3.x network so if the sg300 switch will have IP 10.0.3.2, will it still route through VLAN30 to the Internet if plugged into FA0/1?
The same as above: you should not be able to set the same IP range of addresses on two interfaces of the same switch. So, you can't do that. :)

bigeven2002 (author) commented:
Ok I think I understand.  Thank you very much for your help!