
2 vlans and one internet connection

huffmana
huffmana asked
on
166 Views
Last Modified: 2018-09-06
Cisco Network Question:  2 vlans and one Internet connection

I need to set up a guest network for access to the Internet-only.  The network configuration is:
-  COX Internet
-  RTR_FW: Meraki MX64
-  Core_Switch: WS-C2960X-48FPD_L:  LAN-base
-  Distribution_Switches: WS-C3560CG-8PC-S: IP-base

We presently have one external IPv4 address and use 192.168.168.0/24 internally for operations.

The 2960X is a layer 3 capable switch.

Is there a way to route another network VLAN, something like 172.16.168.0/24, to the Meraki RTR Internet connection.  The Meraki is presently port mapping the external address to the 192.168.168.0/24 network with the Default router of 192.168.168.1.  I used a trunk to the Meraki RTR-FW from the 2960X and it works....

Or do I need to add a RTR and use two virtual interfaces?
Soulja, Sr. Net. Eng.
CERTIFIED EXPERT
Top Expert 2011

Commented:
I would change the connection between the Meraki and 2960 to a routed connection.  Put a /30 between them and change the port on the 2960 connected to the Meraki to a routed port.

I would then add the additional guest VLAN and VLAN interface on the 2960. Add an ACL to the Guest VLAN interface restricting access to and from the operations VLAN, but permitting to any for the purpose of Internet access.

Then add a default route on the 2960 with a next hop pointing to the Meraki ip of the new /30 subnet. On the Meraki, add two static routes for the operations vlan and guest vlan with next hops to the 2960's ip of that new /30.
Andy Bartkiewicz, Network Analyst

Commented:
I don't think so, I don't believe the 2960X has the ability to NAT. And the RTR_FW: Meraki MX64 is very limited.
huffmana, System Admin and Network Engineer

Author

Commented:
Soulja so it would look something like this?

192.168.168.0/30    192.168.168.0-192.168.168.3         4 hosts   192.168.168.1 ? Default Router  
192.168.168.0/24    192.168.168.0-192.168.168.255  256 hosts  192.168.168.1 ? Default Router  

meraki <-> RTR Gi0/1.30 192.168.168.0/30                                      VLAN30 ACL allow 192.168.168.0/30
                                                                              <-> SW 2960X_Trunk
             <-> RTR Gi0/1.24 192.168.168.0/24                                      VLAN24 ACL ????????????????????

These are overlapping networks and the router would not know how to route them?

Are routes in the RTR sequential?
outside coming in:
route 192.168.168.0/30 192.168.168.2 (SW VLAN10 ip addr 192.168.168.2/30)
route 192.168.168.0/24 192.168.168.4 (SW VLAN24 ip addr 192.168.168.2/24)

The switch will not let me do this?
Soulja, Sr. Net. Eng.
CERTIFIED EXPERT
Top Expert 2011
Commented:
huffmana, System Admin and Network Engineer

Author

Commented:
Soulja, brilliant :-)  This really looks like it will work.  So the Meraki will NAT both 192.168.168.1/24 and 192.168.170.0/24 to a single outside ip address?  192.168.1.2 is the 2960X side of the Meraki<->2960X interface?

I'll have to get a Meraki off of ebay and test this.  I can use cheap FastEthernet port stuff just for testing, that will keep the price down.  

I'd have to use only static ip addresses because the Meraki is providing DHCP right now (pool 192.168.168.70-192.168.168.140).  I'll have to ask if this is OK.

If I were to stick in a router(s) like a Cisco 2600 for a DHCP server, where would I put it (them)?  As I remember, Cisco routers only provide 1 DHCP server.  So I'd need two routers?  Only the guests need DHCP and they are throttled at the Meraki to 100mps anyway, so it can be a cheap router....
Soulja, Sr. Net. Eng.
CERTIFIED EXPERT
Top Expert 2011

Commented:
Soulja, brilliant :-)  This really looks like it will work.  So the Meraki will NAT both 192.168.168.1/24 and 192.168.170.0/24 to a single outside ip address?  192.168.1.2 is the 2960X side of the Meraki<->2960X interface?


Yes, the Meraki should be able to NAT overload for both subnets without issue to one single public address.


If I were to stick in a router(s) like a Cisco 2600 for a DHCP server, where would I put it (them)?  As I remember, Cisco routers only provide 1 DHCP server.  So I'd need two routers?  Only the guests need DHCP and they are throttled at the Meraki to 100mps anyway, so it can be a cheap router....

I am pretty positive you can configure the 2960X to distribute DHCP addresses, so no need for a router.
huffmana, System Admin and Network Engineer

Author

Commented:
WOW, a switch that will run a DHCP server, I never thought of that.

You're the best, thank you for your help.  Allan
Soulja, Sr. Net. Eng.
CERTIFIED EXPERT
Top Expert 2011

Commented:
Yeah, don't quote me on that. It should be able to. If not, I know for sure you can configure DHCP relay on the VLAN interfaces and just forward DHCP to your Meraki or whatever is dishing out DHCP addresses.
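Soulja's design from the first answer (routed /30 to the Meraki, guest SVI with an ACL, default route) together with the DHCP suggestion just above, written out as an added 2960X IOS configuration that is not part of the thread. The transit addressing 192.168.1.0/30 (Meraki .1, switch .2), the guest subnet 192.168.170.0/24, the VLAN numbers and the public DNS resolvers are assumptions taken from or extrapolated beyond the thread, and router ACL and DHCP server support should be confirmed on the LAN Base image actually running before relying on the guest isolation.

```cisco
! Assumed addressing: transit 192.168.1.0/30 (Meraki .1, switch .2),
! guest subnet 192.168.170.0/24, guest DNS = public resolvers
ip routing
!
interface GigabitEthernet1/0/1
 description Routed uplink to Meraki MX64 (replaces the trunk)
 no switchport
 ip address 192.168.1.2 255.255.255.252
!
vlan 24
 name Operations
vlan 30
 name Guest
!
! The switch, not the Meraki, is now the operations default gateway
interface Vlan24
 ip address 192.168.168.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.170.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Guest clients may DHCP to the switch and reach the Internet via the
! Meraki, but not the operations VLAN or the transit /30. The implicit
! deny at the end also drops packets with spoofed source addresses.
ip access-list extended GUEST-IN
 remark DHCP discover/request from guest clients
 permit udp any eq bootpc any eq bootps
 remark block guest -> operations VLAN and guest -> transit link
 deny   ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
 deny   ip 192.168.170.0 0.0.0.255 192.168.1.0 0.0.0.3
 remark Internet only
 permit ip 192.168.170.0 0.0.0.255 any
!
! Default route to the Meraki; the Meraki needs static routes for
! 192.168.168.0/24 and 192.168.170.0/24 via 192.168.1.2 (dashboard, not shown)
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Guest DHCP served by the switch itself (Soulja's later suggestion)
ip dhcp excluded-address 192.168.170.1 192.168.170.9
ip dhcp pool GUEST
 network 192.168.170.0 255.255.255.0
 default-router 192.168.170.1
 dns-server 8.8.8.8 1.1.1.1
!
! Fallback if the switch cannot serve DHCP: relay to the Meraki instead
! interface Vlan30
!  ip helper-address 192.168.1.1
```

Since the Meraki is no longer on 192.168.168.0/24, its existing operations DHCP pool only keeps working if Vlan24 also gets an ip helper-address pointing at it; otherwise serve that pool from the switch as well.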

Author

Commented:
Brilliant solution, Soulja is the best network guy around.
