huffmana (United States) asked:

Cisco Network Question: 2 VLANs and one Internet connection

I need to set up a guest network for access to the Internet-only.  The network configuration is:
-  COX Internet
-  RTR_FW: Meraki MX64
-  Core_Switch: WS-C2960X-48FPD-L:  LAN Base
-  Distribution_Switches: WS-C3560CG-8PC-S:  IP Base

We presently have one external IPv4 address and use 192.168.168.0/24 internally for operations.

The 2960X is a layer 3 capable switch.

Is there a way to route another network VLAN, something like 172.16.168.0/24, to the Meraki RTR-FW Internet connection?  The Meraki is presently port mapping the external address to the 192.168.168.0/24 network with the default router of 192.168.168.1.  I used a trunk to the Meraki RTR-FW from the 2960X and it works....

Or do I need to add a RTR and use two virtual interfaces?
Tags: Cisco, Networking, TCP/IP

Last comment: huffmana, 8/22/2022 (Mon)

Soulja

I would change the connection between the Meraki and 2960 to a routed connection.  Put a /30 between them and change the port on the 2960 connected to the Meraki to a routed port.

I would then add the additional guest VLAN and VLAN interface on the 2960. Add an ACL to the guest VLAN interface restricting access to and from the operations VLAN, but permitting to any for the purpose of Internet access.

Then add a default route on the 2960 with a next hop pointing to the Meraki IP of the new /30 subnet. On the Meraki, add two static routes for the operations VLAN and guest VLAN with next hops to the 2960's IP of that new /30.
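The 2960-X side of the design Soulja describes, written out as an added worked example in IOS syntax (this is not Soulja's configuration and not from the accepted answer, which is not visible on this page). The guest subnet 192.168.170.0/24 and the switch-side transit address 192.168.1.2 are the values the asker mentions later in the thread; the transit VLAN number (30), the VLAN numbers for operations (168) and guest (170), the uplink port (Gi1/0/48), the Meraki transit address 192.168.1.1 and the ACL name GUEST-IN are assumptions. LAN Base does its IPv4 routing on SVIs after `sdm prefer lanbase-routing` and a reload, so the /30 is put on a transit-VLAN SVI with the uplink as an access port in that VLAN; if your image accepts `no switchport` on the uplink, a routed port with the same address is the equivalent of what Soulja suggests.

```cisco
! Added example, not from the thread. Assumed values:
!   transit VLAN 30   = 192.168.1.0/30   (Meraki .1, switch .2)
!   operations VLAN 168 = 192.168.168.0/24 (gateway .1 moves from the Meraki to this switch)
!   guest VLAN 170    = 192.168.170.0/24 (gateway .1)
!   uplink to the Meraki LAN port = GigabitEthernet1/0/48
!
! LAN Base needs the routing SDM template; "write memory" and reload after this line.
sdm prefer lanbase-routing
!
ip routing
!
vlan 30
 name TRANSIT-MX
vlan 168
 name OPERATIONS
vlan 170
 name GUEST
!
! Uplink to the Meraki: access port in the transit VLAN, no longer a trunk.
interface GigabitEthernet1/0/48
 description Uplink to Meraki MX64 LAN port
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Downlinks to the 3560CG distribution switches only need to carry the user VLANs.
interface range GigabitEthernet1/0/45 - 46
 description Trunks to distribution
 switchport mode trunk
 switchport trunk allowed vlan 168,170
!
! Guest policy, applied inbound on the guest SVI. Order matters: the DHCP
! broadcast is permitted before the denies, the denies come before "permit any".
ip access-list extended GUEST-IN
 remark Guests may reach their gateway for DHCP and ping
 permit udp any eq bootpc any eq bootps
 permit icmp 192.168.170.0 0.0.0.255 host 192.168.170.1
 remark Keep guests off the operations LAN, the transit link and the Meraki itself
 deny   ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
 deny   ip 192.168.170.0 0.0.0.255 192.168.1.0 0.0.0.3
 remark Anything else is the Internet via the default route
 permit ip 192.168.170.0 0.0.0.255 any
 deny   ip any any
!
interface Vlan30
 description Transit /30 to Meraki
 ip address 192.168.1.2 255.255.255.252
!
interface Vlan168
 description Operations
 ip address 192.168.168.1 255.255.255.0
!
interface Vlan170
 description Guest, Internet only
 ip address 192.168.170.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Everything not local goes to the Meraki.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

On the MX side (Security & SD-WAN > Configure > Addressing & VLANs) the LAN address becomes 192.168.1.1/30 and two static routes, 192.168.168.0/24 and 192.168.170.0/24, point at 192.168.1.2; the MX NATs traffic from static-routed subnets to its WAN address the same way it does for directly attached ones, and the port forward already configured for the external address keeps working. The ACL is stateless, so it also breaks connections that operations hosts open towards guests (the replies are dropped), which is usually what you want for a guest network. Check with `show ip route`, `show ip interface brief` and, after a guest has tried to reach 192.168.168.x, `show access-lists GUEST-IN`, whose per-line hit counters show which rule actually matched.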
Andy Bartkiewicz

I don't think so, I don't believe the 2960X has the ability to NAT. And the RTR_FW: Meraki MX64 is very limited.
huffmana

ASKER
Soulja, so it would look something like this?

192.168.168.0/30   192.168.168.0-192.168.168.3     4 hosts    192.168.168.1 ? Default Router
192.168.168.0/24   192.168.168.0-192.168.168.255   256 hosts  192.168.168.1 ? Default Router

meraki <-> RTR Gi0/1.30 192.168.168.0/30   VLAN30 ACL allow 192.168.168.0/30
                                           <-> SW 2960X_Trunk
       <-> RTR Gi0/1.24 192.168.168.0/24   VLAN24 ACL ????????????????????

These are overlapping networks, and the router would not know how to route them?

Are routes in the RTR sequential?
Outside coming in:
route 192.168.168.0/30 192.168.168.2 (SW VLAN10 IP addr 192.168.168.2/30)
route 192.168.168.0/24 192.168.168.4 (SW VLAN24 IP addr 192.168.168.2/24)

The switch will not let me do this?
ASKER CERTIFIED SOLUTION
Soulja

huffmana

ASKER
Soulja, brilliant :-)  This really looks like it will work.  So the Meraki will NAT both 192.168.168.1/24 and 192.168.170.0/24 to a single outside IP address?  192.168.1.2 is the 2960X side of the Meraki<->2960X interface?

I'll have to get a Meraki off of eBay and test this.  I can use cheap FastEthernet port stuff just for testing, that will keep the price down.

I'd have to use only static IP addresses because the Meraki is providing DHCP right now (pool 192.168.168.70-192.168.168.140).  I'll have to ask if this is OK.

If I were to stick in a router(s) like a Cisco 2600 for a DHCP server, where would I put it (them)?  As I remember, Cisco routers only provide 1 DHCP server.  So I'd need two routers?  Only the guests need DHCP and they are throttled at the Meraki to 100 Mbps anyway, so it can be a cheap router....
Soulja

> Soulja, brilliant :-)  This really looks like it will work.  So the Meraki will NAT both 192.168.168.1/24 and 192.168.170.0/24 to a single outside IP address?  192.168.1.2 is the 2960X side of the Meraki<->2960X interface?

Yes, the Meraki should be able to NAT overload for both subnets without issue to one single public address.

> If I were to stick in a router(s) like a Cisco 2600 for a DHCP server, where would I put it (them)?  As I remember, Cisco routers only provide 1 DHCP server.  So I'd need two routers?  Only the guests need DHCP and they are throttled at the Meraki to 100 Mbps anyway, so it can be a cheap router....

I am pretty positive you can configure the 2960X to distribute DHCP addresses, so no need for a router.
huffmana

ASKER
WOW, a switch that will run a DHCP server, I never thought of that.

You're the best, thank you for your help.  Allan
Soulja

Yeah, don't quote me on that. It should be able to. If not, I know for sure you can configure DHCP relay on the VLAN interfaces and just forward DHCP to your Meraki or whatever is dishing out DHCP addresses.
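Both options Soulja mentions, as an added example that is not part of the thread: the IOS DHCP server (`ip dhcp pool`) on the 2960-X itself, with one pool per VLAN, which also answers the asker's "one DHCP server per router" concern, and DHCP relay (`ip helper-address`) on the guest SVI as the fallback. The addressing matches the earlier design (operations 192.168.168.0/24 and guest 192.168.170.0/24, each with the switch SVI at .1); the internal DNS server 192.168.168.10, the relay target, the resolver addresses and the lease times are assumptions. The operations pool reproduces the .70-.140 range the asker says the Meraki currently hands out, since the MX can no longer serve that subnet once its LAN side is the /30.

```cisco
! Added example, not from the thread. Assumed values: internal DNS / DHCP server at
! 192.168.168.10, public resolvers 9.9.9.9 and 1.1.1.1 as placeholders.
!
! Pool 1: operations, same range the Meraki served (.70-.140), everything else excluded.
ip dhcp excluded-address 192.168.168.1 192.168.168.69
ip dhcp excluded-address 192.168.168.141 192.168.168.254
ip dhcp pool OPERATIONS
 network 192.168.168.0 255.255.255.0
 default-router 192.168.168.1
 dns-server 192.168.168.10
 lease 1
!
! Pool 2: guests. Public resolvers on purpose: the GUEST-IN ACL on the guest SVI
! denies everything in 192.168.168.0/24, so an internal DNS server would be unreachable
! and guests would appear to have "no Internet" even though routing and NAT work.
ip dhcp excluded-address 192.168.170.1 192.168.170.9
ip dhcp pool GUEST
 network 192.168.170.0 255.255.255.0
 default-router 192.168.170.1
 dns-server 9.9.9.9 1.1.1.1
 lease 0 4
!
! Fallback for the guest VLAN: relay to an existing server that has a
! 192.168.170.0/24 scope instead of running the GUEST pool above (use one or the
! other). The relayed request is sent by the switch from the Vlan170 address, so
! the server needs a route back to 192.168.170.1 (it has one, via the 2960-X SVI on
! its own VLAN); the client's original broadcast is already permitted by GUEST-IN.
! interface Vlan170
!  ip helper-address 192.168.168.10
```

`show ip dhcp pool` confirms the image accepted the server configuration, and `show ip dhcp binding` lists the leases handed out; if the guest pool fills up, shorten `lease` before widening the range, since a guest VLAN turns over clients quickly.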
huffmana

ASKER
Brilliant solution, Soulja is the best network guy around.