huffmana asked:
2 vlans and one internet connection

Cisco Network Question:  2 vlans and one Internet connection

I need to set up a guest network for access to the Internet-only.  The network configuration is:
-  COX Internet
-  RTR_FW: Meraki MX64
-  Core_Switch: WS-C2960X-48FPD_L:  LAN-base
-  Distribution_Switches: WS-C3560CG-8PC-S: IP-base

We presently have one external IPv4 address and use 192.168.168.0/24 internally for operations.

The 2960X is a layer 3 capable switch.

Is there a way to route another network VLAN, something like 172.16.168.0/24, to the Meraki RTR Internet connection?  The Meraki is presently port mapping the external address to the 192.168.168.0/24 network with the default router of 192.168.168.1.  I used a trunk to the Meraki RTR-FW from the 2960X and it works....

Or do I need to add a RTR and use two virtual interfaces?
Soulja:

I would change the connection between the Meraki and 2960 to a routed connection.  Put a /30 between them and change the port on the 2960 connected to the Meraki to a routed port.

I would then add the additional guest vlan and VLAN interface on the 2960. Add an ACL to the Guest VLAN interface restricting access to and from the operations vlan, but permitting to any for the purpose of internet access.

Then add a default route on the 2960 with a next hop pointing to the Meraki ip of the new /30 subnet. On the Meraki, add two static routes for the operations vlan and guest vlan with next hops to the 2960's ip of that new /30.
Andy Bartkiewicz:
I don't think so, I don't believe the 2960x has the ability to NAT. And the RTR_FW: Meraki MX64 is very limited.
huffmana (asker):
Soulja so it would look something like this?

192.168.168.0/30    192.168.168.0-192.168.168.3         4 hosts   192.168.168.1 ? Default Router  
192.168.168.0/24    192.168.168.0-192.168.168.255  256 hosts  192.168.168.1 ? Default Router  

meraki <-> RTR Gi0/1.30 192.168.168.0/30                                      VLAN30 ACL allow 192.168.168.0/30
                                                                              <-> SW 2960X_Trunk
             <-> RTR Gi0/1.24 192.168.168.0/24                                      VLAN24 ACL ????????????????????

These are overlapping networks and the router would not know how to route them?

Are routes in the RTR sequential?
outside coming in:
route 192.168.168.0/30 192.168.168.2 (SW VLAN10 ip addr 192.168.168.2/30)
route 192.168.168.0/24 192.168.168.4 (SW VLAN24 ip addr 192.168.168.2/24)

The switch will not let me do this?
ASKER CERTIFIED SOLUTION
Soulja:
(This solution is only available to members.)

huffmana (asker):
Soulja, brilliant :-)  This really looks like it will work.  So the Meraki will NAT both 192.168.168.1/24 and 192.168.170.0/24 to a single outside ip address?  192.168.1.2 is the 2960X side of the Meraki<->2960X interface?

I'll have to get a Meraki off of eBay and test this.  I can use cheap FastEthernet port stuff just for testing, that will keep the price down.

I'd have to use only static ip addresses because the Meraki is providing DHCP right now (pool 192.168.168.70-192.168.168.140).  I'll have to ask if this is OK.

If I were to stick in a router(s) like a Cisco 2600 for a DHCP server, where would I put it (them)?  As I remember, Cisco routers only provide 1 DHCP server.  So I'd need two routers?  Only the guests need DHCP and they are throttled at the Meraki to 100 Mbps anyway, so it can be a cheap router....
Soulja:
> Soulja, brilliant :-)  This really looks like it will work.  So the Meraki will NAT both 192.168.168.1/24 and 192.168.170.0/24 to a single outside ip address?  192.168.1.2 is the 2960X side of the Meraki<->2960X interface?

Yes, the Meraki should be able to NAT overload for both subnets without issue to one single public address.

> If I were to stick in a router(s) like a Cisco 2600 for a DHCP server, where would I put it (them)?  As I remember, Cisco routers only provide 1 DHCP server.  So I'd need two routers?  Only the guests need DHCP and they are throttled at the Meraki to 100 Mbps anyway, so it can be a cheap router....

I am pretty positive you can configure the 2960X to distribute DHCP addresses, so no need for a router.
huffmana (asker):
WOW, a switch that will run a DHCP server, I never thought of that.

You're the best, thank you for your help.  Allan
Soulja:
Yeah, don't quote me on that. It should be able to. If not, I know for sure you can configure DHCP relay on the VLAN interfaces and just forward DHCP to your Meraki or whatever is dishing out DHCP addresses.
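Soulja's design above (routed transit link, guest SVI with an ACL, default route to the Meraki, static routes back on the Meraki) plus the two DHCP options discussed afterward, written out as Cisco IOS configuration for the 2960X. This is an added example, not code from the thread or from Cisco/Meraki; it assumes VLAN 24 = operations, VLAN 30 = transit, VLAN 170 = guest, port Gi1/0/1 facing the Meraki, the transit /30 as 192.168.1.0/30 with the Meraki at .1 and the switch at .2 (the asker's figure), and it carries the transit link on an SVI in a dedicated VLAN rather than a routed physical port, which gives the same routed hop without depending on routed-port support in LAN Base.

```cisco
! Added example, not from the thread. Assumptions: VLAN 24 = operations,
! VLAN 30 = transit, VLAN 170 = guest, Gi1/0/1 faces the Meraki; the transit
! /30 is 192.168.1.0/30 with the Meraki at .1 and this switch at .2.
! LAN Base needs the routing SDM template (and a reload) before "ip routing".
sdm prefer lanbase-routing
ip routing
vlan 24
 name OPERATIONS
vlan 30
 name TRANSIT-TO-MERAKI
vlan 170
 name GUEST
! Guest policy: let DHCP through first (DISCOVER is sourced from 0.0.0.0 and
! would not match the guest-subnet permit), block operations and the transit
! link, allow everything else (Internet via the default route).
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
 deny   ip 192.168.170.0 0.0.0.255 192.168.1.0 0.0.0.3
 permit ip 192.168.170.0 0.0.0.255 any
interface GigabitEthernet1/0/1
 description Transit link to Meraki MX64 LAN port
 switchport mode access
 switchport access vlan 30
interface Vlan30
 description Transit /30 (Meraki side is 192.168.1.1)
 ip address 192.168.1.2 255.255.255.252
interface Vlan24
 description Operations; default gateway moves from the Meraki to this SVI
 ip address 192.168.168.1 255.255.255.0
interface Vlan170
 description Guest, Internet only
 ip address 192.168.170.1 255.255.255.0
 ip access-group GUEST-IN in
! Default route toward the Meraki. In the Meraki dashboard add static routes
! for 192.168.168.0/24 and 192.168.170.0/24 with next hop 192.168.1.2.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! Guest DHCP served by the switch itself (8.8.8.8 is a placeholder resolver).
ip dhcp excluded-address 192.168.170.1 192.168.170.9
ip dhcp pool GUEST
 network 192.168.170.0 255.255.255.0
 default-router 192.168.170.1
 dns-server 8.8.8.8
! Alternative if another server hands out guest addresses: relay instead of a
! local pool (remove the pool above and add this under interface Vlan170).
! interface Vlan170
!  ip helper-address <dhcp-server-ip>
```

The ACL is applied inbound on the guest SVI, so it only judges traffic leaving the guest VLAN; verify with `show ip access-lists GUEST-IN` that the deny counters increment when a guest host tries to reach 192.168.168.0/24.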
huffmana (asker):
Brilliant solution, Soulja is the best network guy around.