Cisco Network Question:  2 vlans and one Internet connection

I need to set up a guest network for access to the Internet only. The network configuration is:
-  COX Internet
-  RTR_FW: Meraki MX64
-  Core_Switch: WS-C2960X-48FPD-L: LAN Base
-  Distribution_Switches: WS-C3560CG-8PC-S: IP Base

We presently have one external IPv4 address and use 192.168.168.0/24 internally for operations.

The 2960X is a layer 3 capable switch.

Is there a way to route another network VLAN, something like 172.16.168.0/24, to the Meraki RTR Internet connection? The Meraki is presently port mapping the external address to the 192.168.168.0/24 network with the default router of 192.168.168.1. I used a trunk to the Meraki RTR-FW from the 2960X and it works....

Or do I need to add a RTR and use two virtual interfaces?
huffmana (System Admin and Network Engineer) asked:

Soulja (53 6F 75 6C 6A 61) commented:
I would change the connection between the Meraki and 2960 to a routed connection. Put a /30 between them and change the port on the 2960 connected to the Meraki to a routed port.

I would then add the additional guest VLAN and VLAN interface on the 2960. Add an ACL to the guest VLAN interface restricting access to and from the operations VLAN, but permitting to any for the purpose of Internet access.

Then add a default route on the 2960 with a next hop pointing to the Meraki IP of the new /30 subnet. On the Meraki, add two static routes for the operations VLAN and guest VLAN with next hops to the 2960's IP on that new /30.
0
Andy Bartkiewicz (Network Analyst) commented:
I don't think so. I don't believe the 2960X has the ability to NAT, and the RTR_FW Meraki MX64 is very limited.
0
huffmana (System Admin and Network Engineer, author) commented:
Soulja, so it would look something like this?

192.168.168.0/30    192.168.168.0-192.168.168.3      4 hosts    192.168.168.1 ? Default Router
192.168.168.0/24    192.168.168.0-192.168.168.255  256 hosts    192.168.168.1 ? Default Router

Meraki <-> RTR Gi0/1.30 192.168.168.0/30   <-> SW 2960X_Trunk   VLAN30 ACL allow 192.168.168.0/30
       <-> RTR Gi0/1.24 192.168.168.0/24                        VLAN24 ACL ????????????????????

These are overlapping networks and the router would not know how to route them?

Are routes in the RTR sequential?
Outside coming in:
route 192.168.168.0/30 192.168.168.2 (SW VLAN10 ip addr 192.168.168.2/30)
route 192.168.168.0/24 192.168.168.4 (SW VLAN24 ip addr 192.168.168.2/24)

The switch will not let me do this?
0
Soulja (53 6F 75 6C 6A 61) commented:
Your /30 will need to be an entire separate subnet, not part of the /24. For example 192.168.1.0/30, but it looks like the 2960X doesn't support routed ports. So what you can do instead is this:

Create a new VLAN interface for the /30 between the Meraki and 2960. For example, interface vlan 99. Then change the port connecting to the Meraki to an access port on VLAN 99.

On the Meraki, get rid of the subinterfaces. Just use the main interface addressed on the /30.


Meraki Gi0/1 192.168.1.1/30 --->> 2960X access port on VLAN 99 (create VLAN interface for vlan99: 192.168.1.2/30)
                                      ----->> Ops VLAN interface 192.168.168.1/24
                                      ---->>> Guest VLAN interface 192.168.170.0/24

On 2960X:    ip route 0.0.0.0 0.0.0.0 192.168.1.1

On Meraki:   ip route 192.168.168.0 255.255.255.0 192.168.1.2
             ip route 192.168.170.0 255.255.255.0 192.168.1.2

The addressing is just examples to give you an idea of what I am talking about.
0
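An added example of the 2960X side of the design Soulja describes above (my own illustration, not configuration from the thread or from Cisco's documentation). It assumes the LAN Base image with the lanbase-routing SDM template so that SVIs, static routes and router ACLs are available, reuses the addresses from the post, and treats VLAN 30 as the guest VLAN and Gi1/0/1 as the port facing the Meraki; the Meraki's two matching static routes are set in its dashboard rather than by CLI.

```cisco
! 2960X (LAN Base): transit /30 to the Meraki, ops VLAN, guest VLAN with ACL.
! Addresses follow Soulja's post; VLAN 30 and Gi1/0/1 are assumptions for illustration.
sdm prefer lanbase-routing
! (a reload is required after changing the SDM template)
ip routing
!
vlan 99
 name TRANSIT-MERAKI
vlan 24
 name OPERATIONS
vlan 30
 name GUEST
!
! Point-to-point /30; the Meraki LAN interface is 192.168.1.1
interface Vlan99
 ip address 192.168.1.2 255.255.255.252
!
interface Vlan24
 ip address 192.168.168.1 255.255.255.0
!
! GUEST-IN filters what guest hosts send; GUEST-OUT filters what reaches them
interface Vlan30
 ip address 192.168.170.1 255.255.255.0
 ip access-group GUEST-IN in
 ip access-group GUEST-OUT out
!
! Port to the Meraki becomes an access port in the transit VLAN (no trunk, no subinterfaces)
interface GigabitEthernet1/0/1
 description Meraki MX64 LAN
 switchport mode access
 switchport access vlan 99
!
! Guests: DHCP allowed, nothing into the ops VLAN or the transit /30, everything else (Internet) permitted
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
 deny   ip 192.168.170.0 0.0.0.255 192.168.1.0 0.0.0.3
 permit ip 192.168.170.0 0.0.0.255 any
 deny   ip any any
!
! ACLs are stateless: also stop ops hosts from reaching guests (the inbound list alone does not)
ip access-list extended GUEST-OUT
 deny   ip 192.168.168.0 0.0.0.255 192.168.170.0 0.0.0.255
 permit ip any any
!
! Everything not local goes to the Meraki, which NATs both subnets to the single public address
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Verify with `show ip route` (the default route via 192.168.1.1 and both connected subnets) and `show ip access-lists` after a guest host tries to reach an ops address; the deny counters should increment while Internet-bound traffic passes.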
huffmana (System Admin and Network Engineer, author) commented:
Soulja, brilliant :-) This really looks like it will work. So the Meraki will NAT both 192.168.168.1/24 and 192.168.170.0/24 to a single outside IP address? 192.168.1.2 is the 2960X side of the Meraki<->2960X interface?

I'll have to get a Meraki off of eBay and test this. I can use cheap FastEthernet port stuff just for testing; that will keep the price down.

I'd have to use only static IP addresses because the Meraki is providing DHCP right now (pool 192.168.168.70-192.168.168.140). I'll have to ask if this is OK.

If I were to stick in a router (or routers) like a Cisco 2600 for a DHCP server, where would I put it (them)? As I remember, Cisco routers only provide 1 DHCP server, so I'd need two routers? Only the guests need DHCP and they are throttled at the Meraki to 100 Mbps anyway, so it can be a cheap router....
0
Soulja (53 6F 75 6C 6A 61) commented:
> Soulja, brilliant :-) This really looks like it will work. So the Meraki will NAT both 192.168.168.1/24 and 192.168.170.0/24 to a single outside IP address? 192.168.1.2 is the 2960X side of the Meraki<->2960X interface?

Yes, the Meraki should be able to NAT overload for both subnets without issue to one single public address.

> If I were to stick in a router (or routers) like a Cisco 2600 for a DHCP server, where would I put it (them)? As I remember, Cisco routers only provide 1 DHCP server, so I'd need two routers? Only the guests need DHCP and they are throttled at the Meraki to 100 Mbps anyway, so it can be a cheap router....

I am pretty positive you can configure the 2960X to distribute DHCP addresses, so no need for a router.
0
huffmana (System Admin and Network Engineer, author) commented:
WOW, a switch that will run a DHCP server; I never thought of that.

You're the best, thank you for your help. Allan
0
Soulja (53 6F 75 6C 6A 61) commented:
Yeah, don't quote me on that. It should be able to. If not, I know for sure you can configure DHCP relay on the VLAN interfaces and just forward DHCP to your Meraki or whatever is dishing out DHCP addresses.
0
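Both DHCP options Soulja raises for the guest VLAN (the switch serving addresses itself, or relaying to an existing server), as an added 2960X example that is not configuration from the thread; the guest subnet and SVI follow the earlier design, while the DNS server and relay target addresses are placeholders.

```cisco
! Option A: the 2960X itself hands out guest addresses (IOS DHCP server on the guest SVI's subnet)
! Keep the gateway and a few addresses for static assignment out of the pool
ip dhcp excluded-address 192.168.170.1 192.168.170.9
!
ip dhcp pool GUEST
 network 192.168.170.0 255.255.255.0
 default-router 192.168.170.1
 dns-server 192.0.2.53
 lease 0 8
! (192.0.2.53 is a placeholder; use your real resolver. Lease is 0 days 8 hours.)
!
! Option B: relay instead. Guest DHCP broadcasts are forwarded as unicast to a server elsewhere.
! That server must have a scope for 192.168.170.0/24 and a route back to it via 192.168.1.2.
! Configure one option per subnet, not both.
interface Vlan30
 ip helper-address 192.0.2.67
! (192.0.2.67 is a placeholder for the DHCP server's address)
```

`show ip dhcp binding` lists leases handed out under option A; under option B, `debug ip dhcp server packet` is not involved, so check the relay with `show ip interface Vlan30` (the helper address appears) and the remote server's lease table.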
huffmana (System Admin and Network Engineer, author) commented:
Brilliant solution, Soulja is the best network guy around.
0