2921 router subinterface to switch for management network

Can't get my management network connected to an enclave built with a 2921 router subinterface.  192.168.168.0/24 is the operational network.  10.10.10.0/27 is management network.

==============-------SW---------==================
Switch gi0/7 connected to OUTSIDE interface (2900 RTR):
!
interface Vlan200
 description mngt_vlan
 ip address 10.10.10.3 255.255.255.0
end
!
interface GigabitEthernet0/7
 description Guest_RTR
 switchport access vlan 200
 switchport mode access
 storm-control broadcast level 20.00
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
==============-------RTR---------==================
2921 RTR interface:
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.231 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 200
 ip address 10.10.10.9 255.255.255.224
!

===========----------NAT----------==============
!
ip nat inside source list GUEST_ACL interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.168.1
!
ip access-list extended GUEST_ACL
 permit ip 192.168.170.0 0.0.0.255 host 192.168.168.1
 deny   ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
 permit udp 192.168.170.0 0.0.0.255 host 192.168.168.1
 deny   udp 192.168.170.0 0.0.0.255 host 192.168.168.1
 permit ip 192.168.170.0 0.0.0.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any
!

=============-------------------==================
What am I doing wrong?  Thanks
huffmana (System Admin and Network Engineer) asked:

JustInCase commented:
Currently the router is configured to tag traffic with tag 200, and the switch is configured to send and receive untagged traffic on the port.
Configure ONE of these:
interface GigabitEthernet0/7
 description Guest_RTR
 switchport trunk allowed vlan 200
 switchport mode trunk
OR
interface GigabitEthernet0/0.1
 encapsulation dot1Q 200 native
 ip address 10.10.10.9 255.255.255.0
Also, you can remove the subinterface from the router and it will have the same end result (if you don't need/plan multiple tags/VLANs on the router interface).
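The mismatch JustInCase describes (access port sends VLAN 200 untagged, dot1Q subinterface expects it tagged) can be caught by a small config-consistency check. This is an added example, not code from the thread; the stanzas are constructed from the configs posted above, and the helper names (check_link, switch_framing, router_expectation) are my own. It assumes an explicit allowed-VLAN list on trunks, as in the suggested fix.

```python
import re

# Constructed from the thread: switch port and router subinterface as originally
# posted (mismatched), plus the two fixes given in the accepted answer.
SW_ACCESS = "interface GigabitEthernet0/7\n switchport access vlan 200\n switchport mode access\n"
SW_TRUNK = "interface GigabitEthernet0/7\n switchport trunk allowed vlan 200\n switchport mode trunk\n"
RT_TAGGED = "interface GigabitEthernet0/0.1\n encapsulation dot1Q 200\n ip address 10.10.10.9 255.255.255.224\n"
RT_NATIVE = "interface GigabitEthernet0/0.1\n encapsulation dot1Q 200 native\n ip address 10.10.10.9 255.255.255.0\n"


def commands(stanza):
    """Sub-commands of one 'interface ...' stanza, without indentation or '!' lines."""
    return [l.strip() for l in stanza.splitlines()[1:] if l.strip() and l.strip() != "!"]


def switch_framing(stanza):
    """Map VLAN id -> True if the switch port sends that VLAN tagged, False if untagged.
    Access port: its access VLAN leaves untagged. Trunk: allowed VLANs leave tagged,
    except the trunk native VLAN (IOS default 1), which leaves untagged."""
    mode, access_vlan, native, allowed = "access", 1, 1, set()
    for c in commands(stanza):
        if c.startswith("switchport mode "):
            mode = c.split()[-1]
        elif m := re.match(r"switchport access vlan (\d+)$", c):
            access_vlan = int(m[1])
        elif m := re.match(r"switchport trunk native vlan (\d+)$", c):
            native = int(m[1])
        elif m := re.match(r"switchport trunk allowed vlan ([\d,]+)$", c):
            allowed = {int(v) for v in m[1].split(",")}
    if mode == "access":
        return {access_vlan: False}
    return {v: v != native for v in allowed | {native}}


def router_expectation(stanza):
    """(vlan, tagged) a dot1Q subinterface accepts; the 'native' keyword means untagged frames."""
    for c in commands(stanza):
        if m := re.match(r"encapsulation dot1[qQ] (\d+)( native)?$", c):
            return int(m[1]), m[2] is None
    raise ValueError("no dot1Q encapsulation on subinterface")


def check_link(switch_stanza, router_stanza):
    """None when both ends agree on VLAN tagging, else a one-line description of the mismatch."""
    vlan, wants_tagged = router_expectation(router_stanza)
    sends = switch_framing(switch_stanza)
    if vlan not in sends:
        return f"switch port does not carry VLAN {vlan} at all"
    if sends[vlan] != wants_tagged:
        return (f"VLAN {vlan}: switch sends {'tagged' if sends[vlan] else 'untagged'}, "
                f"router subinterface expects {'tagged' if wants_tagged else 'untagged'}")
    return None


if __name__ == "__main__":
    for label, sw, rt in (("as posted", SW_ACCESS, RT_TAGGED), ("fix 1: trunk", SW_TRUNK, RT_TAGGED),
                          ("fix 2: native", SW_ACCESS, RT_NATIVE)):
        print(f"{label}: {check_link(sw, rt) or 'OK'}")
```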
huffmana (System Admin and Network Engineer, author) commented:
JustInCase nailed it.  And a terrific explanation too, I actually understand now.  I opted for the "native" approach.  Thank you
JustInCase commented:
You're welcome.
huffmana (System Admin and Network Engineer, author) commented:
Hi JustInCase, I don't know if I can get a message to you after selecting a solution, but here goes.

When I try either solution above, the 10.10.10.10 (used to be 10.10.10.9) works but the NAT stops. I've tried both the trunk and the "encapsulation dot1Q 200 native." It seems like changes to the subinterface affect the interface?

I put 10.10.10.0/30 on gi0/2 and left the NAT on gi0/0. I connected gi0/2 with another cable to a new trunk on the switch. Then I tried setting the IP 10.10.10.10 on a subinterface and also tried putting the IP address directly on the primary interface. I still can't get to gi0/2 from the directly connected switch? I only want to get to the router because there is an EtherSwitch-48 in it.

local1#sh run int vlan 200
interface Vlan200
 description mngt_vlan
 ip address 10.10.10.3 255.255.255.0

!
interface GigabitEthernet0/6
 description TEST TO GUEST TRUNK TO 10.10.10.10 to int gi0/2
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet0/7
 description Guest_RTR for 192.168.170.0 to int gi0/0
 switchport access vlan 200
 switchport mode access
!
local1#

guestrtr#

interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.231 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 200
 ip address 10.10.10.10 255.255.255.224
 shutdown
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.170.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description TEST MNGT INT
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.1
 encapsulation dot1Q 200
 ip address 10.10.10.10 255.255.255.224
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
guestrtr#sh ip route
Gateway of last resort is 192.168.168.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 192.168.168.1
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, GigabitEthernet1/0
L        1.1.1.3/32 is directly connected, GigabitEthernet1/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/27 is directly connected, GigabitEthernet0/2.1
L        10.10.10.10/32 is directly connected, GigabitEthernet0/2.1
      192.168.168.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.168.0/24 is directly connected, GigabitEthernet0/0
L        192.168.168.231/32 is directly connected, GigabitEthernet0/0
      192.168.170.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.170.0/24 is directly connected, GigabitEthernet0/1
L        192.168.170.1/32 is directly connected, GigabitEthernet0/1
guestrtr#
guestrtr#
JustInCase commented:
I am not sure what you are trying to achieve. If you want to NAT management traffic on the subinterface, then ip nat inside needs to be configured on the subinterface. Configuring the subinterface tag as native can influence the interface, since untagged traffic that was previously matching the interface itself now matches the subinterface. But again, I am not sure what you are trying to achieve, so I can't offer a solution.
If you are trying to reach hosts from the NAT outside interface, you will need to configure "port forwarding" - static NAT port redirection.

interface GigabitEthernet0/2.1
 encapsulation dot1Q 200
 ip address 10.10.10.10 255.255.255.224
 ip nat inside