How to get mngt network to a NATing router 2921

huffmana asked:

192.168.168.0/24   Office Network
192.168.170.0/24   Guest Network enclave
10.10.10.0/30      MNGT Network

==============-------SW---------==================
Switch gi0/7 connected to OUTSIDE interface_gi0/0 (2921 RTR):
!
interface Vlan200
 description mngt_vlan
 ip address 10.10.10.3 255.255.255.0
end
!
interface GigabitEthernet0/7
 description to_RTR_OUTSIDE_gi0/0
 switchport access vlan 200
 switchport mode access
!
==============-------RTR---------==================
2921 RTR interface:
  !
interface GigabitEthernet0/0
 description OUTSIDE_to_SWITCH_gi0/7
 ip address 192.168.168.231 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 200
 ip address 10.10.10.9 255.255.255.224
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.170.1 255.255.255.0
 ip nat inside
!
===========----------NAT----------==============
!
ip nat inside source list GUEST_ACL interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.168.1
!
ip access-list extended GUEST_ACL
 permit ip 192.168.170.0 0.0.0.255 host 192.168.168.1
 deny   ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
 permit udp 192.168.170.0 0.0.0.255 host 192.168.168.1
 deny   udp 192.168.170.0 0.0.0.255 host 192.168.168.1
 permit ip 192.168.170.0 0.0.0.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any
!
=============-------SOLUTIONS------------==================
1) Adding "native" works for MNGT 10.10.10.10 but it breaks the NAT :-(

interface GigabitEthernet0/0.1
 encapsulation dot1Q 200 native
 ip address 10.10.10.10 255.255.255.0

2) Changing to a trunk breaks both MNGT and NAT :-(

interface GigabitEthernet0/7
 description Guest_RTR
 switchport trunk allowed vlan 200
 switchport mode trunk

3) I put 10.10.10.0/30 on gi0/2.  Then connected a second cable from the switch_gi0/6 to rtr_gi0/2.  NAT is OK but MNGT still doesn't work.  Tried both "mode trunk," "mode access," and a subinterface??????

!!!!!!!!!!!!!!SWITCH !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
interface GigabitEthernet0/6
 description to_RTR_gi0/2_10.10.10.10 to int gi0/2
 switchport access vlan 200
 switchport mode access

!!!!!!!!!!!!!!!!!RTR !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
interface GigabitEthernet0/2
 description TEST MNGT INT
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.1
 encapsulation dot1Q 200
 ip address 10.10.10.10 255.255.255.224
!

OR

interface GigabitEthernet0/2
 description TEST MNGT INT
 ip address 10.10.10.10 255.255.255.224
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.1
 encapsulation dot1Q 200
 ip address 10.10.10.10 255.255.255.224
 shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
guestrtr#sh ip route
Gateway of last resort is 192.168.168.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 192.168.168.1
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, GigabitEthernet1/0
L        1.1.1.3/32 is directly connected, GigabitEthernet1/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/27 is directly connected, GigabitEthernet0/2.1
L        10.10.10.10/32 is directly connected, GigabitEthernet0/2.1
      192.168.168.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.168.0/24 is directly connected, GigabitEthernet0/0
L        192.168.168.231/32 is directly connected, GigabitEthernet0/0
      192.168.170.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.170.0/24 is directly connected, GigabitEthernet0/1
L        192.168.170.1/32 is directly connected, GigabitEthernet0/1

!!!!!!!!!!!!!!SWITCH !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#sh cdp nei
guestrtr.cortana.com
                 Gig 0/6           150             R S I  CISCO2921 Gig 0/2
#

QUESTIONS:
The router is not responding to ARP requests, so the switch does not resolve the MAC.
All I have to do is SSH to the router using 10.10.10.0.....  Any ideas?
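The three attempts above all come down to which router interface ends up receiving the frames the switch sends out of gi0/7 (or gi0/6). The following is an added model of that behaviour, not code from the thread; it encodes standard Cisco IOS 802.1Q rules: an access port sends its VLAN untagged, a trunk tags every allowed VLAN except the native VLAN (1 by default) and drops VLANs not in the allowed list, a router parent interface receives untagged frames, a sub-interface with `encapsulation dot1Q N` receives frames tagged N, and the `native` keyword moves the untagged frames onto that sub-interface instead of the parent. The interface names and addresses are the ones in the question; the `hosts_outside` check uses the 10.10.10.x addresses that appear on the page against the stated 10.10.10.0/30.

```python
"""Which router interface receives the switch's VLAN 200 frames, per scenario.
Added illustration (not from the original thread); behaviour is standard IOS."""
from dataclasses import dataclass, field
from typing import Optional, Set
import ipaddress


@dataclass
class SwitchPort:
    mode: str                      # "access" or "trunk"
    access_vlan: int = 1
    allowed: Set[int] = field(default_factory=set)   # trunk allowed VLANs
    native: int = 1                # trunk native VLAN (sent untagged)


@dataclass
class RouterIface:
    name: str
    tag: Optional[int] = None      # None = physical (parent) interface
    native: bool = False           # 'encapsulation dot1Q <tag> native'
    ip: Optional[str] = None


def egress_tag(port: SwitchPort, vlan: int):
    """Tag the switch puts on a frame of `vlan` leaving `port`:
    an int, None for untagged, or "dropped" if the port won't carry it."""
    if port.mode == "access":
        return None if vlan == port.access_vlan else "dropped"
    if vlan not in port.allowed:
        return "dropped"
    return None if vlan == port.native else vlan


def receiving_iface(ifaces, tag) -> Optional[RouterIface]:
    """Router interface that accepts a frame carrying `tag` (None = untagged)."""
    if tag is None:
        # untagged frames go to a 'native' sub-interface if one exists,
        # otherwise to the parent; the parent gets nothing in the first case
        native = [i for i in ifaces if i.native]
        if native:
            return native[0]
        return next((i for i in ifaces if i.tag is None), None)
    return next((i for i in ifaces if i.tag == tag), None)


def deliver(port: SwitchPort, ifaces, vlan: int) -> Optional[RouterIface]:
    tag = egress_tag(port, vlan)
    return None if tag == "dropped" else receiving_iface(ifaces, tag)


def hosts_outside(network: str, hosts):
    """Addresses from `hosts` that are not usable host addresses of `network`."""
    usable = set(ipaddress.ip_network(network).hosts())
    return [h for h in hosts if ipaddress.ip_address(h) not in usable]


# --- the question's configurations; only VLAN 200 rides this link ---
ORIGINAL_PORT = SwitchPort("access", access_vlan=200)
ORIGINAL_RTR = [RouterIface("Gi0/0", ip="192.168.168.231"),
                RouterIface("Gi0/0.1", tag=200, ip="10.10.10.9")]
NATIVE_RTR = [RouterIface("Gi0/0", ip="192.168.168.231"),
              RouterIface("Gi0/0.1", tag=200, native=True, ip="10.10.10.10")]
TRUNK_PORT = SwitchPort("trunk", allowed={200})          # native VLAN left at 1
SECOND_LINK_RTR = [RouterIface("Gi0/2"),                 # 'no ip address'
                   RouterIface("Gi0/2.1", tag=200, ip="10.10.10.10")]


def scenario_table():
    """Scenario name -> (interface, ip) that receives VLAN 200 traffic, or None."""
    cases = {
        "original (access / dot1Q 200)": (ORIGINAL_PORT, ORIGINAL_RTR),
        "1) 'native' on sub-interface": (ORIGINAL_PORT, NATIVE_RTR),
        "2) trunk, allowed vlan 200": (TRUNK_PORT, ORIGINAL_RTR),
        "3) second access link to Gi0/2.1": (ORIGINAL_PORT, SECOND_LINK_RTR),
    }
    out = {}
    for name, (port, ifaces) in cases.items():
        got = deliver(port, ifaces, 200)
        out[name] = (got.name, got.ip) if got else None
    return out


if __name__ == "__main__":
    for name, hit in scenario_table().items():
        print(f"{name:36} -> {hit}")
    print("not usable hosts of 10.10.10.0/30:",
          hosts_outside("10.10.10.0/30", ["10.10.10.3", "10.10.10.9", "10.10.10.10"]))
```

The table the model produces matches what the question reports: with an access port the untagged frames land on Gi0/0 and NAT works while Gi0/0.1 never sees a frame; `native` hands the same untagged frames to Gi0/0.1 and starves Gi0/0; the trunk tags VLAN 200 so again only Gi0/0.1 receives traffic; and on the second link the frames arrive at Gi0/2, which has no address. Because the office and management subnets share one VLAN, no single tag can split them onto two sub-interfaces, which is why putting the address on the physical interface of the second link (as reported later in the thread) is what finally worked. The last line also shows that none of 10.10.10.3, .9 or .10 is a usable host in the stated 10.10.10.0/30; the masks actually configured (/24 on the SVI, /27 on the router) should agree with each other and with the documented prefix.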
Soulja

I am confused. Why are you trying to NAT?
Soulja (accepted solution; the answer text is not shown on this page)
huffmana (asker)

The NAT is to create a separate enclave for guests to access the Internet through the ISP's router at 192.168.168.1.    Don't I need to keep the address on the OUTSIDE interface for the NAT to work?  Or will NAT work on any IP originating from the guest network?

Oh I just noticed the ACL :-/  Your solution probably worked, it was just being blocked.  It's always an ACL that gets me.  Let me do some testing without an any any ACL.

ip nat inside source list GUEST_ACL interface GigabitEthernet0/0 overload
!
ip access-list extended GUEST_ACL
 permit ip 192.168.170.0 0.0.0.255 host 192.168.168.1
 deny   ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
 permit udp 192.168.170.0 0.0.0.255 host 192.168.168.1
 deny   udp 192.168.170.0 0.0.0.255 host 192.168.168.1
 permit ip 192.168.170.0 0.0.0.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any
!
As soon as I change the switched interface to a trunk the NAT fails..... ????
Yes, I need RTR gi0/0 ip addr 192.168.168.231 because that is the overloaded NAT IP.... it's 192.168.168.0 that is allowed out of the ISP firewall.
And there is the ip route 0.0.0.0 0.0.0.0 192.168.168.1
I can change that to ip route 192.168.170.0 0.0.0.255 192.168.168.1

But it still doesn't solve the problem of using a "mode access".....

Maybe it just can't be done.  Maybe I have to use the overloaded IP 192.168.168.231 to ssh to manage the box...
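Since GUEST_ACL is the list referenced by `ip nat inside source list`, it decides which packets get translated, not which are forwarded: in IOS a `permit` match means translate, a `deny` match (or the implicit deny) means the packet leaves untranslated, with its original 192.168.170.x source. Below is an added first-match evaluator for exactly that list, not code from the thread; the sample packets are constructed. Besides showing what each kind of packet does, it flags entries that can never be reached because an earlier entry already covers them.

```python
"""First-match evaluation of the thread's GUEST_ACL as a NAT source list.
Added illustration (not from the original thread); sample packets are constructed."""
import ipaddress
from dataclasses import dataclass

GUEST_ACL = """
 permit ip 192.168.170.0 0.0.0.255 host 192.168.168.1
 deny   ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
 permit udp 192.168.170.0 0.0.0.255 host 192.168.168.1
 deny   udp 192.168.170.0 0.0.0.255 host 192.168.168.1
 permit ip 192.168.170.0 0.0.0.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any
"""


def proto_covers(outer: str, inner: str) -> bool:
    """An 'ip' entry matches every IP protocol; tcp/udp/icmp only match themselves."""
    return outer == inner or outer == "ip"


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard (1 bits = don't care) -> prefix; contiguous masks only."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(tokens[0], tokens[1], src, dst, " ".join(tokens)))
    return aces


def first_match(aces, proto: str, src: str, dst: str):
    """(index, action) of the first matching ACE; (None, 'deny') = implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(aces):
        if proto_covers(ace.proto, proto) and s in ace.src and d in ace.dst:
            return i, ace.action
    return None, "deny"


def translated(aces, proto: str, src: str, dst: str) -> bool:
    """True if the NAT list would translate this packet."""
    return first_match(aces, proto, src, dst)[1] == "permit"


def shadowed_entries(aces):
    """Indices of ACEs whose whole match space lies inside one earlier ACE,
    so they can never be hit regardless of their action."""
    out = []
    for i, ace in enumerate(aces):
        for earlier in aces[:i]:
            if (proto_covers(earlier.proto, ace.proto)
                    and ace.src.subnet_of(earlier.src)
                    and ace.dst.subnet_of(earlier.dst)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    acl = parse_acl(GUEST_ACL)
    for i in shadowed_entries(acl):
        print(f"never matched, entry {i + 1}: {acl[i].text}")
    samples = [("tcp", "192.168.170.50", "8.8.8.8"),         # guest to Internet
               ("tcp", "192.168.170.50", "192.168.168.20"),  # guest to office host
               ("udp", "0.0.0.0", "255.255.255.255"),        # DHCP discover
               ("icmp", "10.10.10.3", "8.8.8.8")]            # management subnet
    for proto, src, dst in samples:
        print(proto, src, "->", dst, first_match(acl, proto, src, dst))
```

Run as-is it reports the two udp entries as unreachable (the first `permit ip ... host 192.168.168.1` already covers them), shows guest-to-Internet traffic translated and guest-to-office traffic left untranslated, and confirms nothing from 10.10.10.0 is translated. If the intent is to actually block guest-to-office traffic rather than just not translate it, that needs an ACL applied to the interface, not the NAT list.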
Ok this is confusing. What exactly are you trying to accomplish?  Where does your management VLAN come into play with this scenario?

Can't change the ip route either.... NAT access to the ISP is stopped even with "ip route 192.0.0.0 255.0.0.0 192.168.168.1".
Only 0.0.0.0 0.0.0.0 192.168.168.1 works :-(
Is it weird to manage network devices on a different private IP (10.10.10.0) than the office IP (192.168.168.0)?  I thought that it would make it more secure...

No, management on a separate subnet is best practice.
I am still trying to understand what you are trying to accomplish. Do you want the management to not be NATed and the other subnet to be NATed?

Yes.  I can use the overloaded address to SSH to the router but I wanted to use a non-NATed address....  I'm using the same VLAN in the office network for both subnets so I can use any switch interface.  Not really a great security measure but it's something.
I don't understand why the NAT doesn't work with a trunk?  Because the packets have to be VLAN tagged coming into the switch?

NAT is L3 and the trunk is L2. Provide a quick diagram again of what you are working with.

I don't understand why the NAT doesn't work with a trunk?  Because the packets have to be VLAN tagged coming into the switch?

NAT is working with tags, but only VLAN 200 is allowed on the trunk (command switchport trunk allowed vlan 200), so all other VLANs are dropped.

router
interface GigabitEthernet0/0
 ! this one is tagged with default tag - no tag - other side should match this tag (native VLAN)
 description OUTSIDE_to_SWITCH_gi0/7
 ip address 192.168.168.231 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0.1
 ! tag 200
 encapsulation dot1Q 200
 ip address 10.10.10.9 255.255.255.224

switch
interface GigabitEthernet0/7
 description Guest_RTR
 switchport mode trunk
 switchport trunk allowed vlan all
 ! or
 ! switchport trunk allowed vlan 1, 200
!
vlan 200
 name Management_whatever
vlan X
 name Data_whatever

I configured, in the previous question, the trunk to permit only VLAN 200 since you had configured the switch port as access.

I'm pretty sure that the trunk is not working because the Ethernet packets never get tagged as VLAN 200 (both the office subnet and the MNGT subnet).  Everything on the office network is VLAN 200 and our ISP said that they put a VLAN 200 filter on the firewall.

I would guess that if I mirrored the traffic to the OUTSIDE connection of the router that I'd be able to see the traffic coming in and verify that the trunk is working.

Does a "mode access" make the IP address at the other end of the cable part of the broadcast domain?  If I make another "mode access" to the router's 3rd interface and add a MNGT IP address to it, will the switch correctly direct traffic between the two VLAN 200 interfaces on the router?

OK that worked.  I have 2 interfaces to the router.  One with the NAT overload IP address (192.168.168.231) and one with the MNGT address (10.10.10.10).  I removed spanning-tree portfast from the switch interfaces, see the following warning.  When the interface was a trunk, the switch did not put the router's IP address in the MAC table.  But when the switch interface is a "mode access," it will.  As long as the router's interfaces are part of the broadcast domain, I don't think that there will be any routing loops....

Does this make sense?  Is there a danger in having two VLAN 200 mode access interfaces to a router?


%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

Can you provide a diagram of where you are now. You are making a lot of changes and I have lost track of what you have configured currently.

I'm guessing that the router doesn't let an interface have multiple connections to a single VLAN.  That's why the subinterface did not work until it was set to "encapsulation dot1Q 200 native" - but then it removed VLAN 200 from the base interface.
Here is the diagram.  Haven't thought about getting to the EtherSwitch yet... But I can always console in from the 2921 service-module.
Network_Diagram_1004.pdf

Updated diagram.  Note that the RTR 2921 is being installed adjacent to the patch-panel.  So the VLAN 200 ports on the EtherSwitch module will be used for POE VoIP to get them off of the C2960X switch.  The VoIP is only 100 Mbps anyway.  Besides the VoIP everything else is 1GE.
Network_Diagram_1004b.pdf

Both Soulja and JustinCase are great network engineers and I appreciate their help.