huffmana
How to get mngt network to a NATing router 2921
192.168.168.0/24 Office Network
192.168.170.0/24 Guest Network enclave
10.10.10.0/30 MNGT Network
==============-------SW---
Switch gi0/7 connected to OUTSIDE interface_gi0/0 (2921 RTR):
!
interface Vlan200
description mngt_vlan
ip address 10.10.10.3 255.255.255.0
end
!
interface GigabitEthernet0/7
description to_RTR_OUTSIDE_gi0/0
switchport access vlan 200
switchport mode access
!
==============-------RTR--
2921 RTR interface:
!
interface GigabitEthernet0/0
description OUTSIDE_to_SWITCH_gi0/7
ip address 192.168.168.231 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 200
ip address 10.10.10.9 255.255.255.224
!
interface GigabitEthernet0/1
description INSIDE
ip address 192.168.170.1 255.255.255.0
ip nat inside
!
===========----------NAT--
!
ip nat inside source list GUEST_ACL interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.168.1
!
ip access-list extended GUEST_ACL
permit ip 192.168.170.0 0.0.0.255 host 192.168.168.1
deny ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
permit udp 192.168.170.0 0.0.0.255 host 192.168.168.1
deny udp 192.168.170.0 0.0.0.255 host 192.168.168.1
permit ip 192.168.170.0 0.0.0.255 any
deny ip host 0.0.0.0 any
deny ip any any
!
=============-------SOLUTIONS-------
1) Adding "native" works for MNGT 10.10.10.10 but it breaks the NAT :-(
interface GigabitEthernet0/0.1
encapsulation dot1Q 200 native
ip address 10.10.10.10 255.255.255.0
2) Changing to a trunk breaks both MNGT and NAT :-(
interface GigabitEthernet0/7
description Guest_RTR
switchport trunk allowed vlan 200
switchport mode trunk
3) I put 10.10.10.0/30 on gi0/2. Then connected a second cable from the switch_gi0/6 to rtr_gi0/2. NAT is OK but MNGT still doesn't work. Tried "mode trunk," "mode access," and a subinterface??????
!!!!!!!!!!!!!!SWITCH !!!!!!!!!!!!!!!!!!!!!!!!!!
interface GigabitEthernet0/6
description to_RTR_gi0/2_10.10.10.10 to int gi0/2
switchport access vlan 200
switchport mode access
!!!!!!!!!!!!!!!!!RTR !!!!!!!!!!!!!!!!!!!!!!!!!!
Variant 1:
interface GigabitEthernet0/2
description TEST MNGT INT
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.1
encapsulation dot1Q 200
ip address 10.10.10.10 255.255.255.224
Variant 2:
interface GigabitEthernet0/2
description TEST MNGT INT
ip address 10.10.10.10 255.255.255.224
duplex auto
speed auto
!
interface GigabitEthernet0/2.1
encapsulation dot1Q 200
ip address 10.10.10.10 255.255.255.224
! shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
guestrtr#sh ip route
Gateway of last resort is 192.168.168.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.168.1
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, GigabitEthernet1/0
L 1.1.1.3/32 is directly connected, GigabitEthernet1/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/27 is directly connected, GigabitEthernet0/2.1
L 10.10.10.10/32 is directly connected, GigabitEthernet0/2.1
192.168.168.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.168.0/24 is directly connected, GigabitEthernet0/0
L 192.168.168.231/32 is directly connected, GigabitEthernet0/0
192.168.170.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.170.0/24 is directly connected, GigabitEthernet0/1
L 192.168.170.1/32 is directly connected, GigabitEthernet0/1
!!!!!!!!!!!!!!SWITCH !!!!!!!!!!!!!!!!!!!!!!!!!!
#sh cdp nei
guestrtr.cortana.com
Gig 0/6 150 R S I CISCO2921 Gig 0/2
#
QUESTIONS:
The router is not responding to ARP requests, so the switch does not resolve the MAC.
All I have to do is SSH to the router using 10.10.10.0..... Any ideas?
I am confused. Why are you trying to nat?
ASKER
The NAT is to create a separate enclave for guests to access the Internet through the ISPs router at 192.168.168.1. Don't I need to keep the address on the OUTSIDE interface for the NAT to work? Or will NAT work on any IP originating from the guest network?
Oh I just noticed the ACL :-/ Your solution probably worked, it was just being blocked. It's always an ACL that gets me. Let me do some testing without an any any ACL.
ip nat inside source list GUEST_ACL interface GigabitEthernet0/0 overload
!
ip access-list extended GUEST_ACL
permit ip 192.168.170.0 0.0.0.255 host 192.168.168.1
deny ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
permit udp 192.168.170.0 0.0.0.255 host 192.168.168.1
deny udp 192.168.170.0 0.0.0.255 host 192.168.168.1
permit ip 192.168.170.0 0.0.0.255 any
deny ip host 0.0.0.0 any
deny ip any any
!
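A point worth checking before blaming the ACL above: it is referenced by "ip nat inside source list", so a permit only marks a packet for translation and a deny lets it route untranslated; it does not filter anything, and nothing sourced from 10.10.10.0/24 matches any entry. The following added example (not from the thread) evaluates the posted GUEST_ACL with IOS first-match semantics and the implicit deny at the end.

```python
import ipaddress

# GUEST_ACL exactly as posted in the question (used as the NAT source list).
GUEST_ACL = [
    ("permit", "ip",  "192.168.170.0 0.0.0.255", "host 192.168.168.1"),
    ("deny",   "ip",  "192.168.170.0 0.0.0.255", "192.168.168.0 0.0.0.255"),
    ("permit", "udp", "192.168.170.0 0.0.0.255", "host 192.168.168.1"),
    ("deny",   "udp", "192.168.170.0 0.0.0.255", "host 192.168.168.1"),
    ("permit", "ip",  "192.168.170.0 0.0.0.255", "any"),
    ("deny",   "ip",  "host 0.0.0.0", "any"),
    ("deny",   "ip",  "any", "any"),
]


def _match(spec, addr):
    """Match an IOS address spec ('any', 'host X', or 'net wildcard') against addr."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    # Wildcard bits set to 1 are "don't care"; only the 0 bits are compared.
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_action(acl, proto, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, p, sspec, dspec in acl:
        # An 'ip' entry matches every protocol; 'udp' only matches UDP.
        if p in ("ip", proto) and _match(sspec, s) and _match(dspec, d):
            return action
    return "deny"


def nat_decision(proto, src, dst):
    """NAT source-list semantics: permit = translate, deny = forward untranslated."""
    return "translated" if acl_action(GUEST_ACL, proto, src, dst) == "permit" else "not translated"
```

Entries 3 and 4 are shadowed by entry 1, and management traffic between 10.10.10.3 and 10.10.10.10 falls through to the final deny, i.e. it is simply routed without translation.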
ASKER
As soon as I change the switched interface to a trunk the NAT fails..... ????
ASKER
Yes I need RTR gi0/0 ip addr 192.168.168.231 because that is the overloaded NAT ip.... it's 192.168.168.0 that is allowed out of the ISP firewall.
ASKER
And there is the ip route 0.0.0.0 0.0.0.0 192.168.168.1
I can change that to ip route 192.168.170.0 0.0.0.255 192.168.168.1
But it still doesn't solve the problem of using a "mode access".....
Maybe it just can't be done. Maybe I have to use the overloaded IP 192.168.168.231 to ssh to manage the box...
Ok this is confusing. What exactly are you trying to accomplish? Where does your management vlan come into play with this scenario?
ASKER
Can't change the ip route either.... NAT access to the ISP is stopped even with "ip route 192.0.0.0 255.0.0.0 192.168.168.1"
only 0.0.0.0 0.0.0.0 192.168.168.1 works :-(
ASKER
Is it weird to manage network devices on a different private IP (10.10.10.0) than the office IP (192.168.168.0)? I thought that it would make it more secure...
No, management on a separate subnet is best practice.
I am still trying to understand what you are trying to accomplish. Do you want the management to not be natted and the other subnet to be natted?
ASKER
Yes. I can use the overloaded address to SSH to the router but I wanted to use a non-natted address.... I'm using the same vlan in the office network for both subnets so I can use any switch interface. Not really a great security measure but it's something.
ASKER
I don't understand why the NAT doesn't work with a trunk? Because the packets have to be vlan tagged coming into the switch?
NAT is L3 and the trunk is L2. Provide a quick diagram again of what you are working with.
"I don't understand why the NAT doesn't work with a trunk? Because the packets have to be vlan tagged coming into the switch?"
NAT is working with tag, but only VLAN 200 is enabled on trunk (command switchport trunk allowed vlan 200), so all other VLANs are dropped.
router
interface GigabitEthernet0/0
! this one is tagged with default tag - no tag - other side should match this tag (native VLAN)
description OUTSIDE_to_SWITCH_gi0/7
ip address 192.168.168.231 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/0.1
! tag 200
encapsulation dot1Q 200
ip address 10.10.10.9 255.255.255.224
switch
interface GigabitEthernet0/7
description Guest_RTR
switchport mode trunk
switchport trunk allowed vlan all
! or
! switchport trunk allowed vlan 1, 200
!
!
vlan 200
name Management_whatever
vlan X
name Data_whatever
I configured, in previous question, trunk to permit only vlan 200 since you configured switch port as access.
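The tagging rule the reply above relies on, as an added illustration that is not the thread's own code: a switch access port sends untagged frames, the router delivers untagged frames to the physical interface (its native VLAN), and only frames carrying tag 200 reach the dot1Q 200 subinterface. Marking the subinterface "native" moves the untagged frames there instead, which is why that variant took 192.168.168.231 (and the NAT) off Gi0/0. The interface map and test frames are constructed from the posted config.

```python
import struct

# Router-side view of Gi0/0 built from the posted config (constructed for this example):
# key None = untagged frame, key 200 = frame tagged with VLAN 200.
SUBINTERFACES = {
    None: ("GigabitEthernet0/0",   "192.168.168.231/24"),
    200:  ("GigabitEthernet0/0.1", "10.10.10.9/27"),
}


def vlan_of(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if it is untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x8100:          # no 802.1Q tag after the MAC addresses
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF              # low 12 bits of the TCI carry the VLAN ID


def classify(frame: bytes, native_vlan=None):
    """Name the router (sub)interface an arriving frame is delivered to.
    native_vlan=200 models 'encapsulation dot1Q 200 native' on Gi0/0.1."""
    vid = vlan_of(frame)
    if vid is None:
        vid = native_vlan            # untagged frames belong to the native VLAN
    return SUBINTERFACES.get(vid, (None, None))[0]


def build_frame(vlan=None, payload=b"ARP who-has 10.10.10.9"):
    """Constructed test frame: broadcast dst, sample src, optional tag, ARP EtherType."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0011223344aa")
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return hdr + tag + struct.pack("!H", 0x0806) + payload
```

An ARP request for 10.10.10.9 arriving untagged from the access port lands on Gi0/0, which does not own that address, so it goes unanswered; the same frame tagged 200 from a trunk reaches Gi0/0.1.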
ASKER
I'm pretty sure that the trunk is not working because the Ethernet packets never get tagged as vlan 200 (both the office subnet and the MNGT subnet). Everything on the office network is vlan 200 and our ISP said that they put a vlan 200 filter on the firewall.
I would guess that if I mirrored the traffic to the OUTSIDE connection of the router that I'd be able to see the traffic coming in and verify that the trunk is working.
Does a "mode access" make the ip address at the other end of the cable part of the broadcast domain? If I make another "mode access" to the router's 3rd interface and add a MNGT ip address to it, will the switch correctly direct traffic between the two vlan 200 interfaces on the router?
ASKER
OK that worked. I have 2 interfaces to the router. One with the NAT overload ip address (192.168.168.231) and one with MNGT address (10.10.10.10). I removed spanning-tree portfast from the switch interfaces, see the following warning. When the interface was a trunk, the switch did not put the router's ip address in the MAC table. But when the switch interface is a "mode access," it will. As long as the router's interfaces are part of the broadcast domain, I don't think that there will be any routing loops....
Does this make sense? Is there a danger in having two vlan 200 mode access interfaces to a router?
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
Can you provide a diagram of where you are now. You are making a lot of changes and I have lost track of what you have configured currently.
ASKER
I'm guessing that the router doesn't let an interface have multiple connections to a single vlan. That's why the subinterface did not work until it was set to "encapsulation dot1Q 200 native" - but then it removed vlan 200 from the base interface.
ASKER
Here is the diagram. Haven't thought about getting to the EtherSwitch yet... But I can always console in from the 2921 service-module.
Network_Diagram_1004.pdf
ASKER
Updated diagram. Note that the RTR 2921 is being installed adjacent to the patch-panel. So the vlan 200 ports on the EtherSwitch module will be used for POE VoIP to get them off of the C2960X switch. The VoIP is only 100 mbps anyway. Besides the VoIP everything else is 1GE.
Network_Diagram_1004b.pdf
ASKER
Both Soulja and JustinCase are great network engineers and I appreciate their help.