Best practice wise - should I let the router or the ASA handle NAT (Overloading)?
In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).
In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.
I can ping the 172.16.2.2 interface but not 172.16.2.1 from a PC connected to one of the layer 2 switches (proves intervlan routing is working -- I have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?
The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.
And most of all -- Why can't I get out to the Internet from the Layer 3 switch?
Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.
Your ASA configuration:
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?
You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.
ASA static routing example:
route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2
Further reading: ASA static routing
Your Cisco Router's configuration:
ip route 0.0.0.0 0.0.0.0 200.200.200.200
Additionally, how will your border router know how to reach subnets other than its connected routes and the catch-all default route via the outside interface's next-hop address 200.200.200.200?
Router static routing example:
ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.20.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10
Further reading: ISR static routing
I cannot get an ip address right now from the DHCP server (Windows).
Any insight into why?
Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.
From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.
You can remove the ip helper-address syntax from the SVI 100 given that the DHCP server is on the same segment and that command is used for a DHCP server(s) that is on a different segment.
interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27
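As an added illustration of the return-path problem described in this answer (example code written here, not part of the original post or of any Cisco tool): a small longest-prefix-match routing table in Python, loaded with the routes quoted above, traces where the ASA and the border router send a packet for 172.20.100.8 before and after the static routes are added. The transit-link masks (172.16.1.0/24 on the ASA/router link, 200.200.200.0/24 on the ISP link) and the mapping of next-hop addresses to devices are assumptions made for the example.

```python
import ipaddress

# Added example, not from the original answer: a minimal longest-prefix-match
# forwarding table used to trace where each device sends a packet for a host
# in 172.20.100.0/27 before and after the answer's static routes are added.


class RoutingTable:
    """Static routing table with longest-prefix-match lookup."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, next_hop or None if connected, interface)

    def add(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop, interface))
        return self

    def lookup(self, dst):
        """Return (prefix, next_hop, interface) of the most specific match, or None."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        net, next_hop, interface = max(matches, key=lambda r: r[0].prefixlen)
        return (str(net), next_hop, interface)


def build_tables(with_static_routes):
    """Tables for the ASA and the border router, with or without the answer's static routes."""
    asa = RoutingTable("asa")
    asa.add("172.16.1.0/24", None, "outside")       # assumed mask on the ASA/router link
    asa.add("172.16.2.0/27", None, "inside")        # mask taken from the router route example
    asa.add("0.0.0.0/0", "172.16.1.1", "outside")   # route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

    router = RoutingTable("router")
    router.add("172.16.1.0/24", None, "inside")            # assumed mask
    router.add("200.200.200.0/24", None, "outside")        # assumed mask on the ISP link
    router.add("0.0.0.0/0", "200.200.200.200", "outside")  # ip route 0.0.0.0 0.0.0.0 200.200.200.200

    if with_static_routes:
        for prefix in ("172.19.12.0/28", "172.19.3.0/24", "172.20.100.0/27"):
            asa.add(prefix, "172.16.2.2", "inside")       # route inside ... 172.16.2.2
            router.add(prefix, "172.16.1.10", "inside")   # ip route ... 172.16.1.10
        router.add("172.16.2.0/27", "172.16.1.10", "inside")
    return {"asa": asa, "router": router}


# Which device owns each next-hop address (assumed from the answer's examples:
# the L3 switch is 172.16.2.2 and the ASA outside interface is 172.16.1.10).
OWNER = {"172.16.1.1": "router", "172.16.1.10": "asa", "172.16.2.2": "l3switch"}


def trace(tables, start, dst, max_hops=8):
    """Follow next hops device by device and return the list of hops taken."""
    path = [start]
    device = start
    for _ in range(max_hops):
        table = tables.get(device)
        if table is None:
            return path  # reached a device we do not model (L3 switch or ISP)
        route = table.lookup(dst)
        if route is None:
            path.append("dropped: no route")
            return path
        _prefix, next_hop, interface = route
        if next_hop is None:
            path.append(f"delivered on {device}/{interface}")
            return path
        device = OWNER.get(next_hop, f"beyond {next_hop}")
        path.append(device)
    path.append("hop limit reached")
    return path


if __name__ == "__main__":
    for with_routes in (False, True):
        tables = build_tables(with_routes)
        label = "with" if with_routes else "without"
        print(f"{label} static routes:")
        print("  echo-reply from ASA to 172.20.100.8 ->", " -> ".join(trace(tables, "asa", "172.20.100.8")))
        print("  Internet return traffic at router  ->", " -> ".join(trace(tables, "router", "172.20.100.8")))
```

Without the static routes the ASA's echo-reply for 172.20.100.8 matches only the default route and leaves via the router, which in turn only has its own default route and pushes it toward the ISP; with the routes in place both devices resolve the prefix to the inside next hop, which is the behaviour the answer's route examples restore.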
It looks like you're trying to configure a MUX-UNI with:
- A Layer3 interface on Vlan 556
- A Vlan-mode PW on Vlan 920
The WS-X6516A is considered a Catalyst 6500 / Cisco 7600 LAN Card; LAN cards have some feature restrictions... one of the restrictions is how you configure a Layer3 interface on a LAN card with dot1q encapsulation.
When you're building a MUX-UNI combination of Pseudo-Wire services, and Layer3 services on a dot1q-trunked Catalyst 6500 LAN card, you must do the following:
- Configure the Layer3 services on an SVI. Direct Layer3 subinterface configuration on the LAN switchports is not supported on Sup720
- Configure the Pseudo-wire as a subinterface of the LAN card (omit the PW vlan from the dot1q trunk though).
I'll use your example...
interface GigabitEthernet8/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 556
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet8/1.123
! Configure PW-ID 1026 on Vlan 920, note that vlan-920 is *not* explicitly trunked on Gi8/1
encapsulation dot1q 920
xconnect 172.16.25.25 1026 encapsulation mpls
mtu 1500
!
interface Vlan556
no shutdown
! insert optional VRF configuration here
ip address 192.0.2.254
If you use this configuration as a template, MUX-UNI will work for you.
What was wrong with your configuration
- You tried to use a Layer3 IP subinterface directly on the switchport, which is not supported on 6500 / 7600-series LAN cards and Sup720
- The original MUX-UNI configuration on Gi8/3 was not made a switchport first.
Catalyst6500 LAN Card IP subinterfaces
Because Catalyst6500 Vlans have a global scope throughout the chassis, LAN cards on Sup720 support a routed dot1q subinterface, as long as you have not used that same vlan elsewhere... example:
! ensure vlan 100 is unused, so we can use it on a Gi4/1 subinterface
no vlan 100
interface GigabitEthernet4/1
no switchport
interface GigabitEthernet4/1.100
encapsulation dot1q 100
ip address 192.0.2.1 255.255.255.0
Best Answer
IP is a layer-3 protocol, but you have a layer-2 switch. When a port is configured as a switch (layer-2) port, you can't assign an IP address to it. It doesn't make sense to assign a layer-3 address to a layer-2 port. IP is a layer-3 protocol, so you assign it to layer-3 ports.
The layer-2 switch can have a layer-3 SVI port to which you can assign an IP address, but your switch isn't a router or layer-3 switch, so an IP address on your SVI is only for switch management. If you want to have multiple VLANs and route between them, you need a router or a layer-3 switch.
If you had a layer-3 switch, you would need to make sure that you have IP routing enabled. You could then assign IP addresses to the ports, but you would first need to use the no switchport command.