Integrating Router into LAN – Best Practices

Tags: nat, router, switch, vlan, network

I had a consultant set up a basic network for a small office, but I have some questions regarding the best way to implement this. We are using a Cisco 1921 router connected to a Catalyst 3750 as the main switch. Two more Catalyst 3750s branch off from the main switch for different suites. VLANs are trunked through to the main 3750, where the gateways for each VLAN/subnet reside (192.168.x.1). The router is performing NAT with the public IP on the outside interface connected to the ISP modem and a private IP on the inside interface facing the switched network.

The things I am wondering about:

  1. Should the gateways of each subnet/VLAN reside on the main L3 switch?
  2. Do I need to trunk any VLANs to the router?
  3. Is there any double NAT happening? (The cable modem is in bridge mode.)
  4. Should I configure default gateways on my switches?
  5. Any other suggestions, such as changing the addressing scheme? (The router not being .1 bugs me.)

Some technician from the VoIP company was claiming that there is double NAT since he saw two private IP addresses in a traceroute. To my knowledge that is not true, and there are two hops because the packet hits the gateway on the L3 switch and then hits the inside router interface before going out to the internet. Please correct me if I am mistaken.

traceroute to 39.419.1.25 (74.115.98.25), 64 hops max, 52 byte packets
 1  192.168.4.1 (192.168.4.1)  0.739 ms  3.157 ms  0.516 ms  <---Gateway on L3 switch
 2  192.168.1.2 (192.168.1.2)  0.573 ms  0.488 ms  0.466 ms  <---Router Inside Interface
 3  * * *                                                    <---Cable Modem???
 4  ip43-52-53-43.blah.blah.blah.net (43.52.53.43)  9.125 ms  14.633 ms  9.812 ms
 5  * * *
 6  blah.blah.blah.net (45.2.4.90)  30.010 ms  19.896 ms  29.781 ms

Router Configuration

Current configuration : 5879 bytes
!
! Last configuration change at 00:33:56 UTC Sun Mar 1 2015 by noc
! NVRAM config last updated at 20:45:24 UTC Mon Mar 2 2015 by noc
! NVRAM config last updated at 20:45:24 UTC Mon Mar 2 2015 by noc
version 15.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname ROUTER-1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 64000
logging console emergencies
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
ip tcp mss 1492
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN
 ip address x.x.x.x 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 7 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 184.191.183.49
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 192.168.4.0 255.255.255.0 192.168.1.1
!
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 permit 192.168.2.0 0.0.0.255
access-list 7 permit 192.168.3.0 0.0.0.255
access-list 7 permit 192.168.4.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 remark Standardized inbound anti-spoofing list
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 255.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 7.255.255.255 any
access-list 101 deny   ip 14.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny   ip 198.18.0.0 0.0.255.255 any log
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip 50.202.143.128 0.0.0.31 any
access-list 101 deny   udp any any eq snmp log
access-list 101 deny   udp any any eq snmptrap log
access-list 101 deny   tcp any any range 135 139 log
access-list 101 deny   udp any any range 135 netbios-ss log
access-list 101 deny   tcp any any eq 6666 log
access-list 101 deny   tcp any any eq 6667 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   udp any any eq 445 log
access-list 101 permit ip any any
access-list 101 deny   ip any any log
!
!
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
ntp server 128.138.141.172
ntp server 216.228.192.69
!
end

Distribution Switch

Current configuration : 9859 bytes
!
! Last configuration change at 20:27:24 UTC Mon Mar 2 2015
! NVRAM config last updated at 20:45:03 UTC Mon Mar 2 2015
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SWITCH-1
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c3750g-48ps
system mtu routing 1500
ip routing
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.2.1 192.168.2.100
ip dhcp excluded-address 192.168.3.1 192.168.3.100
ip dhcp excluded-address 192.168.4.1 192.168.4.100
!
ip dhcp pool VLAN10
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 8.8.8.8 
!
ip dhcp pool VLAN20
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server 8.8.8.8
!         
ip dhcp pool VLAN30
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1 
   dns-server 8.8.8.8
!
ip dhcp pool VLAN40
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1 
   dns-server 8.8.8.8
!    
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface GigabitEthernet1/0/1
 description ROUTER
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/2
 description TRUNK-SWITCH-2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 911
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description TRUNK-SWITCH-3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 911
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
! 
interface GigabitEthernet1/0/5
 description AP-401
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/6
 description AP-402
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 description SERVER-1
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/0/8
 description SERVER-2
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/0/9
 description ADT-DVR
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/10
 description ADT
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/11
 description Printer-402
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/12
 description Printer-401
 switchport access vlan 30
 switchport mode access
 duplex full
!
interface GigabitEthernet1/0/13
 switchport access vlan 30
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.3.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan40
 ip address 192.168.4.1 255.255.255.0
!
!         
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
no ip http server
ip http secure-server
!
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 deny   ip any 192.168.1.0 0.0.0.255
access-list 101 deny   ip any 192.168.2.0 0.0.0.255
access-list 101 deny   ip any 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
ntp clock-period 36029145
ntp server 128.138.141.172
ntp server 216.228.192.69
end
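As an added illustration of the traceroute point in the question (this is not code from the original post), the script below parses the quoted traceroute, counts how many private-addressed hops precede the first public hop, and separately tests the one thing that would actually indicate a second NAT upstream: a private or CGNAT address on the router's WAN side. The traceroute text is a constructed copy of the hop lines quoted above, the 184.191.183.49 next hop comes from the router's default route in the posted config, and the function names are mine.

```python
import ipaddress
import re

# Constructed copy of the hop lines from the traceroute quoted in the question
# (annotations removed). Not captured from a live network.
TRACEROUTE = """\
 1  192.168.4.1 (192.168.4.1)  0.739 ms  3.157 ms  0.516 ms
 2  192.168.1.2 (192.168.1.2)  0.573 ms  0.488 ms  0.466 ms
 3  * * *
 4  ip43-52-53-43.blah.blah.blah.net (43.52.53.43)  9.125 ms  14.633 ms  9.812 ms
 5  * * *
 6  blah.blah.blah.net (45.2.4.90)  30.010 ms  19.896 ms  29.781 ms
"""

# Next hop of the router's default route, taken from the quoted config.
WAN_NEXT_HOP = "184.191.183.49"

# hop number, then either "* * *" or "name (a.b.c.d)"; the RTT columns are ignored
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\*|\S+\s+\((\d+\.\d+\.\d+\.\d+)\))")
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def parse_hops(text):
    """Return [(hop_number, ip_or_None), ...] from BSD/macOS-style traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def classify(hops):
    """Tag each hop as 'private' (RFC 1918 and other non-routable space), 'public' or 'no-reply'."""
    tagged = []
    for number, ip in hops:
        if ip is None:
            tagged.append((number, None, "no-reply"))
        else:
            kind = "private" if ipaddress.ip_address(ip).is_private else "public"
            tagged.append((number, ip, kind))
    return tagged


def private_hops_before_exit(hops):
    """Count private-addressed hops seen before the first public one.

    Each such hop is simply a routed device inside the LAN (here the L3 switch SVI and
    the router's inside interface). Routing hops say nothing about how many times NAT
    is applied, so two private hops are not evidence of double NAT.
    """
    count = 0
    for _, _, kind in classify(hops):
        if kind == "public":
            break
        if kind == "private":
            count += 1
    return count


def wan_side_is_private(wan_next_hop):
    """True if the router's WAN side lives in RFC 1918 or CGNAT (100.64/10) space.

    That, not the number of private hops in a traceroute, is what a second NAT
    upstream of the router looks like: a modem that is routing rather than bridging
    would be handing the router a private address.
    """
    addr = ipaddress.ip_address(wan_next_hop)
    return addr.is_private or addr in CGNAT


if __name__ == "__main__":
    hops = parse_hops(TRACEROUTE)
    for number, ip, kind in classify(hops):
        print(f"hop {number}: {ip or '*'} ({kind})")
    print("private hops before leaving the LAN:", private_hops_before_exit(hops))
    print("router WAN side is private/CGNAT:", wan_side_is_private(WAN_NEXT_HOP))
```

On the quoted trace the script reports two private hops (the VLAN 40 SVI and the router's inside interface) and a public next hop on the WAN side, which is the picture of one NAT at the router with the modem bridging, exactly as the question describes.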

Best Answer

1.) Yes, the gateways should reside on the L3 switch. If you were running Routing on a Stick, you would instead house their gateways on the Router. Your current configuration is in line with what is called a "collapsed core" design, where the L3 core performs both switching and VLAN routing and acts as a distribution layer.

2.) No, your L3 routing should be occurring on your 3750.

3.) If the cable modem is in bridge mode, there should be no double NAT. Bridge mode should disable all the routing features and leave the cable modem as just a cable modem.

4.) I would, just so you can hit devices on the separate VLANs.

5.) The address of the inside interface of the Cable modem may be .1. Leave it as it is. Like Ron said, it doesn't need to be changed.

Can we see the NAT configuration of your router? It will be helpful in identifying your NAT issue.

****EDIT****

This link may be helpful: Configuring NAT. I failed to take note of the NAT statement you had originally. This brings into question the claims made by your ISP. You're both able to hit the internet and you're being PAT'd with the correct commands. Are you experiencing any problems?