Cisco internal VLAN setup with access to public network

ciscovlan

I have a Cisco 4948 switch that I'm dividing in half (half public, half private VLAN for NAS access). On the public side, Gi1/0 is the up-stream connection to the router, and G1/0-23 are configured in VLAN1 and designed for public access. Public IPs are xx.47.90.0/24, with a gateway of xx.47.90.1 (which lives on the router … and is assigned to a separate VLAN on the router)

Ports G1/24-48 are designed VLAN2 and setup for private access. The private network is defined as 10.1.40.0/24. I've added 10.1.40.1 to the VLAN2 interface, and am using it as the default gateway for servers only on the private network (as well as the management IP for the switch).

Everything works, as long as servers have two NICs, they can reach both networks. My issue is servers that are ONLY on the private the private VLAN can't reach the public network. So my question(s)

1) Should I be using 10.1.40.1 as the gateway for servers only on the private network? Or should I be using the public gateway (xx.47.90.1) even though the only IP assigned to the server is in the private range?
2) Is there a configuration needed on VLAN2 (private) to allow it to access the public network? All the documentation I've seen was written for routers where the public IP lived on the device. Basically what I want to do is route all traffic to the public gateway xx.47.90.1 except 10.1.40.0/24

Best Answer

Have you assigned an ip address to both the VLAN1 and VLAN2 interfaces on the switch? Have you enabled ip routing on the switch? If not, you need to.

http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html

If your goal is to allow hosts in VLAN1 and VLAN2 to communicate with each other and only for hosts in VLAN 1 to have internet access then you should only need to configure an appropriate ip address to the VLAN1 and VLAN2 interfaces and to enable ip routing on the switch.

If you also need hosts in VLAN2 to have internet access then there are a few more configurations needed on the switch and the router.

Related Solutions

Cisco – Vlans and subinterfaces

Pardon, in your cut and pasted configs, you appear to be describing Gi0/48 - your uplink to your router, but in your question refer specifically to hosts connected to Gi0/18. I'm going to assume you're describing two different ports here. Further, I'm assuming from details in your config statements and question, that vlan 3 is being used for the 192.168.0.80/28 traffic. I'm going to assume that the vlan has already been declared on your 3560. (Check sh vlan)

First of all, your port Gi0/18 should be configured for access mode on vlan 3. Likely, something like this:

interface GigabitEthernet 0/18
switchport access vlan 3
switchport mode access

As far as for other recommendations. Will all/most of your traffic from your IP subnets be to and from the internet. Basically, If you have enough traffic between subnets, it may suit you to have the 3560 act as your internal router and then dedicate your 3825 to be your border router. The problem is that if your router is baring the entire load for all routing, then a packet from one subnet will arrive at your switch, then be forwarded via the dot1q to your trunk on some vlan X, the router then makes a routing decision and sends the same packet back along the dot1q trunk on some new vlan Y now destined for the destination machine. Btw, I'm simply describing the situation of internal traffic to your customers/organization that crosses your different subnets.

Instead, you can configure the 3560 at the, assuming normal conventions, first address of each vlan/subnet. E.g. 192.168.0.81 and enable ip routing. The next step is you create a new subnet specifically for between the router and switch. For convenience, i'd use something completely different, for example, 192.0.2.0/24 is reserved for documentation examples. Configure the router at 192.0.2.1 and the switch at 192.0.2.2. Have the switch use 192.0.2.1 as the default route. Configure the router to reach 192.168.0.0/16 via the switch at 192.0.2.2. If your network is small enough, static routes should be sufficient. No need for OSPF or anything.

Of course, this would be a rather dramatic change; but it has potential for being a large improvement. It all depends on the nature of your traffic.

For reference, cisco lists the Cisco Catalyst 3560G-48TS and Catalyst 3560G-48PS having a 38.7 Mpps forwarding rate and the Cisco 3825 as having 0.35Mpps forwarding rate. Mpps, just in case you don't know, is millions of packets per second.

It's not bandwidth, but it's how many 64 byte packet routing decisions the device can make a second. The length of the packet doesn't affect how long it takes to making a routing decision. So the peak performance in bits/bytes will be somewhere in a range. In terms of bandwidth, it means that 350kpps is 180Mbps w/ 64byte packets and 4.2Gbps w/ 1500 byte packets. Mind you, that's in bits per second, so think of it as 18 Megabytes or 420 Megabytes per second in regular file-size terms.

In theory, this means that your 3560G can route somewhere between 19.8Gbps and 464Gbps or rougly 2GBps and 45GBps.

Actually, looking at those numbers, you most definitely should consider the plan I described above. Dedicate your 3825 to handling, presumably, NAT'd external traffic and let your 3560 handle the rest.

I'm sorry this is so long; I'm bored at work waiting for tapes to finish. Cheers.

Is A Managed Switch With VLAN Support Required

Putting your public and private networks on 1 VLAN is a security no-no. It will probably work, but it's worth the small investment for a semi-managed switch.

Best Answer

Related Solutions

Cisco – Vlans and subinterfaces

Is A Managed Switch With VLAN Support Required

Related Topic