Connecting a VLAN'ed network to a dual homed host

Answered Question
Mar 12th, 2009

We have successfully implemented a routed VLAN setup at our site, with one problem. We need to be able to connect to a couple of hosts on a separate network that is not in our control. These hosts are dual homed, with the second NIC on our VLAN 2 server network. The problem is when we try to connect to these hosts from the other VLANs. I believe the traffic is getting to the hosts from the other VLANs, but is being dropped or routed to the separate network's gateway. How would you recommend connecting to these hosts?


We have these VLANs set up:

VLAN 1 shutdown

172.17.2.0/24 = VLAN 2 Servers

172.17.3.0/24 = VLAN 3 Workstations

172.17.10.0/24 = VLAN 10 Management


The other network is 192.168.0.0/16, which is out of our control.


Dual host #1

NIC1 192.168.2.? GW 192.168.2.1

NIC2 172.17.2.5 GW 172.17.2.254


Dual host #2

NIC1 192.168.2.? GW 192.168.2.1

NIC2 172.17.2.6 GW 172.17.2.254

Correct Answer
Jon Marshall Thu, 03/12/2009 - 17:24
Jim


Either

1) Add routes to the hosts for your VLAN subnets, but this might not be possible as they are out of your control

OR

2) Use NAT, i.e.

access-list 101 permit ip 172.17.3.0 0.0.0.255 host 172.17.2.5
access-list 101 permit ip 172.17.3.0 0.0.0.255 host 172.17.2.6
! Vlan10 is also marked "ip nat inside" below, so its traffic to the two
! hosts must be matched here as well, otherwise it is forwarded untranslated
access-list 101 permit ip 172.17.10.0 0.0.0.255 host 172.17.2.5
access-list 101 permit ip 172.17.10.0 0.0.0.255 host 172.17.2.6

on VLAN interfaces

int vlan 3
 ip nat inside

int vlan 10
 ip nat inside

int vlan 2
 ip nat outside

ip nat inside source list 101 interface vlan 2 overload

Then any traffic going to the hosts will seem to be coming from the VLAN 2 IP address, and so the hosts should use their VLAN 2 gateway rather than the 192.168.2.1 gateway.


Jon
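The asymmetric-routing problem and both fixes from the answer above, walked through in code. This is an added example, not part of the thread or of any Cisco documentation. It models dual host #1's routing table with longest-prefix matching and shows where the host sends its reply in each case. The VLAN 3 client address 172.17.3.20 is constructed, as is the assumption that the host acts on a single default route, the one via 192.168.2.1 on NIC1 (the question lists a gateway on both NICs; the symptom described implies NIC1's is the one in use).

```python
"""Added example, not from the original thread or from Cisco documentation.

Simulates the forwarding decision of dual host #1 to show why its replies to
other VLANs leave via the 192.168.2.1 gateway, and how each of the two fixes
in the answer above changes the next hop.

Constructed assumptions: the VLAN 3 client is 172.17.3.20, and the host acts
on a single default route, the one via 192.168.2.1 on NIC1."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    gateway: Optional[str]  # None means the prefix is directly connected


def longest_prefix_match(table: List[Route], dst: str) -> Route:
    """Host forwarding decision: the most specific matching prefix wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(table: List[Route], dst: str) -> Tuple[str, str, bool]:
    """Return (egress NIC, address the frame is sent to, directly_connected)."""
    r = longest_prefix_match(table, dst)
    if r.gateway is None:
        return r.iface, dst, True
    return r.iface, r.gateway, False


# Dual host #1 as described in the question: two connected /24s plus the
# effective default route out of NIC1 toward the foreign network's gateway.
HOST1: List[Route] = [
    Route(IPv4Network("192.168.2.0/24"), "NIC1", None),
    Route(IPv4Network("172.17.2.0/24"), "NIC2", None),
    Route(IPv4Network("0.0.0.0/0"), "NIC1", "192.168.2.1"),
]


def with_host_routes(table: List[Route]) -> List[Route]:
    """Option 1: static routes on the host for the VLAN subnets via the VLAN 2
    SVI. One /16 summary covers VLAN 3 and VLAN 10 (assumes all of
    172.17.0.0/16 is on your side of the network)."""
    return table + [Route(IPv4Network("172.17.0.0/16"), "NIC2", "172.17.2.254")]


# Option 2: NAT overload on the switch. Inside sources listed in the NAT ACL
# are rewritten to the VLAN 2 SVI address, but only for traffic to the two hosts.
NAT_INSIDE_SOURCES = [IPv4Network("172.17.3.0/24"), IPv4Network("172.17.10.0/24")]
NAT_TARGET_HOSTS = {"172.17.2.5", "172.17.2.6"}


def nat_overload(src: str, dst: str, inside_global: str = "172.17.2.254") -> str:
    """Source address the destination host sees after the switch's NAT."""
    a = ipaddress.IPv4Address(src)
    if dst in NAT_TARGET_HOSTS and any(a in n for n in NAT_INSIDE_SOURCES):
        return inside_global
    return src


def reply_next_hop(table: List[Route], client_src: str,
                   host: str = "172.17.2.5", nat: bool = False) -> Tuple[str, str, bool]:
    """Where the host sends its reply to a request that arrived on NIC2."""
    seen_src = nat_overload(client_src, host) if nat else client_src
    return next_hop(table, seen_src)


if __name__ == "__main__":
    print("unmodified host  :", reply_next_hop(HOST1, "172.17.3.20"))
    print("option 1 (routes):", reply_next_hop(with_host_routes(HOST1), "172.17.3.20"))
    print("option 2 (NAT)   :", reply_next_hop(HOST1, "172.17.3.20", nat=True))
```

Unmodified, the reply to 172.17.3.20 matches only the default route and leaves NIC1 toward 192.168.2.1, which has no path back into 172.17.0.0/16, so the connection never completes. With option 1 the /16 route sends it out NIC2 via 172.17.2.254. With option 2 the host never needs a route at all, because the apparent client 172.17.2.254 is on its connected subnet. The trade-off a security engineer should weigh: under NAT overload the two hosts log every VLAN 3 and VLAN 10 client as 172.17.2.254, so host-side logs and any host-based access control lose the real source address; option 1 preserves it.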

jim.billings Thu, 03/12/2009 - 17:53

I will give it a try. Can I add these to the existing ACLs?


Here is what I have on the Main switch:


snip
========================================
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description SERVERS
 ip address 172.17.2.254 255.255.255.0
!
interface Vlan3
 description WG3
 ip address 172.17.3.254 255.255.255.0
 ip access-group 110 in
 ip helper-address 172.17.2.1
=======================================
snip
=======================================
interface Vlan10
 description MANAGEMENT
 ip address 172.17.10.254 255.255.255.0
!
=======================================
snip
=======================================
interface Vlan100
 description INTERNET
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.100.1
ip http server
!
access-list 110 permit udp any eq bootpc any
access-list 110 permit ip 172.17.3.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 110 permit ip 172.17.3.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 110 permit ip 172.17.3.0 0.0.0.255 172.17.100.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.4.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.5.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.6.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.7.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.8.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.12.0 0.0.0.255
access-list 110 permit ip 172.17.3.0 0.0.0.255 any
access-list 111 permit udp any eq bootpc any
access-list 111 permit ip 172.17.4.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 111 permit ip 172.17.4.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 111 permit ip 172.17.4.0 0.0.0.255 172.17.100.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.3.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.5.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.6.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.7.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.8.0 0.0.0.255
access-list 111 deny ip 172.17.4.0 0.0.0.255 172.17.12.0 0.0.0.255
access-list 111 permit ip 172.17.4.0 0.0.0.255 any
=======================================
snip
=======================================


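As an added example that is not part of Jim's post and not a Cisco tool: a small Python evaluator for IOS numbered extended ACLs, run over ACL 110 exactly as posted above. It shows the first-match rule, the implicit deny at the end of every ACL, wildcard-mask matching, and the practical consequence of the trailing `permit ip 172.17.3.0 0.0.0.255 any`: any subnet not explicitly denied (a VLAN added later, or the foreign 192.168.0.0/16) is reachable from the workstations by default. The sample flows (a workstation at 172.17.3.20 and hosts in other subnets) are constructed.

```python
"""Added example, not from the original thread or from Cisco tooling.

A minimal evaluator for IOS numbered extended ACLs (first match wins, implicit
deny at the end, wildcard masks), run over ACL 110 exactly as posted above.
The sample flows use a constructed workstation 172.17.3.20 and constructed
hosts in other subnets."""
import ipaddress
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}
ANY = (0, 0xFFFFFFFF)  # base 0.0.0.0 with wildcard 255.255.255.255


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if t[0] == "any":
        return ANY, t[1:]
    if t[0] == "host":
        return (_ip(t[1]), 0), t[2:]
    return (_ip(t[0]), _ip(t[1])), t[2:]


def _parse_port(t: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <port-or-name>' operator (the only one used here)."""
    if t and t[0] == "eq":
        port = PORT_NAMES[t[1]] if t[1] in PORT_NAMES else int(t[1])
        return port, t[2:]
    return None, t


def parse_ace(line: str) -> Dict:
    """Parse 'access-list N <permit|deny> <proto> <src> [eq p] <dst> [eq p]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def wildcard_match(addr: str, spec: Tuple[int, int]) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    base, wild = spec
    return ((_ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl: List[Dict], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line that matched); ('deny', None) is the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, ace["src"]) and wildcard_match(dst, ace["dst"])):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None


# ACL 110 as applied inbound on interface Vlan3 in the post above.
ACL_110_TEXT = """\
access-list 110 permit udp any eq bootpc any
access-list 110 permit ip 172.17.3.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 110 permit ip 172.17.3.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 110 permit ip 172.17.3.0 0.0.0.255 172.17.100.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.4.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.5.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.6.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.7.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.8.0 0.0.0.255
access-list 110 deny ip 172.17.3.0 0.0.0.255 172.17.12.0 0.0.0.255
access-list 110 permit ip 172.17.3.0 0.0.0.255 any
"""
ACL_110 = [parse_ace(l) for l in ACL_110_TEXT.splitlines() if l.strip()]


def permitted_third_octets(acl: List[Dict], src: str = "172.17.3.20") -> List[int]:
    """Which 172.17.X.0/24 subnets a VLAN 3 host may open SSH to under this ACL."""
    return [x for x in range(256)
            if evaluate(acl, "tcp", src, 51000, f"172.17.{x}.10", 22)[0] == "permit"]


if __name__ == "__main__":
    for flow in [("tcp", "172.17.3.20", 51000, "172.17.2.5", 445),
                 ("tcp", "172.17.3.20", 51000, "172.17.4.10", 445),
                 ("tcp", "172.17.3.20", 51000, "172.17.9.10", 22),
                 ("udp", "0.0.0.0", 68, "255.255.255.255", 67)]:
        print(flow, "->", evaluate(ACL_110, *flow))
    blocked = sorted(set(range(256)) - set(permitted_third_octets(ACL_110)))
    print("third octets blocked from VLAN 3:", blocked)
```

Only six of the 256 possible 172.17.X.0/24 subnets are blocked; everything else, including subnets that do not exist yet, is allowed by line 11. A deny-by-default version would drop line 11 and rely on the implicit deny, adding explicit permits (Internet via 172.17.100.0/24 is already there) as needed. The first line also permits any UDP packet whose source port is 68 regardless of destination, which is broader than DHCP relay strictly needs.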
jim.billings Thu, 03/12/2009 - 18:54

int vlan 3

ip nat inside


This command is not available on our 3560G switch.


Jon Marshall Fri, 03/13/2009 - 10:38
Jim


Apologies. For some reason I assumed we were talking about a 6500 switch, my fault.


Unfortunately the only switch that supports NAT is the 6500 so you will have to go with option 1.


Jon

jim.billings Fri, 03/13/2009 - 11:56

We are working to get them to add the routes to the server on the other network. Thanks, again.


Jim

armingeorgeo Mon, 03/16/2009 - 11:06

I have a Cisco router and a non-Cisco router in the LAN. The problem is that I need to share the Internet connection (backup).

thanks
