Cisco 3350 Switch - 30 VLANs with Public IPs?

Unanswered Question
Nov 29th, 2009

Hi ,

I have to configure a Cisco 3550 L3 switch that will allow 30 offices, all within the same big building, to share internet. Each office will have around 5-10 PCs/servers. Servers (email/web) need to be accessible from the internet. PCs from one office should not be able to talk to the PCs in other offices. Each office will have their own router/switch (for NATing) which will be connected to the Cisco 3550 via Ethernet cable.

10MB Internet will be terminated on the Cisco 3350's FastEthernet interface and from there it will be distributed to each office. I have more than 30 public IP addresses available to support this design.

I was thinking to create 30 VLANs (one for each office) and assign a public IP to each VLAN interface, but from that point onward I can't think how to configure the network.

Please see the attached diagram to understand what I am trying to achieve.

All I need is to provide an Ethernet socket to each office with an internet connection (one public IP is needed for each office), where each office will plug in their own router/switch for internet connectivity and LAN.

Can you think of the easiest way to configure this network?

Many thanks for your advice.

Regards,

s.nasheet Sun, 11/29/2009 - 11:42

Hi ,

Please see the attached diagram (not very well laid out).

Regards

s.nasheet Sun, 11/29/2009 - 11:48

Jon ,

Sorry, can't attach the PowerPoint diagram for some strange reason. Can I email it?

Regards

Jon Marshall Sun, 11/29/2009 - 13:04

Update - I'm being a bit thick at the moment and got confused between PIX/ASA NAT and router NAT. The public IP does need to be allocated to an interface.

Give me a moment and I'll sort it out.

Jon

Jon Marshall Sun, 11/29/2009 - 13:28

Okay, you do need to allocate the public IP to an interface; sorry, on the firewalls you don't have to and I got a bit mixed up!

Assuming that the customer routers are Cisco and using the previous example, this is what customer 1's router would look like. We will assume they want to NAT all internal clients to the public IP for internet access and also to present a mail server with this address. Mail server address is 192.168.1.10. So -

customer router
===========
int loopback 10
 ip address 195.17.17.1 255.255.255.255
int fa0/0        <--- this is customer internal LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside   <--- marks the LAN side as NAT inside; without it the nat statement below never applies
int fa0/1   <--- this connects to 3550 switch as per previous thread
 ip address 192.168.5.2 255.255.255.252
 ip nat outside  <--- marks the 3550-facing side as NAT outside
ip nat inside source list 101 interface loopback 10 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any   <--- extended ACL (100-199) needs the protocol keyword

the above 2 lines take care of NATing/PATing all internal clients to 195.17.17.1.

ip nat inside source static tcp 192.168.1.10 25 195.17.17.1 25

the above line takes care of the mail server

ip route 0.0.0.0 0.0.0.0 192.168.5.2  <--- this is the default route so all traffic goes to the 3550

Jon

Reza Sharifi Sun, 11/29/2009 - 14:51

Jon,

ip route 0.0.0.0 0.0.0.0 192.168.5.2  <--- this is default route so all traffic goes to 3550

I think there is a small typo here.

It should be 192.168.5.1 (the interface of the 3550).

Thanks,

Reza

Jon Marshall Sun, 11/29/2009 - 16:06

sharifimr wrote:

Jon,

ip route 0.0.0.0 0.0.0.0 192.168.5.2  <--- this is default route so all traffic goes to 3550

I think there is a small typo here.

It should be 192.168.5.1 (the interface of the 3550).

Thanks,

Reza

Reza

Yep, thanks for the correction

Jon

Jon Marshall Sun, 11/29/2009 - 12:29

s.nasheet wrote:

Hi ,

I have to configure a Cisco 3550 L3 switch that will allow 30 offices, all within the same big building, to share internet. Each office will have around 5-10 PCs/servers. Servers (email/web) need to be accessible from the internet. PCs from one office should not be able to talk to the PCs in other offices. Each office will have their own router/switch (for NATing) which will be connected to the Cisco 3550 via Ethernet cable.

10MB Internet will be terminated on the Cisco 3350's FastEthernet interface and from there it will be distributed to each office. I have more than 30 public IP addresses available to support this design.

I was thinking to create 30 VLANs (one for each office) and assign a public IP to each VLAN interface, but from that point onward I can't think how to configure the network.

Please see the attached diagram to understand what I am trying to achieve.

All I need is to provide an Ethernet socket to each office with an internet connection (one public IP is needed for each office), where each office will plug in their own router/switch for internet connectivity and LAN.

Can you think of the easiest way to configure this network?

Many thanks for your advice.

Regards,

The 3550 will not do NAT. If you allocate the public IP for each customer on your 3550, then how will you NAT the customer addresses?

The customer will need the public IP to NAT their internal addressing and their web/e-mail servers. So you will need to create private addressed connections from the 3550 to each customer. Personally I would make each port on the 3550 connecting to a customer a routed port. So as an example let's do customer 1.

Allocate one of your public IPs to customer 1, e.g. 195.17.17.1

on the 3550
========
ip routing   <-- required globally on the 3550 before it will route between its routed ports
int gi0/1
 no switchport
 ip address 192.168.5.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 <-- this is for the 3550 to route to the Internet.
ip route 195.17.17.1 255.255.255.255 192.168.5.2  <-- this is for the 3550 to be able to route return traffic to the correct customer

on the customer router
================
interface that connects to 3550
int fa0/1
 ip address 192.168.5.2 255.255.255.252

They will then need to use their public IP to NAT internal hosts and for their servers. Note the public IP does not need to be allocated to any interface on the customer router, and actually with this setup they can't allocate it to any interface.

Note also that you will need to agree an addressing scheme for all customers so that the network you use to connect their router to the switch does not overlap with their addressing or any of the other customers' networks.

Then you can apply standard ACLs to the routed ports on the 3550 to make sure each customer can only go to the Internet.

If you had enough public addressing to have 2 IPs per customer then you don't really need the above private addressed link between the 3550 and the customer router, but it sounds like you don't.

You are also totally reliant on the customer being able to do NAT because you can't.

Jon

s.nasheet Sun, 11/29/2009 - 14:45

Jon ,

The first solution looks a bit complicated to me as I might need to create 30 static routes for each customer to return traffic to the appropriate customer, plus I need to ask every customer to change their LAN addressing, which seems a bit hard at this stage.

Solution two, regarding the 2 IPs per customer: at the minute I don't have 2 IPs per customer, but I can ask the ISP to provide more IPs, so 2 IPs for each customer, and it should not be a problem to have more public IPs.

Let's say I managed to get 2 IPs per customer; then how will I need to design the network?

Regards.

Jon Marshall Sun, 11/29/2009 - 16:05

s.nasheet wrote:

Jon ,

The first solution looks a bit complicated to me as I might need to create 30 static routes for each customer to return traffic to the appropriate customer, plus I need to ask every customer to change their LAN addressing, which seems a bit hard at this stage.

Solution two, regarding the 2 IPs per customer: at the minute I don't have 2 IPs per customer, but I can ask the ISP to provide more IPs, so 2 IPs for each customer, and it should not be a problem to have more public IPs.

Let's say I managed to get 2 IPs per customer; then how will I need to design the network?

Regards.

You do need the static routes, but only one per customer, not 30 for each customer. You don't need to ask customers to change IP addressing. You just need to make sure that the addressing you use for the P2P link between the customer router and the 3550 does not overlap with any of their private addressing.

If you had 2 IPs per customer then, as I said, it will be a lot simpler; I just assumed you didn't have them. If you do, you simply use the public IPs, 2 per customer, on the point-to-point link between the customer router and the 3550, and then you don't need the loopback on the customer router and you do not need the static routes on the 3550.

You can either still use routed ports on the 3550 or you could use vlan interfaces if you wanted to.

Jon

s.nasheet Mon, 11/30/2009 - 02:45

Jon ,

Thanks for all your help. I am almost sorted.

I will go for the 2 IPs per customer using a P2P link between the 3350 routed port and the customer router. I might need to perform subnetting on the public IP block to configure the 3350 interfaces, as otherwise I will get an ''overlapping IP address'' error (I think......).

Can I still use 2 IPs per customer without subnetting?

Regards

Jon Marshall Mon, 11/30/2009 - 03:01

s.nasheet wrote:

Jon ,

Thanks for all your help. I am almost sorted.

I will go for the 2 IPs per customer using a P2P link between the 3350 routed port and the customer router. I might need to perform subnetting on the public IP block to configure the 3350 interfaces, as otherwise I will get an ''overlapping IP address'' error (I think......).

Can I still use 2 IPs per customer without subnetting?

Regards

You will have to subnet because you will need separate subnets per customer on the 3550. It would be fine at the customer end but not on the 3550. As you say, you would get overlapping IP address errors on the switch.

Jon
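To make the 2-IPs-per-customer design concrete (the /30 point-to-point links and the per-customer subnetting Jon describes, plus the per-port ACLs for keeping customers apart from his earlier reply), here is an added Python example that is not part of the thread: it carves a 128-address block into /30 links, checks them for overlap against the customers' LAN ranges, and emits the 3550 routed-port and isolation ACL stanzas. The 195.17.17.0/25 block, the 192.168.x.0/24 LANs, the port name and the CUSTn-IN ACL names are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed inputs (not from the thread): a /25 is the 128 public addresses
# mentioned; 195.17.17.0/25 is a placeholder block, not a real allocation.
PUBLIC_BLOCK = ipaddress.ip_network("195.17.17.0/25")
CUSTOMER_LANS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(1, 31)]


def carve_p2p_links(block, customers):
    """Split the block into /30 point-to-point links, one per customer.
    Each /30 has two usable hosts: first for the 3550 routed port, second for
    the customer router, so every link is its own subnet on the switch."""
    subnets = list(block.subnets(new_prefix=30))
    if len(subnets) < customers:
        raise ValueError(f"{block} yields only {len(subnets)} /30s, need {customers}")
    links = []
    for idx, net in enumerate(subnets[:customers], start=1):
        switch_ip, router_ip = net.hosts()  # exactly two usable addresses in a /30
        links.append({"customer": idx, "net": net, "switch": switch_ip, "router": router_ip})
    return links


def find_overlaps(links, customer_lans):
    """Link addressing must not overlap any customer's internal LAN."""
    return [(l["customer"], str(lan)) for l in links for lan in customer_lans
            if l["net"].overlaps(lan)]


def switch_port_config(link, port):
    """Routed-port stanza for one customer on the 3550 (the switch does no NAT)."""
    return "\n".join([
        f"interface {port}",
        " no switchport",
        f" ip address {link['switch']} {link['net'].netmask}",
        f" ip access-group CUST{link['customer']}-IN in",  # hypothetical ACL name
    ])


def isolation_acl(link, links):
    """Inbound ACL for the routed port: drop traffic aimed at any other
    customer's link subnet, let this customer's public IP out to the Internet,
    drop everything else. Denies must precede the permit."""
    lines = [f"ip access-list extended CUST{link['customer']}-IN"]
    for other in links:
        if other["customer"] != link["customer"]:
            lines.append(f" deny ip any {other['net'].network_address} {other['net'].hostmask}")
    lines.append(f" permit ip host {link['router']} any")
    lines.append(" deny ip any any")
    return "\n".join(lines)
```

A /25 yields 32 /30s, so 30 customers fit with two links spare; asking for 33 raises the ValueError rather than silently reusing a subnet.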

s.nasheet Mon, 11/30/2009 - 03:23

Jon ,

Thanks, all good. I will create a config and possibly send it to you for review, if you don't mind?

You are the top man.

Regards.

Jon Marshall Mon, 11/30/2009 - 03:31

s.nasheet wrote:

Jon ,

Thanks, all good. I will create a config and possibly send it to you for review, if you don't mind?

You are the top man.

Regards.

No problem, let me know how you get on.

Jon

s.nasheet Tue, 06/01/2010 - 16:05

Jon,

It's been a long time. Installation didn't go ahead due to some delay by the customer, but now they want to get this done.

I have managed to get 128 public IP addresses. As you mentioned before, if I had 2 IPs per customer it will be a lot easier. Can you advise how I can assign 2 IPs per customer?

Now NATing will be done by a Cisco PIX.

Here is what the network looks like.

Internet <----- ISP Router <------ PIX Firewall <-------- Cisco 3350 (one VLAN per customer on the switch).

Each office/VLAN should have its own IP address to go on the internet.

I will create a DHCP pool for each VLAN (so 30 pools on a switch).

How can we achieve internet connectivity allowing each office/VLAN to have its own public IP address?

Do I need to subnet my 128-address block and somehow assign 2 IPs per customer?

Please advise as I have been struggling to get this working for ages.

Regards

Salman

s.nasheet Tue, 06/01/2010 - 16:51

Hi,

Just another thought.

example

Vlan 2 - IP range = 172.16.2.0/24

interface Vlan2
 ip address 172.16.2.1 255.255.255.0
 ip address 81.50.110.44 255.255.255.255 secondary

And then configure the VLAN 2 PCs' gateway as 81.50.110.44.

As the VLAN interface now has two IPs, the primary IP will be used to communicate with VLAN hosts while the secondary IP will be used to go on the internet. In this case NATing will not be required as the firewall will also be a member of the same subnet as 81.50.110.44.

Will this work? I can't test it in a lab.

Any thoughts.

Regards

Salman
