Bridge or VLAN

accurisit
Level 1

Hi All,

I'm very new to the Cisco environment and am attempting to configure a CISCO 1941 Router (IOS 15) to connect to a newly delivered ISP connection. I was expecting them to configure their device with Private IP addressing between them and me but they've used the first IP address of my range.

I will substitute my Public IP subnet with 10.1.1.0/26 for the purpose of this question.

************************************************************************************************************************************************

ISP Router (10.1.1.1)

Interface Gig 0/0

Cisco 1941

Interface Gig 0/1

Firewall (10.1.1.?)

************************************************************************************************************************************************

Can the Cisco 1941 be configured with a single IP address over the 2 ports (10.1.1.2) and therefore the Firewall will be 10.1.1.3?

I'm presuming either Bridging or VLAN.

RTFM springs to mind but I'm seriously stuck for time.

Any assistance would be greatly received.

Regards

Simon...


Peter Paluch
Cisco Employee

Simon,

What your ISP did is fairly common: they provided you with a public IP space that is bound to their device. All your equipment connected directly or via a switch to their firewall can directly use the public addressing. If you need more devices, you are expected to perform NAT while you choose any private IP address on the inside part, and you translate it to one or more public addresses on the outside part.

The question is now - what are your requirements on the final configuration? As of now, you can either connect your devices directly to the firewall without even needing a router, or you can create an internal network and make the 1941 router perform routing and NAT.

It is possible to configure the 1941 to perform bridging functions, i.e. interconnect its Gi0/0 and Gi0/1 interfaces, but the question is what would that be good for. In such a configuration, you do not need that router at all.

So think of this and let us know what is the intended final state of your network.

Best regards,

Peter

Thanks Peter,

Not all Public IP address allocations lie behind the firewall. There are other services that are not allowed through a firewall of any description, otherwise it compromises support for those services. Our mail servers are on a private subnet (additional 4-port card installed) with the router performing NAT. The firewall is also our Peer Gateway for VPNs, therefore it takes care of any NATing required from the internal Private Subnets.

So I presume interconnecting Gi0/0 and Gi0/1 is what I need help with please.

Regards

Simon...

Simon,

A quick-and-dirty picture of your network and the placement of individual devices would greatly help. I currently cannot understand why you need that router at all. If you want it to provide a bridge between Gi0/0 and Gi0/1 then you are essentially reducing that router to a switch. I do not see what other purpose that serves... perhaps an exhibit would help me gain more insight into your network.

Notice that Reza (hi again, Reza!) suggested a similar thing as I did, although I have the feeling that you are looking for something different.

Best regards,

Peter

Please see attached Picture - any other questions please fire away.

Regards

Simon...

Simon,

Okay, I got it. The exhibit helped very much.


Indeed, the bridging between Gi0/0 and Gi0/1 would be one of the best solutions for you. I was also thinking of making some crazy use of the Proxy ARP but the bridge would be probably the easiest way to go for now.

Try to configure it as follows:

bridge irb
interface Gi0/0
 bridge-group 1
interface Gi0/1
 bridge-group 1
bridge 1 route ip
interface BVI1
 ip address 10.1.1.2 255.255.255.240

... and all necessary IP commands

This should do the trick - hopefully. I haven't configured the bridge feature for quite some time. All interfaces marked with the same bridge-group 1 are bridged together, i.e. they start constituting a common Layer 2 domain. The router itself can also be connected to this domain and provide routing functions for all member stations. The virtual interface that connects the router to this bridged domain is the BVI1 interface.

The Gi0/0 and Gi0/1 interfaces should be configured only with the bridge-group 1 command and activated using the no shutdown. No other configuration is necessary on them.

Best regards,

Peter

Thanks Peter,

You pointed me in the right direction. I've loads of other NATing etc to do but I should be able to muddle through.

Regards

Simon...

Hello Simon,

You are heartily welcome. If you are already familiar with the NAT then configuring it should not be a problem. The BVI1 can be configured for NAT just like any other interface. Treat it as the router's interface into the bridged network and all should be fine.

And of course, if something does not work as expected, let us know again.

Best regards,

Peter
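
The bridging and NAT setup discussed in this thread, written out as one configuration. This is an added example, not a configuration posted by any participant: the /26 mask follows the 10.1.1.0/26 stand-in from the question (the reply above used 255.255.255.240), and Vlan10, 192.168.10.0/24 and ACL 10 are hypothetical names for the private mail-server subnet.

```cisco
! Added example: IRB bridge between the ISP and firewall ports, with NAT on BVI1.
! Addresses use the thread's 10.1.1.0/26 stand-in; use the mask the ISP assigned.
bridge irb
! Spanning-tree protocol for bridge group 1 (not in the thread's snippet)
bridge 1 protocol ieee
! Let the router route IP for the bridge group through BVI1
bridge 1 route ip
!
interface GigabitEthernet0/0
 description To ISP router (10.1.1.1)
 no ip address
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 description To firewall (10.1.1.3)
 no ip address
 bridge-group 1
 no shutdown
!
interface BVI1
 description Router address on the bridged public segment
 ip address 10.1.1.2 255.255.255.192
 ip nat outside
 no shutdown
!
! Hypothetical inside interface for the private mail-server subnet
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Default route points at the ISP router
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! Hypothetical ACL 10: inside hosts are translated to the BVI1 address
access-list 10 permit 192.168.10.0 0.0.0.255
ip nat inside source list 10 interface BVI1 overload
```

After applying it, `show interfaces irb` and `show ip nat translations` confirm that both ports are in bridge group 1 and that inside hosts are being translated.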

Hi Simon,


You can configure two IP addresses on a single port in a situation where you have to configure data and voice VLANs on the single port, and this would be done with the help of VLAN configuration.


To elaborate, you can configure a single port into two VLANs with the help of VLAN configuration.

As per my understanding, your ISP link and the internal network link coming from the firewall are connected to two different ports of one router with IP addresses in the same series.


(Internet ISP - Router: g0/0: 10.1.1.1)-->Router (g0/0:10.1.1.2)<---->Router (g 0/1:10.1.1.3)-->Firewall (PIX):10.1.1.4====>NAT it in any series with your internal Network


For your convenience, you can change the IP configuration with the help of the service provider; don't try to change anything on the interface, as there would be a route configured from the ISP to this router on this specific IP interface.

Kindly feel free to write if you need any clarification.

Regards

Vinod Agrahari

Reza Sharifi
Hall of Fame

Hi Simon,

By default, Cisco 1941 comes with 10/100/1000 onboard routed ports.  You can use one of the ports to connect to your ISP with public IP and use the other port to connect to your firewall with private IP.  So, in this case you would need two /30 subnets one for connectivity to your ISP (public) and one for connection to your firewall (private).  You would also need to run NAT on your 1941 router.

HTH

Reza
