3825 Setup DHCP and Nat

Unanswered Question
Oct 24th, 2013

Looking for help on how to set up a 3825 router connecting to an ISP via Metro Ethernet. The public IP pool given to me by the ISP is a /26. I would like to have my network equipment (10 3550-48 switches) on public IPs and then my end users (workstations plugged into the 3550 switches) on a NATted .10 network directed to my ISP for internet access.

paolo bevilacqua Thu, 10/24/2013 - 21:18
Wrong forum, post in "WAN and routing". You can move your posting with the Actions panel on the right.
jtothemak Fri, 10/25/2013 - 05:24

Thanks, I moved it.  Now just need some help on a solution.

jtothemak Fri, 10/25/2013 - 10:24

Here is the config I have so far. I will be doing a VLAN per building, with each building on its own IP block via DHCP. Can someone please let me know if I am making any errors? Also, for the VLAN sub-interfaces, do I need ip nat inside? I decided to use static NAT for remote access to my 3550 switches.


hostname HueRouter
!
ip subnet-zero
!
ip dhcp excluded-address 10.0.0.1 10.0.0.50
!
ip dhcp pool hue
 network 10.0.0.0 255.0.0.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.0.0.1
!
interface FastEthernet0
 ip address 10.0.0.1 255.0.0.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
!
interface FastEthernet0/0.10
 description Building 1
 encapsulation dot1Q 10
 ip address 10.10.1.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.20
 description Building 2
 encapsulation dot1Q 20
 ip address 10.10.2.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.30
 description Building 3
 encapsulation dot1Q 30
 ip address 10.10.3.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.40
 description Building 4
 encapsulation dot1Q 40
 ip address 10.10.4.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.50
 description Building 5
 encapsulation dot1Q 50
 ip address 10.10.5.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.60
 description Building 6
 encapsulation dot1Q 60
 ip address 10.10.6.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.70
 description Building 7
 encapsulation dot1Q 70
 ip address 10.10.7.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.80
 description Building 8
 encapsulation dot1Q 80
 ip address 10.10.8.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.90
 description Building 9
 encapsulation dot1Q 90
 ip address 10.10.9.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet0/0.100
 description Building 10
 encapsulation dot1Q 100
 ip address 10.10.10.0 255.255.255.0
 no snmp trap link-status
!
interface FastEthernet1
 ip address 1.1.1.1 255.255.255.128
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source static 10.0.0.2 1.1.1.3
ip nat inside source static 10.0.0.3 1.1.1.4
ip nat inside source static 10.0.0.4 1.1.1.5
ip nat inside source static 10.0.0.5 1.1.1.6
ip nat inside source static 10.0.0.6 1.1.1.7
ip nat inside source static 10.0.0.7 1.1.1.8
ip nat inside source static 10.0.0.8 1.1.1.9
ip nat inside source static 10.0.0.9 1.1.1.10
ip nat inside source static 10.0.0.10 1.1.1.11
ip nat inside source static 10.0.0.11 1.1.1.12
ip nat inside source list 1 interface FastEthernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
enable secret password_here
service password-encryption
!
line vty 0 15
 password password_here

Kelvin Willacey Fri, 10/25/2013 - 11:20

You will need 'ip nat inside' on the internal interfaces.

jtothemak Fri, 10/25/2013 - 12:17

Thank you. I was thinking the sub-interfaces needed it but was unsure. Anything else that needs attention?

Kelvin Willacey Fri, 10/25/2013 - 12:52

Everything else looks fine, I have two comments though. If possible I would use the actual IP address for the ISP gateway in your default route rather than the interface. You can also think about using static PAT rather than opening up every port to those hosts.

Richard Burts Fri, 10/25/2013 - 12:59

Have you actually got this configuration on a router? I would think that a Cisco router would not accept this on a main interface ip address 10.0.0.1 255.0.0.0 and this on a subinterface ip address 10.10.1.0 255.255.255.0 because of the overlapping address assignments.


Also I am not sure that you could have these 10 subnets all using the same pool of the /8 address. I would wonder if you will not need 10 individual pools configured.


If you do have it configured and it does work then please post back to the forum confirming that it does work.


HTH


Rick

jtothemak Fri, 10/25/2013 - 13:21

It is not a running config yet. I will not have access to the gear till the day it is deployed, which is what is making me nervous, and cutting over a live system.


I ran a simulator, GNS3, and was able to give it 10.10.1.1 255.255.255.0 on the sub-interface with 10.0.0.1 255.0.0.0 and it let me. As soon as I did a no shut it gave me an overlap.


I will make a pool for VLAN 1 and a separate pool for each other VLAN.


Any other issues?  Do I have routing done correctly?

Richard Burts Fri, 10/25/2013 - 13:39

If it gave you an overlap when you did a no shut then I would be very nervous about trying to use this concept for a live cutover.


I had not looked closely at your routing. But now that I do I absolutely do agree with the previous suggestion that you should not use ip route 0.0.0.0 0.0.0.0 FastEthernet1. There are several reasons why this is not a good thing to do and that you should specify the IP of the next hop in the static default route.


HTH


Rick

Kelvin Willacey Fri, 10/25/2013 - 14:16

I missed the overlap and the DHCP scope. You would definitely need a scope for each subnet as Richard suggested. Do you need an IP address on the physical interface? Is this one of your subnets for the buildings? You said ten buildings and you already have ten vlans and sub interfaces.

jtothemak Fri, 10/25/2013 - 14:28

Here is the updated config adding a pool for each VLAN. Will my routing statement and access-list 1 work, or do I need to do one for each subnet?


hostname HueRouter
!
ip subnet-zero
ip cef
ip cef load-sharing algorithm original
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.10.50.1 10.10.50.100
ip dhcp excluded-address 10.10.1.1 10.10.1.20
ip dhcp excluded-address 10.10.2.1 10.10.2.20
ip dhcp excluded-address 10.10.3.1 10.10.3.20
ip dhcp excluded-address 10.10.4.1 10.10.4.20
ip dhcp excluded-address 10.10.5.1 10.10.5.20
ip dhcp excluded-address 10.10.6.1 10.10.6.20
ip dhcp excluded-address 10.10.7.1 10.10.7.20
ip dhcp excluded-address 10.10.8.1 10.10.8.20
ip dhcp excluded-address 10.10.9.1 10.10.9.20
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
ip dhcp pool lan1
 network 10.10.50.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.50.1
 lease 0 3
!
ip dhcp pool bld1
 network 10.10.1.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.1.1
 lease 0 3
!
ip dhcp pool bld2
 network 10.10.2.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.2.1
 lease 0 3
!
ip dhcp pool bld3
 network 10.10.3.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.3.1
 lease 0 3
!
ip dhcp pool bld4
 network 10.10.4.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.4.1
 lease 0 3
!
ip dhcp pool bld5
 network 10.10.5.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.5.1
 lease 0 3
!
ip dhcp pool bld6
 network 10.10.6.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.6.1
 lease 0 3
!
ip dhcp pool bld7
 network 10.10.7.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.7.1
 lease 0 3
!
ip dhcp pool bld8
 network 10.10.8.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.8.1
 lease 0 3
!
ip dhcp pool bld9
 network 10.10.9.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.9.1
 lease 0 3
!
ip dhcp pool bld10
 network 10.10.10.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.10.1
 lease 0 3
!
interface FastEthernet0/0
 ip address 10.10.50.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
!
interface FastEthernet0/0.10
 description Building 1
 encapsulation dot1Q 10
 ip address 10.10.1.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/0.20
 description Building 2
 encapsulation dot1Q 20
 ip address 10.10.2.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/0.30
 description Building 3
 encapsulation dot1Q 30
 ip address 10.10.3.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/0.40
 description Building 4
 encapsulation dot1Q 40
 ip address 10.10.4.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/0.50
 description Building 5
 encapsulation dot1Q 50
 ip address 10.10.5.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/0.60
 description Building 6
 encapsulation dot1Q 60
 ip address 10.10.6.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/0.70
 description Building 7
 encapsulation dot1Q 70
 ip address 10.10.7.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/0.80
 description Building 8
 encapsulation dot1Q 80
 ip address 10.10.8.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/0.90
 description Building 9
 encapsulation dot1Q 90
 ip address 10.10.9.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/0.100
 description Building 10
 encapsulation dot1Q 100
 ip address 10.10.10.1 255.255.255.0
 no snmp trap link-status
 ip nat inside
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.128
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source static 10.10.50.2 1.1.1.3
ip nat inside source static 10.10.50.3 1.1.1.4
ip nat inside source static 10.10.50.4 1.1.1.5
ip nat inside source static 10.10.50.5 1.1.1.6
ip nat inside source static 10.10.50.6 1.1.1.7
ip nat inside source static 10.10.50.7 1.1.1.8
ip nat inside source static 10.10.50.8 1.1.1.9
ip nat inside source static 10.10.50.9 1.1.1.10
ip nat inside source static 10.10.50.10 1.1.1.11
ip nat inside source static 10.10.50.11 1.1.1.12
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
enable secret password_here
service password-encryption
!
line vty 0 15
 password password_here
!
end

Kelvin Willacey Fri, 10/25/2013 - 19:24

Looks good, except why do you need this?


interface FastEthernet0/0
 ip address 10.10.50.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache


And remember to point the default route to the next hop IP if you can.

Richard Burts Fri, 10/25/2013 - 19:30

I like the individual DHCP scopes. I believe that your access list 1 and address translation will work ok. You still have a problem with your static default route specifying just the outbound interface. There are several negative aspects of doing it this way. You should change it to also specify the next hop IP address.

HTH

Rick

Sent from Cisco Technical Support iPhone App
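A small consistency check, added here as an example and not written by anyone in the thread, that flags the defects the replies call out before a cutover: overlapping subnets between a physical interface and its sub-interfaces, an interface given its network address, a private-side interface missing ip nat inside, and a default route that names only an exit interface. It scans a constructed miniature of the first posted config, not the full config above; the parser assumes IOS-style indentation under interface sections.

```python
import ipaddress
import re

# Constructed sample (not the poster's config) mirroring the thread's first attempt:
# a /8 on the physical interface overlapping a /24 sub-interface that sits on its
# network address and lacks 'ip nat inside', plus a default route via interface only.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.1.0 255.255.255.0
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.128
 ip nat outside
ip route 0.0.0.0 0.0.0.0 FastEthernet1
"""

def parse_interfaces(config):
    ifaces, cur = {}, None  # name -> {'ip': ip_interface or None, 'nat': side or None}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"ip": None, "nat": None}
        elif not raw.startswith(" "):
            cur = None  # an unindented line ends the interface section
        elif cur and line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            ifaces[cur]["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif cur and line.startswith("ip nat "):
            ifaces[cur]["nat"] = line.split()[2]
    return ifaces

def lint(config):
    ifaces, findings = parse_interfaces(config), []  # one finding per defect
    addressed = [(n, d["ip"]) for n, d in ifaces.items() if d["ip"]]
    for i, (n1, ip1) in enumerate(addressed):
        if ip1.network.prefixlen < 31 and ip1.ip == ip1.network.network_address:
            findings.append(f"{n1}: {ip1.ip} is the network address, not a host")
        if ip1.ip.is_private and ifaces[n1]["nat"] != "inside":
            findings.append(f"{n1}: private-side interface lacks 'ip nat inside'")
        for n2, ip2 in addressed[i + 1:]:
            if ip1.network.overlaps(ip2.network):
                findings.append(f"{n1} and {n2}: {ip1.network} overlaps {ip2.network}")
    for m in re.finditer(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\S+))?$", config, re.M):
        if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", m.group(2) or m.group(1)):
            findings.append("default route: names only an exit interface, no next-hop IP")
    return findings
```

Running lint on a saved running-config before the cutover gives the same four findings the thread arrived at by inspection, and an empty list once the addressing, NAT sides and next-hop route are corrected.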
