
New Member

VLAN ISA500

Is the following possible (to save the cost of 1 switch)?

[modem of ISP]
  |--> [ISA 500]
         |--> WAN port - vlan 1: dhcp
                       - vlan 2: mac passthrough (the device has to ask the ISP for an IP, which can only be done via the correct MAC address)

= 2 vlans on the WAN port

The goal is to have 2 VLANs on the WAN port of the ISA500, so that 1 LAN port can be used for the internal network and 1 LAN port can be used to connect the device of VLAN 2 so it can ask for an IP address.

Is this possible?

24 REPLIES

VLAN ISA500

I don't believe you can accomplish what you are wanting based on the way you want to accomplish it.  However I do believe you can accomplish your desired result with a different approach.  This is based on the assumption that the CPE device provided by the ISP has at least 2 switch ports or can be plugged into a switch between the ISA and CPE.

  1. Configure your ISA for Dual WAN and plug both WAN 1 and WAN 2 into the CPE or switch
  2. Configure WAN 1 for DHCP
  3. Configure WAN 2 for DHCP
    • Change the MAC Address Source to "Use the Following MAC Address" and input the MAC Address that must be sent to the ISP to get the IP for VLAN 2
  4. Change Dual WAN Settings to use Routing Table
  5. Set Policy Based Routing (PBR) to On
  6. Configure PBR for the desired results (LAN to WAN 1 and VLAN 2 to WAN 2)
  7. Configure any necessary NAT/PAT and Access Rules

I hope this fits your needs.  If you need any additional assistance, I'd be happy to help.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

VLAN ISA500

There are not 2 ethernet ports on the modem, so I guess I have to do the setup like this:

modem -> switch -> ISA -> switch for the internal network
                       -> device that has to receive an IP via mac passthrough

right?

VLAN ISA500

Basically correct.

ISP Modem -> Switch -> ISA -> Switch for the internal network

Then the device that needs the IP via MAC Passthrough would either be directly connected to the ISA on one of its available switch ports configured with the appropriate VLAN, or connected to the Internal Network switch, if it's VLAN capable, with a Trunk Port configured between the ISA and the VLAN capable switch and ports configured with the appropriate VLANs.

The device needing the MAC driven IP would actually get a private IP Address from the VLAN it is connected to and then you would configure NAT/PAT and Access Rules on the ISA to translate the VLAN Private IP to the WAN 2 Public IP and any associated access, if unsolicited inbound connectivity is required.

As I mentioned previously, I can get much more detailed if needed but I'd have to fully understand your desired end result.  I'm happy to assist if needed.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

VLAN ISA500

I had two "conditions":

a) avoid an extra switch

b) I want to see what the device from the ISP is doing (via the ISA)

The internal switch is the SG300-28

A more "decent" solution is to pass via the switch (imho) - so it would need to "transfer" the IP received on WAN2 to the switch and it must "give" it to the end device

Normally this is possible with the switch (if I got it correctly), but is it hard?

VLAN ISA500

Ok, how about this, as an example.

  1. On the SG300-28
    • Configure a VLAN (i.e. 99)
    • Place ports 1-3 in this VLAN
      • Connect the ISP Modem to Port 1
      • Connect the ISA WAN 1 to Port 2
      • Connect the ISA WAN 2 to Port 3
  2. On the ISA
    • Create a VLAN (i.e. VLAN ID 5 with whatever name you want to give it)
    • Configure one of the remaining Physical Ports as a Trunk Port and add VLAN 1 and 5
  3. Connect Port 4 of the SG300-28 to the ISA Trunk Port
  4. Configure Port 5 of the SG300-28 to contain VLAN 5 only
    • Attach your device needing the MAC Passthrough (MAC Device) to port 5
  5. Ensure remaining ports on SG300-28 are in VLAN 1
  6. In the ISA
    • Under Firewall -> NAT, create a Static NAT Entry for the WAN 2 IP to the MAC Device IP
    • If unsolicited outside access is required to the MAC Device
      • Under Firewall -> Access Rules, create an Access Rule with source Any and Destination MAC Device IP to allow the necessary services (i.e. HTTP/HTTPS, SMTP, etc.)

Is that a feasible solution for you?

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

VLAN ISA500

I will try it out next week and will keep you up to date, ok?

New Member

VLAN ISA500

I'm a bit confused. Is there a reason why I must connect the ISP modem to the SG instead of the ISA?

At this moment I have the following order:

ISP -> switch -> ISA -> SG

VLAN ISA500

Perhaps I'm missing something.  My understanding is that you have an ISP that is going to provide you with 2 IPs.  One will be obtained via DHCP and the other will be obtained via masking a MAC Address.  The ISP CPE only has 1 ethernet port.  As well, you have 1 SG300-28 switch and would prefer not to purchase another switch.  If any of this is incorrect, please advise.

Based on those assumptions, you can connect the ISP CPE directly to WAN1 however you will only be able to get an IP via DHCP or MAC masking, but not both.  Since there is no mechanism to do a MAC Passthrough and have another device get the IP provided by MAC, my suggestion was to put a switch between the ISP CPE and the ISA so that you could connect multiple interfaces from the ISA to the ISP CPE.  Since you didn't want to add another switch, I recommended creating a VLAN on the SG300-28 for 3 ports to connect the ISP CPE and the 2 ISA WAN ports, when the ISA is setup for dual WAN.  This would allow you to get an IP via DHCP on WAN1 and an IP via MAC masking on WAN2.  From there you would create the necessary VLANs, NAT/PAT rules, Access Rules, etc. to have all your LAN traffic utilize WAN1 and your MAC device utilize WAN2.

One additional option I'll throw out there is that if you would prefer to discuss this over the phone, please drop me a PM and I'll provide you with a number you can reach me on.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

VLAN ISA500

In the meanwhile I purchased a second switch (a dumb one).

I've configured the ISA with 2 WAN ports - 1 receives the IP address via DHCP - 1 receives the IP address via MAC - both are working correctly (thanks for that).

Next step is to 'forward' the traffic to the SG. I presume I must do the following:

- create 2 VLANs on the ISA (1 for normal traffic - 1 for the traffic and forwarding of the IP of the device via MAC)

- link one port on the ISA to VLAN1 and put the cable in another port on the SG

- link one port on the ISA to VLAN 2 and put the cable in another port on the SG

- create 2 VLANs on the SG (1 for normal traffic (including all ports on the SG except for the MAC device) - 1 for the traffic and forwarding of the IP of the device via MAC (1 port))

- put all the cables from the network in the switch

Am I going in the right direction?

VLAN ISA500

Very close.

Your first step (creating VLANs on the ISA) is spot on.

Next you would change one of the Physical Ports in the ISA to be a Trunk Port and apply both VLANs from your first step to that Physical Port.

Next you would attach the ISA Trunk port to 1 port on the SG.

Then you would configure one port on the SG for VLAN2 (MAC Device) and attach the MAC Device to that port.

Finally you would configure the remaining unused ports on the SG for VLAN1 for your normal traffic and attach the associated devices.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.


VLAN ISA500

After you get all of that done, you'll want to configure the ISA WAN Redundancy -> Dual WAN Settings for Routing Table and turn on Policy Based Routing.  Then go to Routing -> Policy Based Routing and Add 2 rules.  The first will be From VLAN1 to WAN1 and the second will be From VLAN2 to WAN2.  That configuration will ensure that all normal traffic goes out WAN1 and the MAC Device goes out WAN2.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

VLAN ISA500

Thank you very much!

I'll give it a try and keep you up-to-date.

New Member

Re: VLAN ISA500

I tried to set it up, but didn't succeed.

I did the following on the ISA:

- create WAN1 (dhcp) + create WAN2 (IP via MAC)

- create 1 VLAN: nr. 5 DIGIBOX and use the default VLAN nr 1 for the other stuff

- adjust GE2 and GE3 to be trunk ports to the SG and connect GE 2 to port 27 on the SG and connect GE 3 to port 28 on the SG

- add GE2 to VLAN1 and GE3 to VLAN5

- setup the routing (VLAN1/WAN1 and VLAN5/WAN2)

I did the following on the ISA:

- create 1 VLAN: nr. 5 DIGIBOX and use the default VLAN nr 1 for the other stuff

- tag port 28 to be part of VLAN5 and forbidden member for VLAN1

- do nothing for the other ports to be part of VLAN1

I have the following problems:

- the device that has to get the IP address via MAC doesn't receive it

- all devices connected to the SG are getting an IP address from the VLAN5 (the DHCP server)

Any help is appreciated

Schema:

MODEM -> SWITCH (2 cables are going to the ISA) -> ISA (2 cables are going to the SG) -> SG -> DEVICES

- Perhaps I should disable the DHCP server on the ISA and setup a static IP for the SG and enable a DHCP server on the SG?

Re: VLAN ISA500

Ok.  I'm a little confused so let me see if I can get my arms back around this.  To begin with, I'd recommend leaving DHCP Off on the SG and using the DHCP on the ISA.

  1. You mentioned "I did the following on the ISA" twice
    • Did you try the first one and then tried the second one and neither worked?
    • Did you do both on the ISA?
    • Is this just a typo and the other should have been "I did the following on the SG"?
      • If this is the correct one, you mentioned that you created a VLAN5 on the SG.  You shouldn't need to do that as it should detect it from the Trunk once you complete step 3 below and allow you to assign VLAN5 to a switch port.  If it doesn't, try changing port 27 on the SG to a Trunk Port as well, after completing step 3 below.  Either way, before proceeding, please delete the VLAN 5  you created on the SG.
  2. After configuring WAN 2 (IP via MAC), did WAN 2 get the correct IP Assigned to it?
  3. You mentioned adjusting GE2 and GE3 to be Trunk Ports, put VLAN1 in GE2 and VLAN5 in GE3 and connected both ports to the SG
    • You only need 1 Trunk Port and only one cable connecting that Trunk Port to the SG.  Please do the following.
      • Disconnect the cable between GE3 on the ISA and port 28 on the SG
      • Change GE3 in the ISA back to an Access Port and put it back in VLAN1
      • Add VLAN5 to GE2 so that GE2 is still a Trunk Port and contains both VLAN1 and VLAN5
  4. On the SG, you mentioned that you tagged port 28 to be VLAN5 and forbidden VLAN1.
    • If VLAN5 was deleted from the SG as I mentioned in step 1 above, please apply the auto-detected VLAN5 that should now exist in the SG to port 28.  Otherwise, please leave the current configuration as is.  Either way, please attach the DIGIBOX to port 28 on the SG.
  5. Ensure the DIGIBOX gets an IP from the VLAN5 IP Pool.
    • If you are going to need to allow unsolicited traffic from the internet to the DIGIBOX, please configure the DIGIBOX with static IP, Gateway, DNS info for the VLAN5 IP Pool.
      • You'll also need to configure a Static NAT entry in the ISA to use the WAN2 IP for the Private Static IP you assign to the DIGIBOX.
      • You'll also need to create Access Rules in the ISA for any services that need to be allowed unsolicited to the DIGIBOX.
    • If the DIGIBOX just needs internet access, only needs to use the IP on WAN2, and supports DHCP, I'd recommend leaving it as DHCP.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

Re: VLAN ISA500

1. Yes, the second "I did the following on the ISA" was supposed to be "I did the following on the SG".

I deleted VLAN5 from the SG. There is only 1 VLAN = default VLAN on the SG.

2. Yes, the port gets a 10.x address as it should.

3. Ok, I've added the default VLAN and DIGIBOX to GE2.

4. VLAN5 from the ISA isn't detected on the SG. I've rebooted the SG but that doesn't work.

I'm not quite sure how the IP address received via MAC address is being transferred to VLAN5 because I have no option to transfer the received IP to that VLAN.

5. I'm not quite sure how the SG knows that it should transfer the DHCP address for the MAC device to port 21 where the device is connected to.

New Member

Re: VLAN ISA500

Shawn, is it still possible to give me a little help here?

Sorry for asking so many questions.

Re: VLAN ISA500

Happy to help.  Thanks for following up.  Your message came to me on vacation and must have been deleted during the return from vacation email purge I go through.  Sorry about that. 

  1. So WAN2 is getting the IP you expect it to get (10.x), correct?
    • If so, I'm having a moment of pause on the 10.x as that isn't a Public IP.
  2. If I understand what you're saying, the Digibox is also getting the correct private IP from the VLAN 5 DHCP scope via the ISA, after making all the recommended changes, correct?
    • If so, can you ping the Digibox from the ISA?
    • What else is not yet working?

Regarding your questions 4 and 5...

  1. When looking at Port 21 on the SG, what VLAN does it say it's assigned to right now?
    • If it's VLAN 1 (Default), do you have the option to change it to VLAN 5 (DIGIBOX)?
      • If so, please change it to VLAN 5 (DIGIBOX)
      • If not, please change port 27 on the SG, where the ISA is connected, to be a Trunk Port.
    • If it's VLAN 5 (DIGIBOX), please look at another port on the SG and see if you have the option to also change it to VLAN5 (DIGIBOX), but don't actually change it.
      • If so, then the SG is actually picking up the Trunked VLANs from the ISA and that is why it's working.
      • If not, then the SG is picking up the Trunked VLANs.  Change Port 27, where the ISA connects, to be a Trunk Port.
  2. One thing to keep in consideration on this is that we're not actually "transferring" anything to VLAN5.  All we're doing is telling WAN 2 on the ISA to mask its MAC Address with the one that gets us the correct WAN IP.  Then, in the ISA, we've created a DHCP Pool for devices in VLAN5.  Next we're telling the ISA to advertise VLANs 1 and 5 down the port that the SG is connected to.  The SG then picks up those VLANs and allows you to assign them to ports on the SG.  You assign VLAN 5 (DIGIBOX) to Port 21 and attach your device.  Now you've created a "virtual path" between Port 21 on the SG and VLAN 5 (DIGIBOX) on the ISA which is how the device on Port 21 will get an IP from the VLAN 5 (DIGIBOX) DHCP Pool and communicate with the ISA to get internet from WAN 2 via Network/Port Address Translation (NAT/PAT).

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

Re: VLAN ISA500

No problem :-)

General:

1. Yes. That is correct. My ISP has this system for the satellite boxes. They get an internal IP address from the ISP (10.x) to be "interactive".

2. No, the digibox device is not getting the correct IP from the DHCP pool from VLAN 5. The SG doesn't detect any other VLAN than 1. The digibox device is getting an IP from VLAN1.

Questions 4 and 5:

1. It's assigned to VLAN1. I'm not able to select any other VLAN.  All the ports on the SG are 'Trunk ports'. Should I change something?

2. Now I understand it

To recapitulate the problems:

a) the SG does not detect any other VLAN than the default (VLAN1) one.

b) the digibox device doesn't get an IP from VLAN5 DHCP because of the problem described under a).

The current configuration:

[MODEM ISP]
     |
   [ISA]
     |-> WAN 1: DHCP
     |-> WAN 2: IP VIA MAC
     |-> created VLAN 1 and VLAN 5 and put them in a trunk port on GE2.
     |
    [SG]
     |-> put a cable from port GE2 to port 27.
     |-> all other ports are going via the patchpanel to the devices.

Re: VLAN ISA500

All the ports on the SG should be Access Ports, not Trunk Ports.  Please try that first and see if it gives you the VLAN5 on the SG as an option for port 21 after making those changes.  If it still doesn't, change port 27 on the SG to a Trunk Port and see if you can then change port 21 to VLAN5.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

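An added example, not from this thread, of what the SG300-28 side of the trunk/access-port layout Shawn describes above (and in his earlier step lists) looks like in the switch's IOS-style CLI: ISA GE2 trunked into port 27, the DIGIBOX on port 21 in VLAN 5, everything else in VLAN 1. It assumes the SG300 firmware 1.x CLI (ports named gi1..gi28) and that GVRP is off, which is the default, so VLAN 5 has to be created on the switch by hand rather than learned from the trunk.

```cisco
! Added example (not the thread's own config). Assumes SG300 1.x CLI, GVRP off.
configure terminal

! 1. Create the DIGIBOX VLAN on the switch. VLAN 1 is the built-in default and
!    cannot be deleted; that is expected and harmless.
vlan database
 vlan 5
exit

! 2. Uplink to the ISA trunk port (GE2): VLAN 1 untagged (native) and VLAN 5
!    tagged, matching the trunk created on the ISA with VLAN 1 and VLAN 5.
interface gi27
 description UPLINK-ISA-GE2
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 5
exit

! 3. DIGIBOX port: access port in VLAN 5 only. An access port never carries
!    VLAN 1, so the box can only reach the VLAN 5 DHCP pool on the ISA, and
!    the ISA's policy-based routing then sends it out WAN2.
interface gi21
 description DIGIBOX
 switchport mode access
 switchport access vlan 5
exit

! 4. All remaining ports stay access ports in VLAN 1 (internal network).
interface range gi1-20,gi22-26,gi28
 switchport mode access
 switchport access vlan 1
exit

! 5. Keep the SG a pure layer-2 device: no IP interface in VLAN 5 and no
!    inter-VLAN routing, so the only path between VLAN 1 and VLAN 5 is
!    through the ISA and its access rules.
exit
copy running-config startup-config

! Verify: gi27 should show VLAN 1 untagged and VLAN 5 tagged, gi21 VLAN 5 only.
show vlan
show interfaces switchport gi27
show interfaces switchport gi21
```

With this in place the symptom from earlier in the thread (every device, including the DIGIBOX, getting a VLAN 1 address) should disappear, because only port 21 is a member of VLAN 5 and it is not a member of VLAN 1.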
New Member

Re: VLAN ISA500

I've set all the ports to access ports on the SG. Afterwards I tried both solutions, but VLAN5 doesn't show on "Port to VLAN" or "Port VLAN Membership".

Are there perhaps some options I forgot to enable on the ISA or the SG in order to make this work?

New Member

VLAN ISA500

I also noticed that there is one default VLAN on the SG: 1. I'm not able to delete it. Should I add VLAN5 on the SG?

VLAN ISA500

Ok, I have a couple of minutes before I jump into my next meeting so I wanted to follow up with you on this.  To be candid, I'm becoming a little handicapped as I don't have a SG300 to test with.  That said, I believe you are correct that we're missing some settings in the SG300.  I can say, with 99% certainty, that you're not missing anything on the ISA.

Please take a look at these two links.  The first is a forum post related to VLAN Trunking.  It mostly references using the CLI, but may lead you in the right direction on the missing settings.  The second is related to Inter-VLAN Routing.  I don't believe you are needing Inter-VLAN Routing on the SG as I don't believe we're trying to communicate between the 2 VLANs without first passing through the ISA as a desired solution, but I'm including it just in case.  Please review these and let me know your thoughts.

https://supportforums.cisco.com/thread/2163491

http://blog.songwang.org/?p=10

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

VLAN ISA500

I tried but it doesn't work. Perhaps it's easier to connect the digital device to the ISA instead of the SG?

Could you give me a hand with that? Thank you

Re: VLAN ISA500

I didn't realize that was an option. That's a lot easier. Change all ports on the SG back to Access Ports on the Default VLAN. On the ISA, change the ports back to Access Ports on the default VLAN. Then change the port that you want to connect the Digi Device to VLAN 5, and attach it. That should be it.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.