screenshot of network map

The network is pretty simple. Router-on-a-stick for NAT/WAN access, Layer 3 switch for inter-VLAN routing.

Router:

ip nat inside source list nated-nets interface FastEthernet0/0 overload
ip access-list extended nated-nets
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any

interface FastEthernet0/0
 description [f0/0][ISP]
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface FastEthernet0/1.10
 description [f0/1.10][vlan10]
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in

interface FastEthernet0/1.11
 description [f0/1.11][vlan11]
 encapsulation dot1Q 11
 ip address 192.168.11.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in

interface FastEthernet0/1.12
 description [f0/1.12][vlan12]
 encapsulation dot1Q 12
 ip address 192.168.12.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in

Switch:

interface range gigabitEthernet 0/1-7
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport nonegotiate

interface range gigabitEthernet 0/8-14
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 switchport nonegotiate

interface range gigabitEthernet 0/15-21
 switchport mode access
 switchport access vlan 12
 spanning-tree portfast
 switchport nonegotiate

interface GigabitEthernet0/24
 description [g0/24][router]
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-12
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 carrier-delay msec 0
 spanning-tree portfast trunk

interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map vlan10

interface Vlan11
 ip address 192.168.11.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map vlan11

interface Vlan12
 ip address 192.168.12.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map vlan12

route-map vlan10 permit 10
 match ip address vlan-gateway
 set ip next-hop 192.168.10.254

route-map vlan11 permit 10
 match ip address vlan-gateway
 set ip next-hop 192.168.11.254

route-map vlan12 permit 10
 match ip address vlan-gateway
 set ip next-hop 192.168.12.254

ip access-list extended vlan-gateway
 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip any any

Switch routing table:

Switch# show ip route
 Gateway of last resort is not set
 C    192.168.10.0/24 is directly connected, Vlan10
 C    192.168.11.0/24 is directly connected, Vlan11
 C    192.168.12.0/24 is directly connected, Vlan12

Desired outcome:

Source IP: 192.168.10.25
Destination IP: 192.168.11.15
Route: 192.168.10.25 --> 192.168.10.1 --> 192.168.11.15

Source IP: 192.168.10.25
Destination IP: 8.8.8.8
Route: 192.168.10.25 --> 192.168.10.1 --> 192.168.10.254 --> ISP

Things I'm trying to avoid:

Source IP: 192.168.10.25
Destination IP: 192.168.11.15
Route: 192.168.10.25 --> 192.168.10.1 --> 192.168.10.254 --> 192.168.11.15

Source IP: 192.168.10.25
Destination IP: 8.8.8.8
Route: 192.168.10.25 --> 192.168.10.1 --> 192.168.11.254 --> ISP

Although this configuration DOES work as is, it feels sloppy.
I'm also seeing unexpected results when viewing the access-lists. I have 12 terminal windows open pinging IPs in other local subnets and 5 pinging external subnets, and I have a bunch of random YouTube, Vine, Facebook, and other packet-chatter-rich websites open. I thought the number would be higher.

Extended IP access list vlan-gateway
     10 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
     20 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255 (478 matches)
     30 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255 (3062 matches)
     40 permit ip any any (47 matches)

parsecpython
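As an added illustration (not part of the question or either answer), here is a small Python model of the switch-side PBR logic shown above: it evaluates the vlan-gateway ACL with Cisco wildcard masks and shows why a packet the ACL denies falls through to the connected routes, while a permitted packet gets the route-map's next hop. The ACL entries, next hops and connected routes are taken from the posted config; the evaluation code and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the question's PBR setup (not IOS code): the
# vlan-gateway ACL, the per-SVI route-maps, and the connected routes.

@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "<network> <wildcard>" or "any"
    dst: str

VLAN_GATEWAY_ACL = [
    AclEntry("deny", "192.168.10.0 0.0.0.255", "192.168.0.0 0.0.255.255"),
    AclEntry("deny", "192.168.11.0 0.0.0.255", "192.168.0.0 0.0.255.255"),
    AclEntry("deny", "192.168.12.0 0.0.0.255", "192.168.0.0 0.0.255.255"),
    AclEntry("permit", "any", "any"),
]
# 'set ip next-hop' of the route-map bound to each SVI
ROUTE_MAP_NEXT_HOP = {"Vlan10": "192.168.10.254", "Vlan11": "192.168.11.254",
                      "Vlan12": "192.168.12.254"}
# Connected routes from the switch's 'show ip route'
CONNECTED = {"Vlan10": "192.168.10.0/24", "Vlan11": "192.168.11.0/24",
             "Vlan12": "192.168.12.0/24"}

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation with IOS's implicit deny at the end."""
    for e in acl:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action
    return "deny"

def pbr_decision(ingress_svi: str, src: str, dst: str):
    """First hop after the switch for a packet arriving on ingress_svi.

    A PBR route-map only policy-routes packets its match ACL *permits*;
    a packet the ACL denies falls through to the normal routing table.
    """
    if acl_action(VLAN_GATEWAY_ACL, src, dst) == "permit":
        return ("policy-routed", ROUTE_MAP_NEXT_HOP[ingress_svi])
    for svi, net in CONNECTED.items():
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(net):
            return ("connected", svi)
    return ("no-route", None)

if __name__ == "__main__":
    print(pbr_decision("Vlan10", "192.168.10.25", "192.168.11.15"))  # ('connected', 'Vlan11')
    print(pbr_decision("Vlan10", "192.168.10.25", "8.8.8.8"))        # ('policy-routed', '192.168.10.254')
```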

2 Answers

With your current config, you are not performing inter-VLAN routing on the switch; you are doing that on the router. This is bad for a number of reasons, of which the main one is, all traffic going from one VLAN to another VLAN is passing through the trunk connection and the router (which causes a bottleneck). Also, you said you want to use "Router-on-a-stick for nat/WAN access, Layer 3 switch for intervlan routing", so what you are currently doing is actually not what you want to do.

Since your switch is layer-3 capable, you only need to give it an IP address on each VLAN (which it already has), and enable IP routing with the command ip routing; this will take care of inter-VLAN routing.

You will then need to revise your network map to use a different IP subnet to connect the switch to the router, instead of carrying all your VLANs to the router through a trunk connection; you'll also have to configure the switch to use the router as its default gateway. The router configuration will need to be modified accordingly: a single connection to the switch, and some route table entries to tell it "you can reach those internal IP subnets via your connection to the switch". Last but not least, all computers in each VLAN will need to use the switch's interface in that VLAN (192.168.10.1, 192.168.11.1 or 192.168.12.1) as their default gateway.

This will achieve what you asked for:

Source IP: 192.168.10.25
Destination IP: 192.168.11.15
Route: 192.168.10.25 --> 192.168.10.1 --> 192.168.11.15

Source IP: 192.168.10.25
Destination IP: 8.8.8.8
Route: 192.168.10.25 --> 192.168.10.1 --> Router --> ISP 

Here is a revised network map (using 192.168.42.0/24 for the router-switch connection):

(image: revised network map)

Here is the corresponding sample configuration for the switch (some details omitted for brevity):

interface range gigabitEthernet 0/1-7
 switchport mode access
 switchport access vlan 10

interface range gigabitEthernet 0/8-14
 switchport mode access
 switchport access vlan 11

interface range gigabitEthernet 0/15-21
 switchport mode access
 switchport access vlan 12

interface GigabitEthernet0/24
 ip address 192.168.42.42 255.255.255.0

interface Vlan10
 ip address 192.168.10.1 255.255.255.0

interface Vlan11
 ip address 192.168.11.1 255.255.255.0

interface Vlan12
 ip address 192.168.12.1 255.255.255.0

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.42.1

And here is the corresponding sample configuration for the router (again, some details omitted for brevity):

ip access-list extended nated-nets
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.42.0 0.0.0.255 any

ip nat inside source list nated-nets interface FastEthernet0/0 overload

interface FastEthernet0/0
 ip address dhcp
 ip nat outside

interface FastEthernet0/1
 ip address 192.168.42.1 255.255.255.0
 ip nat inside

ip route 192.168.10.0 255.255.255.0 192.168.42.42
ip route 192.168.11.0 255.255.255.0 192.168.42.42
ip route 192.168.12.0 255.255.255.0 192.168.42.42

Of course, this can be further optimized (e.g. a /24 subnet is not needed to connect only two devices, and those route table entries can easily be merged); but this should be enough to get you started.

Massimo
  • Thanks, much. Your configuration example does work well. – parsecpython May 05 '16 at 17:38
  • Glad to be of help. Feel free to upvote and accept it if you found it useful. – Massimo May 05 '16 at 18:18
  • Your suggested configuration doesn't need any route-maps to function though. All VLANs on the switch side of the network go across a single routed port to the router, which is one other component I was trying to avoid. – parsecpython May 05 '16 at 19:16
  • The switch is acting as a second router, to route traffic *between* VLANs; anything going *outside* VLANs is forwarded to the router. Isn't this what you asked for? Your initial solution would bring to the router all traffic between all VLANs, even traffic the router doesn't need to know or care about (it should only be concerned about Internet traffic). – Massimo May 05 '16 at 19:30
  • Yeah, you are correct, I was just trying to get the route-map to do that work. The goal of this lab is to practice, learn, and improve route-map implementation. I think I may need more switches to really make this work. – parsecpython May 05 '16 at 22:07
The output for the access-list is very strange; maybe you could use debug ip packet with the access-list, or Wireshark, to see it in detail. However, this design is unusual and not Cisco best practice, because you avoid CEF and increase process switching to forward.

Jhon