So now that we have our switching working, let's get the router up and running, define our addressing scheme and figure out what else we need to do to get this show on the road.
- Our ISP gave us one IP address
- All hosts require access to the internet
- We have been asked to create a subnet scheme that allows for expansion.
Our IP address is 220.127.116.11 /24
(You may recognize this from my frame relay lab)
Our local addressing scheme is:
- 192.168.10.0 255.255.255.0
This needs to be split into subnets, so let's take a look at that. We have 5 VLANs, and that translates into 5 subnets. Five is not a great binary number, so let's round up to 8 subnets (3 borrowed bits), which gives us 32 addresses, or 30 usable hosts, per subnet.
128  64  32  16   8   4   2   1
  1   1   1   0   0   0   0   0   - subnet bits (2^3 = 8 subnets)
  0   0   0   1   1   1   1   1   - host bits (2^5 = 32 addresses)

Subnet mask (last octet) = 128 + 64 + 32 = 224
Hosts per subnet = 32 - 2 = 30
Remember that we can’t use the all 0’s and all 1’s host addresses as these are the network address and broadcast addresses.
So this gives us the following address scheme:
1. 192.168.10.0 - 192.168.10.31 Finance
2. 192.168.10.32 - 192.168.10.63 HR
3. 192.168.10.64 - 192.168.10.95 Sales
4. 192.168.10.96 - 192.168.10.127 R&D
5. 192.168.10.128 - 192.168.10.159 IT
6. 192.168.10.160 - 192.168.10.191 not used
7. 192.168.10.192 - 192.168.10.223 not used
8. 192.168.10.224 - 192.168.10.255 not used

with a subnet mask of 255.255.255.224 (/27)
… and let's assign these to the subnet groups defined by our VLANs.
I have a Cisco 1760 with the serial port connected to the frame relay network, and the Fast Ethernet port connected to our LAN.
So we need to do the following:
- Implement our addressing scheme
- Implement routing
- Control access through ACLs
- Implement NAT and PAT for host access to the internet
Implementing the addressing scheme
So let's bring our VLANs to the router over a single Fast Ethernet port, logically segmented into one 802.1Q subinterface per VLAN (router on a stick), with the router taking the first usable address of each subnet as that VLAN's gateway.
!
interface FastEthernet0/0
 no ip address
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.224
 no snmp trap link-status
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 192.168.10.33 255.255.255.224
 no snmp trap link-status
!
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 ip address 192.168.10.65 255.255.255.224
 no snmp trap link-status
!
interface FastEthernet0/0.4
 encapsulation dot1Q 40
 ip address 192.168.10.97 255.255.255.224
 no snmp trap link-status
!
interface FastEthernet0/0.5
 encapsulation dot1Q 50
 ip address 192.168.10.129 255.255.255.224
 no snmp trap link-status
and then set up our default gateway:
ip default-network 18.104.22.168
At this point, it looks like no routing protocols are required. A quick look at show ip route shows that all of our nets and subnets are directly connected. One thing to check in that output: it still says "Gateway of last resort is not set". ip default-network only takes effect when the router already has a route to that classful network, which makes it an easy command to get wrong; a plain static default route (ip route 0.0.0.0 0.0.0.0 next-hop) is the more predictable way to send internet-bound traffic towards the ISP.
r2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.10.0/27 is subnetted, 5 subnets
C       192.168.10.96 is directly connected, FastEthernet0/0.4
C       192.168.10.64 is directly connected, FastEthernet0/0.3
C       192.168.10.32 is directly connected, FastEthernet0/0.2
C       192.168.10.0 is directly connected, FastEthernet0/0.1
C       192.168.10.128 is directly connected, FastEthernet0/0.5
     22.214.171.124/16 is variably subnetted, 2 subnets, 2 masks
S       126.96.36.199/16 [1/0] via 188.8.131.52
C       184.108.40.206/24 is directly connected, Serial1/0
Now if I fire up router three and use its Ethernet port as a host, let's see if we can ping around. Here is the VLAN, switch, switch port range and test address used for each subnet:
VLAN   Switch    Ports   Test host IP
10     3550      1-6     192.168.10.2
20     3550      13-18   192.168.10.34
30     2950-12   4-8     192.168.10.67
40     3550      9-12    192.168.10.98
50     2950-24   9-16    192.168.10.131
… and yes, I can ping out onto the network to the other routers on the frame relay network.
Now we need to set up internet access. Given that we only have one routable IP address, we have to use port address translation (PAT, or NAT overload): every inside host shares that one address and the router tells their sessions apart by source port.
So we need to define:
- inside address(es)
- Outside address
- inside source list
… and we do this as follows:
- Add ip nat inside to each subinterface
- Add ip nat outside to the serial interface
and here is our source list:
r2(config)#access-list 1 permit 192.168.10.0 0.0.0.255
r2(config)#^Z
This is list 1, and it selects every host in the 192.168.10.0 network (our inside addresses) with the wildcard mask 0.0.0.255, so the three unused subnets are covered as soon as they come into service. Note that this standard ACL only decides which source addresses get translated; it is not applied to an interface and does not filter anything, so it is not the access control item from our to-do list.
As we only have the one routable address, the NAT command is pretty simple: there is no pool to define, we just name the outside interface whose address is to be used:
r2(config)#ip nat inside source list 1 interface serial1/0 overload
… and the key word here is overload. Without it, IOS would do a one-to-one dynamic translation to the interface address, and only one inside host at a time could reach the internet. To confirm it is working, generate some traffic from a host in one of the VLANs and check show ip nat translations for entries and show ip nat statistics for the inside/outside interface list and the hit count. That should be it.
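To tie the subnetting arithmetic from earlier in the post together with the router-on-a-stick and PAT steps above, here is an added Python example of my own (not from the original lab). It takes the 192.168.10.0/24 block and the five VLANs as constructed input, rounds the VLAN count up to a power of two to choose the prefix, lists each subnet's range, usable host count and gateway, and renders the matching IOS configuration, including the ip nat inside / ip nat outside statements the text describes but does not show. The interface names FastEthernet0/0 and Serial1/0, the subinterface numbering and ACL number 1 follow the lab; the function names and the spare-subnet handling are my own assumptions.

```python
import ipaddress

# Constructed inputs mirroring the lab: one private /24 and five named VLANs.
LAN = ipaddress.ip_network("192.168.10.0/24")
VLANS = [(10, "Finance"), (20, "HR"), (30, "Sales"), (40, "R&D"), (50, "IT")]


def plan_subnets(network, vlan_count):
    """Split `network` into the smallest power-of-two number of equal subnets
    that holds `vlan_count` VLANs (5 VLANs -> 3 borrowed bits -> 8 x /27).
    Returns (new_prefix, [subnets])."""
    if vlan_count < 1:
        raise ValueError("need at least one VLAN")
    borrowed_bits = (vlan_count - 1).bit_length()   # ceil(log2(vlan_count))
    new_prefix = network.prefixlen + borrowed_bits
    # a /31 or /32 leaves nothing once network and broadcast are removed
    if new_prefix > network.max_prefixlen - 2:
        raise ValueError(f"{vlan_count} subnets of {network} leave no usable hosts")
    return new_prefix, list(network.subnets(new_prefix=new_prefix))


def usable_hosts(subnet):
    """All-zeros (network) and all-ones (broadcast) are not assignable."""
    return subnet.num_addresses - 2


def assign(subnets, vlans):
    """Pair VLANs with subnets in order; the router takes the first usable
    address of each as that VLAN's gateway. Subnets with no VLAN are spare."""
    plan = []
    for i, subnet in enumerate(subnets):
        vlan_id, name = vlans[i] if i < len(vlans) else (None, "not used")
        plan.append({
            "vlan": vlan_id,
            "name": name,
            "network": subnet,
            "first": subnet.network_address + 1,
            "last": subnet.broadcast_address - 1,
            "gateway": subnet.network_address + 1 if vlan_id is not None else None,
        })
    return plan


def render_config(network, plan, lan_if="FastEthernet0/0", wan_if="Serial1/0", acl=1):
    """Router-on-a-stick plus PAT: one dot1Q subinterface per VLAN marked
    `ip nat inside`, the WAN interface marked `ip nat outside`, a standard ACL
    matching every inside source in the parent block, and one overload
    translation onto the WAN interface's address."""
    lines = [f"interface {lan_if}", " no ip address", " speed auto", "!"]
    used = [e for e in plan if e["vlan"] is not None]
    for idx, entry in enumerate(used, start=1):
        lines += [
            f"interface {lan_if}.{idx}",
            f" encapsulation dot1Q {entry['vlan']}",
            f" ip address {entry['gateway']} {entry['network'].netmask}",
            " ip nat inside",
            "!",
        ]
    lines += [f"interface {wan_if}", " ip nat outside", "!"]
    # hostmask is the wildcard form of the netmask (0.0.0.255 for a /24), so the
    # whole parent block is eligible for translation, spare subnets included
    lines.append(f"access-list {acl} permit {network.network_address} {network.hostmask}")
    lines.append(f"ip nat inside source list {acl} interface {wan_if} overload")
    return "\n".join(lines)


if __name__ == "__main__":
    prefix, subnets = plan_subnets(LAN, len(VLANS))
    plan = assign(subnets, VLANS)
    print(f"{LAN} split into {len(subnets)} x /{prefix}, "
          f"{usable_hosts(subnets[0])} usable hosts each")
    for n, e in enumerate(plan, start=1):
        print(f"{n}. {str(e['first']):<16} - {str(e['last']):<16} {e['name']}")
    print()
    print(render_config(LAN, plan))
```

Running it reproduces the eight-subnet table and the subinterface addresses from the lab, with the NAT statements added in the right places. Changing the VLAN list to four entries drops the prefix to /26 automatically, and asking for more subnets than the block can hold raises an error instead of silently producing /31s with no usable hosts.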