cancel
Showing results for 
Search instead for 
Did you mean: 

Multiple VLAN's setup and Internet

Multiple VLAN's setup and Internet

Erwin_van_Hoof
New Contributor II
We have a setup with 2 X670 switches with 4 VLAN's (OR1-4). I want to hook this setup to the internet and have access from all 4 vlan's to internet and still be able to access all the 4 vlans.

How can this be done?

VLAN setup (first switch)
Name VID Protocol Addr Flags Proto Ports Virtual
Active router /Total ----------------------------------------------------------------------------------------------- Backbone_1 101 192.168.200.1 /30 -f------mop------------------ ANY 1 /1 VR-Default Default 1 ------------------------------------------------- ANY 0 /0 VR-Default Local_1 4091 192.168.100.1 /32 -fL-----mop------------------ ANY 0 /0 VR-Default Mgmt 4095 10.0.0.1 /8 ----------------------------- ANY 0 /1 VR-Mgmt OR1 11 192.168.11.1 /24 -f------mop-T---------------- ANY 9 /36 VR-Default OR2 12 192.168.12.1 /24 -f------mop-T---------------- ANY 0 /11 VR-Default
My xsf (first switch)

configure snmp sysName "Switch_A" configure sys-recovery-level switch reset configure vlan default delete ports all create vlan "Backbone_1" configure vlan Backbone_1 tag 101 create vlan "OR1" configure vlan OR1 tag 11 create vlan "OR2" configure vlan OR2 tag 12 create vlan "Local_1" enable loopback-mode vlan Local_1 enable sharing 48 grouping 48 algorithm address-based L2 lacp configure vlan Backbone_1 add ports 48 untagged configure vlan OR1 add ports 1-24 untagged configure vlan OR2 add ports 25-47 untagged configure vlan Mgmt ipaddress 10.0.0.1 255.0.0.0 configure vlan Backbone_1 ipaddress 192.168.200.1 255.255.255.252 enable ipforwarding vlan Backbone_1 configure vlan OR1 ipaddress 192.168.1.1 255.255.255.0 enable ipforwarding vlan OR1 configure vlan OR2 ipaddress 192.168.2.1 255.255.255.0 enable ipforwarding vlan OR2 configure vlan Local_1 ipaddress 192.168.100.1 255.255.255.255 enable ipforwarding vlan Local_1 create stpd s11 configure stpd s11 mode dot1w configure stpd s11 default-encapsulation dot1d configure stpd s11 add vlan OR1 ports 1-24 dot1d configure stpd s11 ports link-type edge 1-24 edge-safeguard enable bpdu-restrict recovery-timeout 60 configure stpd s11 tag 11 enable stp s11 create stpd s12 configure stpd s12 mode dot1w configure stpd s12 default-encapsulation dot1d configure stpd s12 add vlan OR2 ports 25-47 dot1d configure stpd s12 ports link-type edge 25-47 edge-safeguard enable bpdu-restrict recovery-timeout 60 configure stpd s12 tag 12 enable stp s12 configure ospf add vlan Backbone_1 area 0.0.0.0 configure ospf add vlan OR1 area 0.0.0.0 passive configure ospf add vlan OR2 area 0.0.0.0 passive configure ospf add vlan "Local_1" area 0.0.0.0 passive configure ospf area 0.0.0.0 priority 10 enable ospf configure igmp 60 10 1 2 enable igmp snooping "OR1" fast-leave enable igmp snooping "OR2" fast-leave enable ipmcforwarding vlan "Backbone_1" enable ipmcforwarding vlan "OR1" enable ipmcforwarding vlan "OR2" enable ipmcforwarding vlan "Local_1" configure sharing 48 lacp activity-mode active configure vlan OR1 dhcp-address-range 192.168.1.31 - 192.168.1.201 configure vlan OR1 dhcp-options default-gateway 192.168.1.1 enable dhcp ports 1-24 vlan OR1 configure vlan OR2 dhcp-address-range 192.168.2.31 - 192.168.2.201 configure vlan OR2 dhcp-options default-gateway 192.168.2.1 enable dhcp ports 25-47 vlan OR2 configure pim add vlan "Backbone_1" sparse configure pim add vlan "OR1" sparse passive configure pim add vlan "OR2" sparse passive configure pim add vlan "Local_1" sparse passive configure pim crp vlan "Local_1" "rp-list1" 30 configure pim cbsr vlan "Local_1" enable pim


1 REPLY 1

Frank
Contributor
Since you're running private IPs on all your vlans, I would:
- connect a NAT firewall (Cisco ASA, Palo-Alto, Linux,...) with one Ethernet port in one of your VLANs and the other Ethernet port connected to your Internet provider
- tell the switch that the default route is
- tell the firewall the network routes via the IP of your switch
- the firewall's default gateway would be the ISP's router address

Of course you can get fancy and run OSPF on the firewall to play nice with OSPF on your 670s

I do not think that the 670s do address translation (but I might be wrong), so I don't think that you can hook your Internet provider's connection straight into the 670s.

I hope I didn't misunderstand your problem/question,

Frank
GTM-P2G8KFN