Multiple VLAN's setup and Internet

  • Question
  • Updated 2 years ago
  • Answered
We have a setup with 2 X670 switches with 4 VLANs (OR1-4). I want to hook this setup up to the Internet, have Internet access from all 4 VLANs, and still be able to access all 4 VLANs.

How can this be done? 

VLAN setup (first switch)
Name            VID  Protocol Addr       Flags                         Proto  Ports  Virtual
                                                                              Active router
                                                                              /Total
-----------------------------------------------------------------------------------------------
Backbone_1      101  192.168.200.1  /30  -f------mop------------------ ANY    1 /1   VR-Default
Default         1                        ------------------------------------------------- ANY 0 /0 VR-Default
Local_1         4091 192.168.100.1  /32  -fL-----mop------------------ ANY    0 /0   VR-Default
Mgmt            4095 10.0.0.1       /8   ----------------------------- ANY    0 /1   VR-Mgmt
OR1             11   192.168.11.1   /24  -f------mop-T---------------- ANY    9 /36  VR-Default
OR2             12   192.168.12.1   /24  -f------mop-T---------------- ANY    0 /11  VR-Default

My xsf (first switch)

configure snmp sysName "Switch_A"
configure sys-recovery-level switch reset

configure vlan default delete ports all
create vlan "Backbone_1"
configure vlan Backbone_1 tag 101
create vlan "OR1"
configure vlan OR1 tag 11
create vlan "OR2"
configure vlan OR2 tag 12
create vlan "Local_1"
enable loopback-mode vlan Local_1

enable sharing 48 grouping 48 algorithm address-based L2 lacp
configure vlan Backbone_1 add ports 48 untagged
configure vlan OR1 add ports 1-24 untagged
configure vlan OR2 add ports 25-47 untagged

configure vlan Mgmt ipaddress 10.0.0.1 255.0.0.0
configure vlan Backbone_1 ipaddress 192.168.200.1 255.255.255.252
enable ipforwarding vlan Backbone_1
configure vlan OR1 ipaddress 192.168.1.1 255.255.255.0
enable ipforwarding vlan OR1
configure vlan OR2 ipaddress 192.168.2.1 255.255.255.0
enable ipforwarding vlan OR2
configure vlan Local_1 ipaddress 192.168.100.1 255.255.255.255
enable ipforwarding vlan Local_1

create stpd s11
configure stpd s11 mode dot1w
configure stpd s11 default-encapsulation dot1d
configure stpd s11 add vlan OR1 ports 1-24 dot1d
configure stpd s11 ports link-type edge 1-24 edge-safeguard enable bpdu-restrict recovery-timeout 60
configure stpd s11 tag 11
enable stp s11
create stpd s12
configure stpd s12 mode dot1w
configure stpd s12 default-encapsulation dot1d
configure stpd s12 add vlan OR2 ports 25-47 dot1d
configure stpd s12 ports link-type edge 25-47 edge-safeguard enable bpdu-restrict recovery-timeout 60
configure stpd s12 tag 12
enable stp s12

configure ospf add vlan Backbone_1 area 0.0.0.0
configure ospf add vlan OR1 area 0.0.0.0 passive
configure ospf add vlan OR2 area 0.0.0.0 passive
configure ospf add vlan "Local_1" area 0.0.0.0 passive
configure ospf area 0.0.0.0 priority 10
enable ospf

configure igmp 60 10 1 2
enable igmp snooping "OR1" fast-leave
enable igmp snooping "OR2" fast-leave

enable ipmcforwarding vlan "Backbone_1"
enable ipmcforwarding vlan "OR1"
enable ipmcforwarding vlan "OR2"
enable ipmcforwarding vlan "Local_1"

configure sharing 48 lacp activity-mode active

configure vlan OR1 dhcp-address-range 192.168.1.31 - 192.168.1.201
configure vlan OR1 dhcp-options default-gateway 192.168.1.1
enable dhcp ports 1-24 vlan OR1
configure vlan OR2 dhcp-address-range 192.168.2.31 - 192.168.2.201
configure vlan OR2 dhcp-options default-gateway 192.168.2.1
enable dhcp ports 25-47 vlan OR2

configure pim add vlan "Backbone_1" sparse
configure pim add vlan "OR1" sparse passive
configure pim add vlan "OR2" sparse passive
configure pim add vlan "Local_1" sparse passive

configure pim crp vlan "Local_1" "rp-list1" 30
configure pim cbsr vlan "Local_1"

enable pim
Erwin van Hoof

Posted 2 years ago
Frank

Since you're running private IPs on all your VLANs, I would:
- connect a NAT firewall (Cisco ASA, Palo Alto, Linux, ...) with one Ethernet port in one of your VLANs and the other Ethernet port connected to your Internet provider
- tell the switch that the default route is <IP address of the firewall>
- tell the firewall the network routes via the IP of your switch
- the firewall's default gateway would be the ISP's router address

Of course you can get fancy and run OSPF on the firewall to play nice with OSPF on your 670s.

I do not think that the 670s do address translation (but I might be wrong), so I don't think that you can hook your Internet provider's connection straight into the 670s.

I hope I didn't misunderstand your problem/question,

    Frank
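The four steps in the answer above, rendered as concrete commands with a Linux box playing the NAT firewall. This is an added example, not part of the thread and not the poster's or Frank's configuration. The switch address 192.168.1.1 and the subnets 192.168.1.0/24 and 192.168.2.0/24 come from the poster's xsf; everything else (the firewall's 192.168.1.254 in VLAN OR1, interfaces eth0/eth1, the ISP gateway 203.0.113.1, the OR3/OR4 subnets, and the OSPF export line) is an assumption for illustration. The forward chain is default-deny so that only the listed internal subnets can start outbound sessions and nothing from the ISP side can be forwarded in; the NAT rule is limited to those same subnets.

```shell
#!/bin/sh
# Added example (not from the original thread): Frank's four-step design as commands.
# Assumed values are marked; only SWITCH_IP and the OR1/OR2 subnets come from the post.

SWITCH_IP="192.168.1.1"          # switch's OR1 address (from the poster's xsf)
FW_INSIDE_IP="192.168.1.254"     # assumed: firewall port placed in VLAN OR1
FW_INSIDE_IF="eth0"              # assumed: firewall interface facing the switch
FW_OUTSIDE_IF="eth1"             # assumed: firewall interface facing the ISP
ISP_GATEWAY="203.0.113.1"        # assumed: ISP router (documentation range)
# Internal subnets allowed to reach the Internet. OR1/OR2 are from the xsf;
# OR3/OR4 are assumed to follow the same pattern.
INTERNAL_PREFIXES="192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"
ATTACHED_PREFIX="192.168.1.0/24"  # the subnet the firewall's inside port sits in

# Step 2: the switch's default route points at the firewall (EXOS CLI).
# Exporting the static default into OSPF lets the second X670 learn it too;
# that line is an assumption, so check its syntax against your EXOS release.
render_exos_default_route() {
    printf 'configure iproute add default %s\n' "$FW_INSIDE_IP"
    printf 'enable ospf export static cost 10 type ase-type-2\n'
}

# Step 3: the firewall needs a route back to every VLAN it is not attached to,
# via the switch's address in the attached VLAN.
render_return_routes() {
    for p in $INTERNAL_PREFIXES; do
        [ "$p" = "$ATTACHED_PREFIX" ] && continue
        printf 'ip route add %s via %s dev %s\n' "$p" "$SWITCH_IP" "$FW_INSIDE_IF"
    done
}

# Step 4: the firewall's own default gateway is the ISP router.
render_default_route() {
    printf 'ip route add default via %s dev %s\n' "$ISP_GATEWAY" "$FW_OUTSIDE_IF"
}

# Build the nftables set literal "{ a, b, c }" from INTERNAL_PREFIXES.
prefix_set() {
    set -- $INTERNAL_PREFIXES
    out="$1"; shift
    for p in "$@"; do out="$out, $p"; done
    printf '{ %s }' "$out"
}

# Step 1: the NAT firewall itself. Forwarding is default-deny: only the listed
# internal subnets may open sessions towards the ISP side, replies return via
# conntrack, and only those subnets are masqueraded.
render_nft_ruleset() {
    set_lit=$(prefix_set)
    cat <<EOF
table inet fw {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$FW_INSIDE_IF" oifname "$FW_OUTSIDE_IF" ip saddr $set_lit accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$FW_OUTSIDE_IF" ip saddr $set_lit masquerade
    }
}
EOF
}

render_all() {
    echo "## On the X670 (EXOS):"; render_exos_default_route
    echo "## On the Linux firewall (routes):"; render_return_routes; render_default_route
    echo "## On the Linux firewall (nftables):"; render_nft_ruleset
}

# Applies the Linux side for real; needs root, iproute2 and nftables. Not run by default.
apply_all() {
    sysctl -w net.ipv4.ip_forward=1
    render_return_routes | sh
    render_default_route | sh
    render_nft_ruleset | nft -f -
}

case "${1:-render}" in
    render) render_all ;;
    apply)  apply_all ;;
esac
```

Run it without arguments to review the generated commands, and with `apply` on the firewall host to install the Linux side. Two design points worth knowing: the hosts in the VLAN that holds the firewall port still use the switch as their gateway, so traffic from that VLAN takes a hop through the switch before reaching the firewall (a dedicated transit VLAN for the firewall link avoids this); and because the forward chain drops by default, any new service that needs to cross the firewall must be added as an explicit rule rather than appearing by accident.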