Network Guys

Share your knowledge!

Router on a stick

Today I will show you how to build a so called “Router-on-a-stick” environment. In this example we have one Cisco router, one HP ProCurve switch and three subnets:

First we configure inspection firewall profiles, so when someone requests packets from the internet, packets can come back through our inbound WAN interface access-list

ip inspect name Marketing tcp
ip inspect name Marketing udp
ip inspect name Marketing icmp
ip inspect name Sales tcp
ip inspect name Sales udp
ip inspect name Sales icmp
ip inspect name Server tcp
ip inspect name Server udp
ip inspect name Server icmp

to access the internet, we need to NAT overload packets going to public IP addresses (in this example we have a PPPoE DSL Dialer-Interface)

ip access-list extended tonat
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any any

ip nat inside source list tonat interface Dialer1 overload

interface Dialer1
ip nat outside
ip access-group wan_in in

ip access-list extended wan_in
remark Inbound ACL for VPN traffic
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp

now it’s time to configure subinterfaces on the interface which is connect to our primary HP ProCurve Switch. Please let the interface at it’s default settings:

interface GigabitEthernet0/0
no ip address
duplex auto
speed auto

now we will configure sub-interfaces on that interface and will tag the IP packets for Sales and Marketing subnet

interface GigabitEthernet0/0.1
description Server LAN
encapsulation dot1Q 1 native
ip address 192.168.15.254 255.255.255.0
ip nat inside
ip inspect Server in
ip virtual-reassembly in
ip tcp adjust-mss 1452

interface GigabitEthernet0/0.10
description Marketing LAN
encapsulation dot1Q 10
ip address 192.168.23.254 255.255.255.0
ip nat inside
ip inspect Marketing in
ip virtual-reassembly in
ip tcp adjust-mss 1452

interface GigabitEthernet0/0.20
description Sales LAN
encapsulation dot1Q 20
ip address 192.168.54.254 255.255.255.0
ip nat inside
ip inspect Sales in
ip virtual-reassembly in
ip tcp adjust-mss 1452

we can also configure access-lists on our interfaces to deny packets going between Sales and Marketing network but let them go to the server and internet:

ip access-list extended sales_in
deny ip 192.168.54.0 0.0.0.255 192.168.23.0 0.0.0.255
permit ip 192.168.54.0 0.0.0.255 any

interface GigabitEthernet0/0.20
ip access-group sales_in in

ip access-list extended marketing_in
deny ip 192.168.23.0 0.0.0.255 192.168.54.0 0.0.0.255
permit ip 192.168.23.0 0.0.0.255 any

interface GigabitEthernet0/0.10
ip access-group marketing_in in

In a Cisco router, the interface configured with the sub-interfaces needs always a native vlan (packets will not have any vlan tag). At last step we will configure the HP ProCurve Switch. We take a 2510 with 24-ports

The port assignment is as follows:
Port 1-12: VLAN 10 (Marketing LAN)
Port 13-20: VLAN 20 (Sales LAN)
Port 21-23: VLAN 1 (Server LAN)
Port 24: VLAN Trunk (Cisco Router)

Configuration of the switch:

vlan 1
name “Server LAN”
untagged 21-24
ip address 192.168.23.250 255.255.255.0 // for management
no untagged 1-20
exit
vlan 10
name “Marketing LAN”
untagged 1-12
tagged 24
exit
vlan 20
name “Sales LAN”
untagged 13-20
tagged 24
exit

Don’t forget to save the router und switch configuration with “write memory”. Now, you will have a complete router-on-a-stick infrastructure. Feel free to ask questions in the comments below :)

9 Responses

  1. That really was new to me. Your blog is really a good source for things about Gigabitethernet0 0.1. Thanks, Klaus!

  2. Great tutorial!
    I have a similar network although I want the Cisco router to be the DHCP server for both VLAN1+10+20

    How would you apply this in the router and the HP switch?

    1. Hi Mikhail :)

      thank you! You can configure different DHCP scopes at the cisco router like this:

      ip dhcp pool VLAN1DHCPSCOPE
      network 192.168.1.0 255.255.255.0
      dns-server 8.8.8.8 8.8.4.4
      default-router 192.168.1.1
      domain-name company.local
      lease 2

      ip dhcp excluded-address 192.168.1.1 192.168.1.99
      ip dhcp excluded-address 192.168.1.150 192.168.1.254

      ip dhcp pool VLAN10DHCPSCOPE
      network 192.168.10.0 255.255.255.0
      dns-server 8.8.8.8 8.8.4.4
      default-router 192.168.10.1
      domain-name company.local
      lease 2

      ip dhcp excluded-address 192.168.10.1 192.168.10.99
      ip dhcp excluded-address 192.168.10.150 192.168.10.254

      ip dhcp pool VLAN20DHCPSCOPE
      network 192.168.20.0 255.255.255.0
      dns-server 8.8.8.8 8.8.4.4
      default-router 192.168.20.1
      domain-name company.local
      lease 2

      ip dhcp excluded-address 192.168.20.1 192.168.20.99
      ip dhcp excluded-address 192.168.20.150 192.168.20.254

      The scope will only give IP addresses to clients where the router has a routing interface in it. So “VLAN1DHCPSCOPE” will only give IP addresses from 192.168.1.100-149.

      After your configuration you can start the service with “service dhcp” and can watch bindings with “show ip dhcp binding”. When you have placed an access-list inbound to a vlan interface, keep in mind that you allow ipless bootps packets like this:

      ip access-list extended lan_in
      permit udp any any eq bootps

      If you have any further questions, don’t hestitate to reply :) I hope I could help you with this. Have an nice day!

      1. Wow, I didn’t expect such a quick reply thank you!

        You will have to forgive me as I am quite new to Cisco router config and VLANing
        I am used to configuring via web UIs but I am reasonably comfortable with the CLI as I have spent so much time trying to work out this configuration in the last couple of weeks.

        Basically, I have a Cisco 881 router and a HP Procurve 2520 series and want to have 2 VLANs . (I googled this and your page came up first!)

        Like you explained above. I have 2 VLANs configured with DHCP on the 881

        VLAN1 = Management 10.1.1.0/24
        VLAN2 = Guest 172.1.1.0/24 (completely isolated from VLAN1)

        Cisco 881 FE0 > straight patch HP Procurve Port 24

        When the switch is in default mode with native VLAN1 across 1-24 I get DHCP address fine from the 10.1.1.0/24 network.

        This is as far as I got as I think I am doing something wrong with the ProCurve Switch or the Cisco 881

        I know FE0 needs to be set up as a trunk 802.1q with sub-interfaces for the 2 VLANs.
        I am unsure if this is has been configured correctly as every tutorial describes the same commands (FA0/0.1) this has never worked for this router for some reason, so I am assuming the sub-interfaces are assigned to FE0 somehow (a friend of mine said he found a way to do it)

        On the HP ProCurve I know I need to tag port 24 for VLAN1 + VLAN2 for 802.1q

        Ports 3-12 are untagged for VLAN1
        Ports 13-23 are untagged for VLAN2
        Ports 1-2 will have a Ruckus Zone Director and access point. It will have 2 SSIDs one for VLAN1, the other for VLAN2 – Im presuming I tag ports 1-2 for VLAN1+VLAN2.

        However when I patch into any port after I have configured the VLANs on the switch I get a self assigned IP address of 169.xxx.xxx.xxx and from there I have to default the switch and start again. I was thinking it was some kinda of DHCP issue but I don’t think thats the case as I get DHCP when the switch is in default and native VLAN across all ports.

        I am at a loss now as very tutorial I have tried does not work.

        I appreciate your response. I will definitely be keeping up with your blog!

        1. Than your config will be like this:

          ProCurve Switch:

          vlan 1
          untagged 24

          vlan 2
          tagged 24

          Cisco Router:

          default interface FastEthernet0

          interface FastEthernet0.1
          encapsulation dot1Q 1 native
          ip address 10.1.1.x 255.255.255.0

          interface FastEthernet0.2
          encapsulation dot1Q 2
          ip address 172.1.1.x 255.255.255.0

          one vlan interface needs to be native in the cisco router (nativ = no vlan tag on IP packet) so you don’t tag on the HP Switch. Only the other VLANs will be tagged (in your example vlan 2).

          Try this and contact me again if it’s working. You can also send me your cisco router and hp switch config, it’s the “show run” output. You can find my mail address here http://www.google.com/recaptcha/mailhide/d?k=01-KfNaX7fWLTHh7BlPfSmYg==&c=Shd3_hwuUfmGT_Kan8Af3LC9KD0pKJALlMKCEy6AVpY=

  3. Can you shed light on my config as well please. Trying to get a Cisco ASA sujb interface to communicate with a HP procurve dynamic trunk running wit GVRP. Any ideas

Leave a Reply

Click on the button to load the content from jetpack.wordpress.com.

Load content

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Certificates

ekahau Certified Survey Engineer
ATP_wsrgb
ACMP2
suca
Post Categories
Post Archives