“Router on the edge” is different to “Router on a stick”. The cable-connects are the same but here we will route internal networks with a fast layer 3 switch.

In my example I will configure a Cisco router and a Dell switch as our core-routing-switch. I will also add code for a HP ProCurve switch. First we will plan our current network with three vlans:

VLAN 5 (Door to the Internet)
VLAN 10 (Servers)
VLAN 20 (Clients)
VLAN 30 (Guests)

I don’t use default VLAN 1 because in case of a forgotten non-tagged port, the device connected to it, will be in this VLAN. Now we will configure the Dell switch with several VLANs. I choose three /24 Class C networks and a /30 network between the core switch and the Cisco router (192.168.5.1):

vlan database
vlan 5,10,20,30

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.5.1

interface vlan 5
name “Door-to-Internet”
routing
ip address 192.168.5.2 255.255.255.252
no ip proxy-arp

interface vlan 10
name “Server”
routing
ip address 192.168.10.1 255.255.255.0
no ip proxy-arp

interface vlan 20
name “Clients”
routing
ip address 192.168.20.1 255.255.255.0
no ip proxy-arp

interface vlan 30
name “Guests”
routing
ip address 192.168.30.1 255.255.255.0
no ip proxy-arp

interface ethernet 1/g1
description “Here is the Cisco router connected”

interface range ethernet 1/g2-1/g10
description “Here are servers connected”
switchport access vlan 10

interface range ethernet 1/g2-11/g20
description “Here are clients connected”
switchport access vlan 20

interface range ethernet 1/g21-1/g24
description “This is for guests”
switchport access vlan 30

Routing is now enabled between your networks. You can also configure access-lists for your vlan interfaces. The following allows the dhcp relay option (ip-helper address pointed to your central DHCP server), blocks connection into other private networks connected to the core switch but let all internet traffic through the interface. We will use this for our guests vlan:

access-list guests_in permit udp any any eq 67
access-list guests_in permit udp any any eq 68
access-list guests_in permit icmp 192.168.30.0 0.0.0.255 192.168.30.1 0.0.0.0
access-list guests_in deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list guests_in deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list guests_in deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list guests_in permit ip 192.168.30.0 0.0.0.255 any

interface vlan 30
ip access-group guests_in in 1

To bring the devices online, we will configure our router like this:

interface GigabitEthernet0/0
description Connect to core switch
ip address 192.168.5.1 255.255.255.252
ip nat inside
ip inspect lan in
ip virtual-reassembly
ip tcp adjust-mss 1452

interface GigabitEthernet0/1
description Connect to service provider
ip address 80.60.50.40 255.255.255.0
ip nat outside

ip access-list extended NAT-ACL
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip 192.168.0.0 0.0.255.255 any

ip nat inside source list NAT-ACL interface GigabitEthernet0/1 overload

ip route 192.168.10.0 255.255.255.0 192.168.5.2
ip route 192.168.20.0 255.255.255.0 192.168.5.2
ip route 192.168.30.0 255.255.255.0 192.168.5.2
ip route 0.0.0.0 0.0.0.0 80.60.50.1

This also works with a Dialer interface as the default gateway. Keep in mind that you need to configure backward routes to the internal networks via the directly connected core switch and always configure access-lists nearest to the source (so every access-list will be configured and bound in the core switch). The nat overload rule is natting all packets beginning with “192.168.”.

For users with HP ProCurve Switches you can take this config:

ip routing

vlan 5
name “Door-to-Internet”
untagged 1
ip address 192.168.5.2 255.255.255.252

vlan 10
name “Server”
untagged 2-10
ip address 192.168.10.1 255.255.255.0

interface vlan 20
name “Clients”
untagged 11-20
ip address 192.168.20.1 255.255.255.0

interface vlan 30
name “Guests”
untagged 21-24
ip address 192.168.30.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip default-gateway 192.168.5.1

in case that you are use the routing feature on a HP ProCurve switch, the “ip default-gateway” needs to be extended with “ip route 0.0….” because this is the gateway for all packets routed by the vlan interfaces.

Feel free to ask and comment this article. I think I will also explain “router on the edge” with a Sophos UTM appliance for beeing the way to the internet :) happy weekend!

The post Router on the edge appeared first on Network Guy.