Good morning everyone! Today I want to explain a configuration for routing internal networks with a layer 3 routing switch and a separate router for internet access. I call it “router on the edge”. The term “edge router” usually means a router running EBGP (External Border Gateway Protocol), so I am inventing a new term :)
“Router on the edge” is different from “router on a stick”. The cabling is the same, but here the internal networks are routed by a fast layer 3 switch instead of the router.
In my example I will configure a Cisco router and a Dell switch as the core routing switch. I will also add the equivalent config for an HP ProCurve switch. First we plan our network with the following VLANs:
VLAN 5 (Door to the Internet)
VLAN 10 (Servers)
VLAN 20 (Clients)
VLAN 30 (Guests)
I don’t use the default VLAN 1 because a device plugged into a forgotten untagged port would land in that VLAN. Now we configure the Dell switch with several VLANs. I choose three /24 Class C networks and a /30 network between the core switch and the Cisco router (192.168.5.1):
vlan database
vlan 5,10,20,30

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.5.1

interface vlan 5
name "Door-to-Internet"
routing
ip address 192.168.5.2 255.255.255.252
no ip proxy-arp

interface vlan 10
name "Server"
routing
ip address 192.168.10.1 255.255.255.0
no ip proxy-arp

interface vlan 20
name "Clients"
routing
ip address 192.168.20.1 255.255.255.0
no ip proxy-arp

interface vlan 30
name "Guests"
routing
ip address 192.168.30.1 255.255.255.0
no ip proxy-arp

interface ethernet 1/g1
description "Here is the Cisco router connected"
switchport access vlan 5

interface range ethernet 1/g2-1/g10
description "Here are servers connected"
switchport access vlan 10

interface range ethernet 1/g11-1/g20
description "Here are clients connected"
switchport access vlan 20

interface range ethernet 1/g21-1/g24
description "This is for guests"
switchport access vlan 30
Routing is now enabled between your networks. You can also configure access-lists on your VLAN interfaces. The following list allows DHCP (so that a DHCP relay with an ip helper-address pointing to your central DHCP server still works), allows pinging the VLAN gateway, blocks connections into the other private networks connected to the core switch, and lets all internet traffic through the interface. We will use this for our guests VLAN:
access-list guests_in permit udp any any eq 67
access-list guests_in permit udp any any eq 68
access-list guests_in permit icmp 192.168.30.0 0.0.0.255 192.168.30.1 0.0.0.0
access-list guests_in deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list guests_in deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list guests_in deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list guests_in permit ip 192.168.30.0 0.0.0.255 any

interface vlan 30
ip access-group guests_in in 1
To bring the devices online, we will configure our router like this:
interface GigabitEthernet0/0
description Connect to core switch
ip address 192.168.5.1 255.255.255.252
ip nat inside
ip inspect lan in
ip virtual-reassembly
ip tcp adjust-mss 1452

interface GigabitEthernet0/1
description Connect to service provider
ip address 80.60.50.40 255.255.255.0
ip nat outside

ip access-list extended NAT-ACL
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip 192.168.0.0 0.0.255.255 any

ip nat inside source list NAT-ACL interface GigabitEthernet0/1 overload

ip route 192.168.10.0 255.255.255.0 192.168.5.2
ip route 192.168.20.0 255.255.255.0 192.168.5.2
ip route 192.168.30.0 255.255.255.0 192.168.5.2
ip route 0.0.0.0 0.0.0.0 80.60.50.1
This also works with a Dialer interface as the default gateway. Keep in mind that the router needs return routes to the internal networks via the directly connected core switch, and that access-lists should always be placed nearest to the source (so every access-list is configured and bound on the core switch). The NAT overload rule translates all packets with a source address beginning with “192.168.”, except traffic destined for the private ranges that NAT-ACL denies.
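To check what the guests_in list on the core switch and NAT-ACL on the router actually decide for a given flow, here is an added Python model of first-match evaluation with Cisco/Dell wildcard masks (example code, not a vendor implementation; the sample hosts and flows are constructed). It also shows that a packet whose source is outside 192.168.30.0/24 never matches the final permit of guests_in and falls through to the implicit deny.

```python
import ipaddress

# Added example: first-match ACL evaluation with wildcard masks (not vendor code).
def wildcard_match(addr, base, wildcard):
    """Bits set to 1 in the wildcard mask are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' from the first matching entry;
    every ACL ends with an implicit deny, so unmatched traffic is dropped."""
    for action, p, s, sw, d, dw, port in acl:
        if p != "ip" and p != proto:            # 'ip' matches every protocol
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dport:  # the 'eq <port>' qualifier
            continue
        return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
GUESTS = ("192.168.30.0", "0.0.0.255")
# entry layout: (action, protocol, src, src-wildcard, dst, dst-wildcard, dst-port)
# guests_in: bound inbound on interface vlan 30 of the core switch
GUESTS_IN = [
    ("permit", "udp", *ANY, *ANY, 67),
    ("permit", "udp", *ANY, *ANY, 68),
    ("permit", "icmp", *GUESTS, "192.168.30.1", "0.0.0.0", None),
    ("deny", "ip", *GUESTS, "10.0.0.0", "0.255.255.255", None),
    ("deny", "ip", *GUESTS, "172.16.0.0", "0.15.255.255", None),
    ("deny", "ip", *GUESTS, "192.168.0.0", "0.0.255.255", None),
    ("permit", "ip", *GUESTS, *ANY, None),
]
# NAT-ACL on the router: 'permit' means the source address gets translated
NAT_ACL = [
    ("deny", "ip", *ANY, "10.0.0.0", "0.255.255.255", None),
    ("deny", "ip", *ANY, "192.168.0.0", "0.0.255.255", None),
    ("deny", "ip", *ANY, "172.16.0.0", "0.15.255.255", None),
    ("permit", "ip", "192.168.0.0", "0.0.255.255", *ANY, None),
]

if __name__ == "__main__":  # constructed sample flows
    print(evaluate(GUESTS_IN, "tcp", "192.168.30.50", "192.168.10.5", 445))  # deny
    print(evaluate(NAT_ACL, "tcp", "192.168.20.7", "93.184.216.34", 443))    # permit
```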
For HP ProCurve switches, the equivalent configuration looks like this:
ip routing

vlan 5
name "Door-to-Internet"
untagged 1
ip address 192.168.5.2 255.255.255.252

vlan 10
name "Server"
untagged 2-10
ip address 192.168.10.1 255.255.255.0

vlan 20
name "Clients"
untagged 11-20
ip address 192.168.20.1 255.255.255.0

vlan 30
name "Guests"
untagged 21-24
ip address 192.168.30.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip default-gateway 192.168.5.1
If you use the routing feature on an HP ProCurve switch, “ip default-gateway” has to be supplemented with “ip route 0.0….”, because that static default route is the gateway for all packets routed by the VLAN interfaces.
Feel free to ask questions and comment on this article. I think I will also explain “router on the edge” with a Sophos UTM appliance as the way to the internet :) happy weekend!
7 Responses
Hi Michel, did you ever get round to doing this with a Sophos UTM instead of a Cisco router?
Do you think the best method is this router on edge or the router on a stick?
Thanks!
Ross
Hi Ross,
yeah of course, when you have a lot of traffic within your network VLANs, you can do routing with a layer 3 switch and secure the way to the internet with a Sophos UTM.
Hi Michel,
Ok great, much appreciated thanks for the reply.
Hi, I have an EdgeRouter Lite and a 1910-8G. I would like to use this setup with Sophos UTM on the way in and out of the internet (WAN). Do you know if this is possible?
Of course this is possible. But you need an IP-Gateway to do this; you can’t do PPPoE and VLAN on one interface. Just create different VLAN interfaces on the one hardware network card, and on one interface you configure a gateway.
Michel…thank you first of all for the quickest reply.
I apologize if I am not fully understanding, however I thought the Sophos would do this, i.e. bridge to the modem and get ISP IP via DHCP – wouldn’t that in effect be the IP-Gateway? I plan to run Sophos UTM on a VM and have a dual-port network card passed to it, one for WAN and the other to the ERL router.
Then it is very easy: one interface is your internal network and one is for the WAN (click the checkboxes “Dynamic IP” and “IPv4 Default GW”).