Hello everyone and welcome to this new series on designing and building Cisco networks. In this series, we will explore most of the concepts we have learned in other articles and put them together to build a fully functional Cisco network. For each article in this series, we will set out to accomplish a design goal and we will explore all the tools needed to accomplish the goal. Our design goal for this article is to build a single site network with the following requirements;
Three segments for users, management, and guests with about 12 users each.
Automatic addressing and VLAN assignment for the segments.
Routing between the three segments.
Internet connectivity of all three segments.
You have been provided with a 48-port layer-2 switch and a Cisco router with two fast Ethernet ports.
Your mission, should you choose to accept it is to setup the network to meet the requirements above. You may begin. J
Requirement one: three segments for users, management, and guests with about 12 users each.
First, let us consider the physical topology: We have a 48-port switch and we need three networks of two users each. This means all three networks would be on the same L-2 switch. So how do we separate broadcast domains (networks) on a layer-2 switch? We use VLANS. We will talk about more about VLANS in a moment. Let’s think about IP addressing for a minute. You can review details of IP addressing in this post.
For 12 users, the closest block size number is 16, which is /28. So, assuming we decide to use the 192.168.2.0 class C network, we would subnet that into 3 /28 networks. We can also decide to assign the first usable IP address in each subnet to the default gateway. The first 3 /28 networks in that range are:
192.168.2.0/28—users (default gateway is 192.168.2.1)
192.168.2.16/28—management (default gateway is 192.168.2.17) and
192.168.2.32/28—guests (default gateway is 192.168.2.33)
That should be all for requirement 1. Now let us take a look at the second requirement.
Automatic addressing and VLAN assignment for the segments
The first part of the second requirement deals with automatic addressing. What technology do we use for automatic IP addressing? Dynamic host configuration protocol (DHCP). Remember our post on DHCP? You can review it here. For our scenario, we need to configure a device as the DHCP server. In this case, we only have one option, the Cisco router. We will create three DHCP pools on the router (one for each of the departments). The DHCP configuration parameters are shown below:
|Default – Router||192.168.2.1||192.168.2.17||192.168.2.33|
The DHCP Configuration is shown below;
I know what you are thinking: How does the router decide which pool to assign an address from? How do we ensure that someone on the users’ network does not get assigned an admin network? Well, good question. The router would have interfaces (or sub-interfaces in this case) in each of the segments. Since a DHCP request is a broadcast, the router receives each request on the interface that is connected to that network. The router then uses the subnet of the interface to determine which IP address pool to assign to the client. This way, there is no confusion.
The second part of the requirement deals with VLAN Assignments. For VLAN assignment, we need to configure the switch to support VLANs. The first thing to do here is to create the VLANs. To create VLANS, we use the vlan command. We would create the VLANs as shown below;
switch# configure terminal switch(config)# vlan 10 switch(config-vlan)# name users switch(config-vlan)#exit switch(config)# switch(config)# vlan 20 switch(config-vlan)# name admin switch(config-vlan)#exit switch(config)# switch(config)# vlan 30 switch(config-vlan)# name guest
After creating the VLANs, the next step is to assign the ports on the switch to a VLAN. We will assign VLANs based on the scheme below:
* Ports Fa0/1 to F0/12 – Vlan 10 (Users)
* Ports Fa0/13 to F0/24 – Vlan 10 (Users)
* Ports Fa0/25 to F0/36 – Vlan 10 (Users)
The configuration is shown below:
switch# configure terminal switch(config)# interface range F0/1 - 12 switch(config-if)# switchport mode access switch(config-if)# switchport access vlan 10 switch(config-if)#exit switch(config)# switch(config)# interface range F0/13 - 24 switch(config-if)# switchport mode access switch(config-if)# switchport access vlan 20 switch(config-if)#exit switch(config)# switch(config)# interface range F0/25 - 36 switch(config-if)# switchport mode access switch(config-if)# switchport access vlan 30 switch(config-if)#exit
Notice the interface range command? This command is used when you need to configure many interfaces with the same parameters at the same time. Imagine how much work we would have had to do to configure each of the 36 interfaces one by one. Pretty cool, right?
Assuming our router is connected to the switch on port Fa0/0, what VLAN do we place that port on? Since the router has to have access to all the VLANs, we need to configure F0/0 as a trunk port. To do this, we first set the encapsulation to 802.1q and then set the switchport mode to trunk.
switch(config)# interface range F0/0 switch(config-vlan)# switchport trunk encapsulation dot1q switch(config-vlan)# switchport mode trunk switch(config-vlan)#exit
The third requirement is to enable routing among the three segments. To enable routing, we need to consider a few things. First, we know that each VLAN is a separate broadcast domain and we need routing to enable communication between broadcast domains. Routing is implemented using a layer-3 device (in this case, a router). To route between domains, the router should have an interface in each broadcast domain. In this case we have only two interfaces (and we have to use one for our external connection to the ISP). So what do we do? Well we route using only one physical interface. The trick here is to use sub-interfaces. This concept is called router-on-a-stick. Before we move on to the configuration details to do this, let’s look at the physical and logical diagrams for our networks shown below:
To configure router sub-interfaces you use the dot (.) keyword. So for you can say “interface f0/0.10” to create sub-interface 10 under physical interface Fast Ethernet 0/0. Our configuration details for the sub interfaces are shown below:
Sub-interface 10: VLAN 10, using 802.1q encapsulation with IP address 192.168.2.1
Sub-interface 20: VLAN 20, using 802.1q encapsulation with IP address 192.168.2.17
Sub-interface 30: VLAN 30, using 802.1q encapsulation with IP address 192.168.2.33
The configuration of the router is shown below:
The “encapsulation dot1q vlan” command tells the interface to expect frames that are tagged as VLAN 10 frames using the 802.1q encapsulation. This command essentially places that sub-interface in VLAN 10. For each sub-interface to work, you must issue the encapsulation sub-interface command.
Note: On the switch end of this configuration, you must have set the interface to trunk and you must ensure that all the VLANs corresponding to the sub interfaces are allowed on the trunk. Also, you must ensure that the trunk encapsulation matches on the switch and on the router. If you do all of these things, your router-on-a-stick solution should work without any problems.
Let us take a look at the routing table of the router to see if the three networks are installed:
Sure enough, we have all three /28 networks installed in the routing table. For more information on IP routing, please review the post on static and connected IP routing here.
So how do we test? We will connect a user to the admin VLAN (20) and test to see if we can obtain an ip address and if we can reach the users’ VLAN.
Let’s quickly set up a router as a DHCP client to test:
Sure enough, the ADMIN gets a DHCP address (192.168.2.19) from the DHCP server.
Now let us try to ping the user VLAN from the admin VLAN.
Success! There is connectivity between the two VLANs. Just to confirm that the routing is being done by the router, we can issue a trace from the ADMIN user:
We can see that the trace goes up to VLAN 20’s default gateway (192.168.2.17) before reaching the VLAN 10 IP address. So our router-on-a-stick configuration is working as planned. Easy peasy!
However, this network is only good enough to share resources among the office; there is still no access to the Internet. So let’s get that sorted.
To connect the site to the Internet, we need to apply three technologies. You can revise the technologies here:
First we need to set up routing to the ISP network. To do this, we need information from the ISP. Assuming that we have these parameters from the ISP:
IP Addresses: 184.108.40.206/29
Gateway: 220.127.116.11 (Customer Premise Equipment)
The first step is to configure the outside interface to the IP address that was assigned by the ISP
Since the CPE (customer premise equipment) has an IP address of 18.104.22.168, we would assign the next address to the router.
Next is to set up a static default route pointing to the CPE. (41.49.6233):
Now the router should be able to reach the Internet. However, the networks behind the router (Guest, admin and users) cannot reach the Internet because they have private IP addressing which is not being routed to the Internet. So we need to setup NAT in order to translate the private IP addresses to the ISP’s public IP addresses. We can set up NAT using a four-step process:
Configure NAT interfaces
Configure NAT access list
Configure NAT pool
Configure NAT statement
To set up the NAT interfaces, we need to identify the inside and outside interfaces. In this case, the outside NAT interface is the Fast Ethernet 0/1 interface:
Similarly, you should apply the ip nat inside command to all the subinterfaces on R1.
Next, we should set up the NAT access-list; from our IP address scheme, we have three /28 addresses. Our NAT access list would be:
The next step in setting up NAT is to define the NAT pool. In this case, we have four more usable addresses from the ISP, which are 22.214.171.124, 126.96.36.199, 188.8.131.52 and 184.108.40.206 (220.127.116.11 is the broadcast address). So we set up the pool as shown below:
The final step in the NAT configuration is configuring the NAT statement:
The NAT statement says that if source IP address of traffic arriving at the inside interface matches access list NAT, then the source IP address should be translated to an address in the NAT pool. The overload command allows multiple addresses to be translated into a single address by changing the port numbers of the packets.
After setting up NAT, users on the inside network would be able to reach the Internet. A ping capture is shown below:
So we have met all the requirements that we set out to meet at the beginning of this article. The network is ready for sharing resources and all is well with the world. In order to do this, we have drawn from our knowledge of IP addressing, subnetting, switch ports, and VLANs configurations, DHCP, access-lists, and NAT and we have even explored a new concept of routing-on-a-stick! That’s awesome, right? Yeah, I thought so too. J
In the next post in this series, we will explore how to troubleshoot faults on the network using the OSI model as a troubleshooting guide.
Thank you for reading! I hope you have enjoyed this article and that you learned something useful, both for the exam and for the real world. Do not forget to drop your thoughts and answers in the comments section. See you soon!