Dec 3, 2009

Working with NAT with only one Fast Ethernet Connection

Problem:
One of my customers was not receiving the full throughput from his T-1 line. He inquired if I would like to help him solve his problem and I accepted. Here is my story and solution.
Tools:
Cisco 1721 with 1 T1 WIC Card
Cisco 3524 EN Switch
Proposed Network Diagram:


The Solution:
I arrived at the location and assessed the situation. My first thought was that something was connected in a loop or wired incorrectly. I verified all the connections and was still receiving slow internet speeds. Next I unplugged the Linksys router and tested while directly connected to the Cisco router. Speeds were good. I reconnected the Linksys router and speeds were not good. I spoke to the owner; he was very frustrated and wanted me to fix the issue. So I proposed removing the Linksys router and connecting the Cisco router to the Cisco switch. I could also configure the router to act as the NAT device by setting the switch up to accept a trunk connection. Other switch vendors call this 802.1q or tagged VLANs.
Our equipment is as follows:
Cisco 1721 Router with 1 T1 interface card and 1 Fast Ethernet card
Cisco 3524 Switch
Network Diagram:



The switch came first because it was the less complicated part of the configuration. Here are my objectives:
  1. Trunk one port to accept 802.1q vlan tagging from the Cisco 1721 router
  2. Set up 2 Vlans, One for the internet routable ip address range configured and one for the private address range for the LAN
  3. Set the ports on the switch to either Vlan 2 or Vlan 3
I set port one on the switch to trunk. Here is the configuration for FastEthernet0/1:
interface FastEthernet0/1
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport mode trunk
The next part is a little tricky: you need to enter vlan database from the enable prompt (#). This will let you define your VLANs.
#vlan database
#vlan 2 name outside
#vlan 3 name inside
#exit
The exit applies the vlan configuration to the database. Now add some ports to each vlan.

interface FastEthernet0/2
switchport access vlan 2
!
interface FastEthernet0/3
switchport access vlan 2
!
interface FastEthernet0/4
switchport access vlan 2
!
interface FastEthernet0/5
switchport access vlan 3
!
interface FastEthernet0/6
switchport access vlan 3
!
interface FastEthernet0/7
switchport access vlan 3
!
interface FastEthernet0/8
switchport access vlan 3
!
interface FastEthernet0/9
switchport access vlan 3

Write the configuration and the switch is complete.
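What the trunk on FastEthernet0/1 carries, as an added Python example that is not part of the original post: the switch inserts a 4-byte 802.1Q tag holding the VLAN ID, and the router uses that ID to pick one of the sub interfaces configured later in this post. The sample frame and its MAC address are constructed, and handing untagged frames to the main interface assumes no sub interface is marked native.

```python
import struct

TPID_8021Q = 0x8100
# Router sub interfaces from the post: 'encapsulation dot1Q 2' and 'encapsulation dot1Q 3'.
SUBINTERFACES = {2: "FastEthernet0.2", 3: "FastEthernet0.3"}


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Switch side: a frame from an access port leaves the trunk with a
    4-byte 802.1Q tag inserted after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vid  # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def classify(frame: bytes):
    """Router side: choose the receiving interface from the tag.
    Returns (interface name or None, frame with the tag removed)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        # Untagged (assumption: no native sub interface): the main interface,
        # which has 'no ip address', so the frame is not routed.
        return "FastEthernet0", frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    # A VLAN ID with no matching sub interface yields None: nothing receives it.
    return SUBINTERFACES.get(vid), frame[:12] + frame[16:]


# Constructed sample: broadcast frame (EtherType 0x0806) from a made-up host MAC.
SAMPLE = bytes.fromhex("ffffffffffff" "02005e000001" "0806") + b"\x00" * 28
```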
The router configuration is more complicated

Here are my objectives.
  1. Set the router’s Fast Ethernet interface to accept 802.1q
  2. Set up 2 sub interfaces, one for each subnet
  3. Set up NAT for internal LAN
  4. Set up DHCP for the Internal LAN
I need to set up the FastEthernet port with sub interfaces. This requires me to issue the “no ip address” command to clear any IP address on FastEthernet0.
Now I just create each sub interface. Vlan 2:

interface FastEthernet0.2
description Outside-IF
encapsulation dot1Q 2
ip address XXX.XXX.XXX.177 255.255.255.240 

Vlan 3:
interface FastEthernet0.3
description Inside-IF
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0

Next we need to set up NAT on the router. This is achieved by defining a pool of IP addresses that the inside (non-routable) addresses use to access the Internet. I would like to source all my NAT from the IP address XXX.XXX.XXX.179:
ip nat pool rtr-ovrload XXX.XXX.XXX.179 XXX.XXX.XXX.179 netmask 255.255.255.240
ip nat inside source list 1 pool rtr-ovrload overload

Now we need to set an access list to define which IP addresses are translated
access-list 1 permit 192.168.1.0 0.0.0.255
We need to set the interfaces which have the inside and outside NAT translations:
interface Virtual-Template1
ip nat outside
interface FastEthernet0.3
ip nat inside
All complete. Just test with the ping command, debug ip nat translations, traceroute
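A toy model of what "ip nat inside source list 1 pool rtr-ovrload overload" does to each flow, as an added Python example that is not part of the original post. 203.0.113.179 is a constructed stand-in for the masked XXX.XXX.XXX.179, and the next-free-port allocation is a simplification, not the actual IOS algorithm.

```python
import ipaddress

# Constructed stand-in for the post's masked XXX.XXX.XXX.179 (documentation range).
POOL_IP = "203.0.113.179"
# access-list 1 permit 192.168.1.0 0.0.0.255 (the wildcard mask is a host mask)
ACL_1 = ipaddress.ip_network("192.168.1.0/0.0.0.255")


class PatRouter:
    """Simplified model of NAT overload (PAT) onto a single pool address."""

    def __init__(self, pool_ip=POOL_IP, acl=ACL_1):
        self.pool_ip, self.acl = pool_ip, acl
        self.out = {}   # (proto, inside ip, inside port) -> global port
        self.back = {}  # (proto, global port) -> (inside ip, inside port)

    def outbound(self, proto, src_ip, src_port):
        """Packet entering on the 'ip nat inside' interface, heading outside."""
        if ipaddress.ip_address(src_ip) not in self.acl:
            return (src_ip, src_port)          # not matched by list 1: untranslated
        key = (proto, src_ip, src_port)
        if key not in self.out:
            port = src_port                    # try to keep the original source port
            while (proto, port) in self.back:  # already used by another flow
                port = port + 1 if port < 65535 else 1024
            self.out[key] = port
            self.back[(proto, port)] = (src_ip, src_port)
        return (self.pool_ip, self.out[key])

    def inbound(self, proto, dst_ip, dst_port):
        """Packet entering on the 'ip nat outside' interface."""
        if dst_ip != self.pool_ip:
            return (dst_ip, dst_port)          # not addressed to the pool: untouched
        # None means no translation entry exists, so no inside host receives it.
        return self.back.get((proto, dst_port))
```

Two LAN hosts using the same source port end up on different global ports of the one pool address, and return traffic only reaches a host whose outbound flow created the entry.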
The complete configuration of each component follows.
Cisco 1721 
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1721
!
boot-start-marker
boot-end-marker
!
enable secret 5 enable-password
!
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.2 192.168.1.200
!
ip dhcp pool inside-lan
network 192.168.1.0 255.255.255.0
domain-name dslinmaryland.com
default-router 192.168.1.1
dns-server X.X.X.X X.X.X.X
!
!
ip cef
no ip domain lookup
!
!
!
!
interface FastEthernet0
no ip address
speed 100
full-duplex
no keepalive
!
interface FastEthernet0.2
description Outside-IF
encapsulation dot1Q 2
ip address X.X.X.177 255.255.255.240
!
interface FastEthernet0.3
description Inside-IF
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0
no ip address
encapsulation frame-relay IETF
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
ip address negotiated
ip nat outside
ip virtual-reassembly
ppp chap hostname myhost
ppp chap password 7 mypassword
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
ip classless
no ip http server
!
ip nat pool rtr-ovrload X.X.X.179 X.X.X.179 netmask 255.255.255.240
ip nat inside source list 1 pool rtr-ovrload overload
!
access-list 1 permit 192.168.1.0 0.0.0.255

!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7 telnetpassword
login
!
end

Below is the 3524 Switch Configuration
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sw-govtloans
!
enable password 7 enable-password
!
!
!
ip subnet-zero
!
!
interface FastEthernet0/1
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 2
!
interface FastEthernet0/3
switchport access vlan 2
!
interface FastEthernet0/4
switchport access vlan 2
!
interface FastEthernet0/5
switchport access vlan 3
!
interface FastEthernet0/6
switchport access vlan 3
!
interface FastEthernet0/7
switchport access vlan 3
!
interface FastEthernet0/8
switchport access vlan 3
!
interface FastEthernet0/9
switchport access vlan 3
!
interface FastEthernet0/10
switchport access vlan 3
!
interface FastEthernet0/11
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/12
!
interface FastEthernet0/13
switchport access vlan 3
!
interface FastEthernet0/14
switchport access vlan 3
!
interface FastEthernet0/15
switchport access vlan 3
!
interface FastEthernet0/16
switchport access vlan 3
!
interface FastEthernet0/17
switchport access vlan 3
!
interface FastEthernet0/18
switchport access vlan 3
!
interface FastEthernet0/19
switchport access vlan 3
!
interface FastEthernet0/20
switchport access vlan 3
!
interface FastEthernet0/21
switchport access vlan 3
!
interface FastEthernet0/22
switchport access vlan 3
!
interface FastEthernet0/23
switchport access vlan 3
!
interface FastEthernet0/24
switchport access vlan 3
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN3
ip address 192.168.1.254 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
!
line con 0
transport input none
stopbits 1
line vty 5 15
password 7 telnetpassword
login
!
end





