Router On A Stick


https://networkguy.de/?p=177


Today I will show you how to build a so-called "Router-on-a-stick" environment. In this example we have one
Cisco router, one HP ProCurve switch and three subnets: the Server LAN 192.168.15.0/24, the Marketing LAN
192.168.23.0/24 and the Sales LAN 192.168.54.0/24.

First we configure stateful inspection (CBAC) profiles for each LAN, so that when a host inside opens a
connection to the internet, the return packets are let back in past the access-list on our inbound WAN interface:

ip inspect name Marketing tcp
ip inspect name Marketing udp
ip inspect name Marketing icmp
ip inspect name Sales tcp
ip inspect name Sales udp
ip inspect name Sales icmp
ip inspect name Server tcp
ip inspect name Server udp
ip inspect name Server icmp

To reach the internet we need to NAT overload (PAT) the packets going to public IP addresses; in this example
the outside interface is a PPPoE DSL Dialer interface. The tonat list excludes the RFC 1918 private ranges, so
only traffic destined for public addresses is translated:

ip access-list extended tonat
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any

ip nat inside source list tonat interface Dialer1 overload

interface Dialer1
ip nat outside
ip access-group wan_in in

ip access-list extended wan_in
remark Inbound ACL for VPN traffic
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp

Only IPsec (AH, ESP) and IKE traffic may initiate connections from the outside; everything else arriving on
the WAN interface is dropped by the implicit deny at the end of the list, while return traffic for sessions
opened from inside is admitted by the inspection entries created above.

Now it's time to configure sub-interfaces on the interface that is connected to our primary HP ProCurve
switch. Leave the physical interface at its default settings, without an IP address:

interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
Now we configure the sub-interfaces on that interface. The Server LAN uses VLAN 1 as the native VLAN and
leaves the router untagged; the Marketing and Sales subnets get the 802.1Q tags 10 and 20:

interface GigabitEthernet0/0.1
description Server LAN
encapsulation dot1Q 1 native
ip address 192.168.15.254 255.255.255.0
ip nat inside
ip inspect Server in
ip virtual-reassembly in
ip tcp adjust-mss 1452

interface GigabitEthernet0/0.10
description Marketing LAN
encapsulation dot1Q 10
ip address 192.168.23.254 255.255.255.0
ip nat inside
ip inspect Marketing in
ip virtual-reassembly in
ip tcp adjust-mss 1452

interface GigabitEthernet0/0.20
description Sales LAN
encapsulation dot1Q 20
ip address 192.168.54.254 255.255.255.0
ip nat inside
ip inspect Sales in
ip virtual-reassembly in
ip tcp adjust-mss 1452
We can also configure access-lists on the sub-interfaces to deny packets going between the Sales and
Marketing networks while still letting them reach the server LAN and the internet:

ip access-list extended sales_in
deny ip 192.168.54.0 0.0.0.255 192.168.23.0 0.0.0.255
permit ip 192.168.54.0 0.0.0.255 any

interface GigabitEthernet0/0.20
ip access-group sales_in in

ip access-list extended marketing_in
deny ip 192.168.23.0 0.0.0.255 192.168.54.0 0.0.0.255
permit ip 192.168.23.0 0.0.0.255 any

interface GigabitEthernet0/0.10
ip access-group marketing_in in
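To see what these wildcard-mask lists actually do, here is an added example (my own code, not part of the original post): a small Python evaluator for the address part of IOS extended ACL semantics, first match wins and an implicit deny at the end, run over the sales_in, marketing_in and tonat lists above with constructed sample hosts. Port qualifiers such as "eq isakmp" are not modelled, so the wan_in list is out of scope here.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS extended ACL (port qualifiers are not modelled)."""
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", "udp", "icmp", ...
    src: str     # "any" or "<address> <wildcard>"
    dst: str


def match_addr(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_acl(text: str) -> list[Ace]:
    """Parse the body of an 'ip access-list extended' block; remark lines are skipped."""

    def take(tokens: list[str]) -> tuple[str, list[str]]:
        # an address spec is either the single token "any" or "<address> <wildcard>"
        if tokens[0] == "any":
            return "any", tokens[1:]
        return " ".join(tokens[:2]), tokens[2:]

    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "remark":
            continue
        action, proto, rest = parts[0], parts[1], parts[2:]
        src, rest = take(rest)
        dst, _ = take(rest)
        aces.append(Ace(action, proto, src, dst))
    return aces


def evaluate(acl: list[Ace], proto: str, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto in ("ip", proto) and match_addr(ace.src, src) and match_addr(ace.dst, dst):
            return ace.action
    return "deny"


# The three address-only lists from the post.
SALES_IN = parse_acl("""
deny ip 192.168.54.0 0.0.0.255 192.168.23.0 0.0.0.255
permit ip 192.168.54.0 0.0.0.255 any
""")
MARKETING_IN = parse_acl("""
deny ip 192.168.23.0 0.0.0.255 192.168.54.0 0.0.0.255
permit ip 192.168.23.0 0.0.0.255 any
""")
TONAT = parse_acl("""
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
""")


def demo() -> dict[str, str]:
    """Constructed sample flows (the hosts are made up) and the verdict each list gives."""
    return {
        "sales->marketing": evaluate(SALES_IN, "tcp", "192.168.54.10", "192.168.23.10"),
        "sales->server": evaluate(SALES_IN, "tcp", "192.168.54.10", "192.168.15.5"),
        "sales->internet": evaluate(SALES_IN, "udp", "192.168.54.10", "198.51.100.7"),
        # a source that is not in the Sales subnet matches nothing: implicit deny
        "spoofed-src-on-sales": evaluate(SALES_IN, "tcp", "10.9.9.9", "198.51.100.7"),
        "marketing->sales": evaluate(MARKETING_IN, "icmp", "192.168.23.7", "192.168.54.3"),
        # tonat: "deny" means the packet is NOT translated, not that it is dropped
        "nat: to 172.20.1.1": evaluate(TONAT, "tcp", "192.168.54.10", "172.20.1.1"),
        "nat: to 172.32.0.1": evaluate(TONAT, "tcp", "192.168.54.10", "172.32.0.1"),
        "nat: to internet": evaluate(TONAT, "tcp", "192.168.54.10", "198.51.100.7"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:24} {verdict}")
```

Two things the table of verdicts makes visible: the permit entries name the subnet as source, so a packet with a foreign source address arriving on the Sales sub-interface falls through to the implicit deny, and the wildcard 0.15.255.255 covers exactly 172.16.0.0 through 172.31.255.255, so 172.32.0.1 is treated as a public address and gets translated.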
On a Cisco router, the interface that carries the sub-interfaces always needs a native VLAN; its packets are
sent without an 802.1Q tag. As the last step we configure the HP ProCurve switch; we take a 2510 with 24 ports.

The port assignment is as follows:

Port 1-12: VLAN 10 (Marketing LAN)
Port 13-20: VLAN 20 (Sales LAN)
Port 21-23: VLAN 1 (Server LAN)
Port 24: VLAN Trunk (Cisco Router)

Configuration of the switch (the address on VLAN 1 is the management address of the switch; it has to be in
the Server LAN subnet 192.168.15.0/24, because VLAN 1 is the router's native VLAN with 192.168.15.254):

vlan 1
name "Server LAN"
untagged 21-24
ip address 192.168.15.250 255.255.255.0
no untagged 1-20
exit
vlan 10
name "Marketing LAN"
untagged 1-12
tagged 24
exit
vlan 20
name "Sales LAN"
untagged 13-20
tagged 24
exit
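The trunk on port 24 only works if both sides agree: VLAN 1 untagged (the router's native VLAN), VLANs 10 and 20 tagged, and the switch's VLAN 1 management address inside the router's 192.168.15.0/24. As an added example, not part of the original post, the following Python script parses the ProCurve VLAN blocks and checks them against the router sub-interfaces. The switch text is the one above with the management address placed in the Server LAN subnet; the "broken" variant is constructed here only to show what the check reports.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class SubIf:  # a router sub-interface: 802.1Q tag, native flag, "ip mask" address
    name: str
    vlan: int
    native: bool
    address: str


@dataclass
class SwitchVlan:  # one ProCurve VLAN with its untagged/tagged port membership
    vid: int
    untagged: set[int] = field(default_factory=set)
    tagged: set[int] = field(default_factory=set)
    ip: str | None = None


def parse_ports(spec: str) -> set[int]:
    """ProCurve port lists: '24', '1-12' or '1-12,24'."""
    ports: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_procurve(text: str) -> dict[int, SwitchVlan]:
    """Minimal reader for the 'vlan N ... exit' blocks in the post; other lines are ignored."""
    vlans: dict[int, SwitchVlan] = {}
    cur: SwitchVlan | None = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "vlan":
            cur = vlans.setdefault(int(parts[1]), SwitchVlan(int(parts[1])))
        elif cur is None:
            continue
        elif parts[:2] == ["no", "untagged"]:
            cur.untagged -= parse_ports(parts[2])
        elif parts[0] == "untagged":
            cur.untagged |= parse_ports(parts[1])
        elif parts[0] == "tagged":
            cur.tagged |= parse_ports(parts[1])
        elif parts[:2] == ["ip", "address"]:
            cur.ip = f"{parts[2]} {parts[3]}"
    return vlans


def check_trunk(subifs: list[SubIf], vlans: dict[int, SwitchVlan], trunk_port: int) -> list[str]:
    """Mismatches between the router side and the switch side of the trunk (empty = consistent)."""
    problems: list[str] = []
    for s in subifs:
        v = vlans.get(s.vlan)
        if v is None:
            problems.append(f"{s.name}: VLAN {s.vlan} is not defined on the switch")
            continue
        # the native VLAN travels untagged, every other VLAN must be tagged on the trunk port
        if s.native and trunk_port not in v.untagged:
            problems.append(f"{s.name}: native VLAN {s.vlan} must be untagged on port {trunk_port}")
        if not s.native and trunk_port not in v.tagged:
            problems.append(f"{s.name}: VLAN {s.vlan} must be tagged on port {trunk_port}")
        # a switch management address is only reachable if it sits in the router's subnet for that VLAN
        if v.ip:
            sw = ipaddress.ip_interface(v.ip.replace(" ", "/"))
            rt = ipaddress.ip_interface(s.address.replace(" ", "/"))
            if sw.network != rt.network:
                problems.append(f"VLAN {s.vlan}: switch address {sw.ip} is not in {rt.network}")
    return problems


# Router side, as configured in the post.
ROUTER_SUBIFS = [
    SubIf("GigabitEthernet0/0.1", 1, True, "192.168.15.254 255.255.255.0"),
    SubIf("GigabitEthernet0/0.10", 10, False, "192.168.23.254 255.255.255.0"),
    SubIf("GigabitEthernet0/0.20", 20, False, "192.168.54.254 255.255.255.0"),
]

# Switch side, as in the post, with the management address inside the Server LAN subnet.
SWITCH_OK = """
vlan 1
name "Server LAN"
untagged 21-24
ip address 192.168.15.250 255.255.255.0
no untagged 1-20
exit
vlan 10
name "Marketing LAN"
untagged 1-12
tagged 24
exit
vlan 20
name "Sales LAN"
untagged 13-20
tagged 24
exit
"""

# Constructed misconfiguration: port 24 tags VLAN 1 although the router sends it untagged,
# and the management address is taken from the Marketing subnet.
SWITCH_BROKEN = SWITCH_OK.replace("untagged 21-24", "untagged 21-23\ntagged 24").replace("192.168.15.250", "192.168.23.250")


def check_switch(switch_config: str) -> list[str]:
    return check_trunk(ROUTER_SUBIFS, parse_procurve(switch_config), trunk_port=24)


if __name__ == "__main__":
    print("post config:", check_switch(SWITCH_OK) or "consistent")
    print("broken config:", check_switch(SWITCH_BROKEN))
```

The check is deliberately one-directional: it verifies that every router sub-interface has a matching VLAN with the right trunk membership, which is what decides whether hosts in a VLAN can reach their gateway. VLANs that exist only on the switch are not reported, since they simply stay local to the switch.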
Don't forget to save the router and switch configuration with "write memory". Now you have a complete
router-on-a-stick infrastructure. Feel free to ask questions in the comments below.


Michel
19. March 2014 at 11:18 | Reply

Hi Mikhail,

thank you! You can configure different DHCP scopes on the Cisco router like this:

ip dhcp pool VLAN1DHCPSCOPE
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.1
domain-name company.local
lease 2

ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254

ip dhcp pool VLAN10DHCPSCOPE
network 192.168.10.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.10.1
domain-name company.local
lease 2

ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.150 192.168.10.254

ip dhcp pool VLAN20DHCPSCOPE
network 192.168.20.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.20.1
domain-name company.local
lease 2

ip dhcp excluded-address 192.168.20.1 192.168.20.99
ip dhcp excluded-address 192.168.20.150 192.168.20.254

The scope will only give IP addresses to clients in a subnet where the router has a routed interface. So
"VLAN1DHCPSCOPE" will only give IP addresses from 192.168.1.100-149.

After your configuration you can start the service with "service dhcp" and watch the bindings with "show
ip dhcp binding". When you have placed an access-list inbound on a VLAN interface, keep in mind that you
have to allow the IP-less bootps packets like this:

ip access-list extended lan_in
permit udp any any eq bootps

Mikhail Magpayo
19. March 2014 at 12:44 | Reply

Wow, I didn’t expect such a quick reply thank you!

You will have to forgive me as I am quite new to Cisco router config and VLANing. I am used to configuring
via web UIs, but I am reasonably comfortable with the CLI, as I have spent so much time trying to work out
this configuration in the last couple of weeks.

Basically, I have a Cisco 881 router and a HP ProCurve 2520 series and want to have 2 VLANs. (I
googled this and your page came up first!)

Like you explained above, I have 2 VLANs configured with DHCP on the 881:

VLAN1 = Management 10.1.1.0/24
VLAN2 = Guest 172.1.1.0/24 (completely isolated from VLAN1)

Cisco 881 FE0 > straight patch HP ProCurve Port 24

When the switch is in default mode with native VLAN1 across 1-24 I get DHCP address fine from the
10.1.1.0/24 network.

This is as far as I got, as I think I am doing something wrong with the ProCurve switch or the Cisco 881.

I know FE0 needs to be set up as an 802.1q trunk with sub-interfaces for the 2 VLANs.
I am unsure if this has been configured correctly, as every tutorial describes the same commands
(FA0/0.1); this has never worked for this router for some reason, so I am assuming the sub-interfaces
are assigned to FE0 somehow (a friend of mine said he found a way to do it).

On the HP ProCurve I know I need to tag port 24 for VLAN1 + VLAN2 for 802.1q.

Ports 3-12 are untagged for VLAN1
Ports 13-23 are untagged for VLAN2
Ports 1-2 will have a Ruckus Zone Director and access point. It will have 2 SSIDs, one for VLAN1, the
other for VLAN2 – I'm presuming I tag ports 1-2 for VLAN1+VLAN2.

However, when I patch into any port after I have configured the VLANs on the switch, I get a self-assigned
IP address of 169.xxx.xxx.xxx, and from there I have to default the switch and start again. I was
thinking it was some kind of DHCP issue, but I don't think that's the case, as I get DHCP when the switch
is in default and native VLAN across all ports.

I am at a loss now, as every tutorial I have tried does not work.

I appreciate your response. I will definitely be keeping up with your blog!



Michel
19. March 2014 at 14:17 | Reply

Then your config will be like this:

ProCurve Switch:

vlan 1
untagged 24

vlan 2
tagged 24

Cisco Router:

default interface FastEthernet0

interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 10.1.1.x 255.255.255.0

interface FastEthernet0.2
encapsulation dot1Q 2
ip address 172.1.1.x 255.255.255.0

One VLAN interface needs to be native on the Cisco router (native = no VLAN tag on the IP packet), so you
don't tag it on the HP switch. Only the other VLANs will be tagged (in your example VLAN 2).

Try this and contact me again if it's working. You can also send me your Cisco router and HP switch
config; it's the "show run" output. You can find my mail address here:
http://www.google.com/recaptcha/mailhide/d?k=01-KfNaX7fWLTHh7BlPfSmYg==&c=Shd3_hwuUfmGT_Kan8Af3LC9KD0pKJALlMKCEy6AVpY=

wal
26. August 2014 at 04:24
Thanks. That helped.
laposki
22. April 2014 at 16:58 | Reply
Can you shed light on my config as well, please? Trying to get a Cisco ASA sub-interface to communicate with an
HP ProCurve dynamic trunk running with GVRP. Any ideas?


Michel
22. April 2014 at 20:15 | Reply

Hi laposki,

you can configure sub-interfaces like this:

asa(config)#interface gigabitethernet0/1.22
asa(config-if)# vlan 22

You can also post your anonymised ASA and ProCurve switch config, or you can write me an email. The address
can be found after typing the captcha:
http://www.google.com/recaptcha/mailhide/d?k=01-KfNaX7fWLTHh7BlPfSmYg==&c=Shd3_hwuUfmGT_Kan8Af3LC9KD0pKJALlMKCEy6AVpY=
