Complete CCNA-level guide for configuring Cisco router as NAT gateway with Metro Ethernet connectivity and VLAN segmentation. Step-by-step configuration for enterprise network deployment with security best practices.
Cisco Router NAT Configuration Guide for Metro Ethernet with VLANs
Table of Contents
- Overview
- Prerequisites
- Network Topology
- Initial Router Configuration
- WAN Interface Configuration
- VLAN Configuration
- NAT Configuration
- DHCP Configuration
- Security Configuration
- Verification and Troubleshooting
Overview
This guide provides a complete, step-by-step configuration for setting up a Cisco router as a NAT gateway connecting to Metro Ethernet internet service with VLAN segmentation. This configuration is suitable for small to medium business environments.
What you will achieve:
- Connect to Metro Ethernet service provider
- Configure NAT/PAT for internet access
- Implement VLAN segmentation for network organization
- Configure DHCP services
- Implement basic security measures
Prerequisites
Hardware Requirements
- Cisco router (ISR series: 1900, 2900, 3900, or 4000 series recommended)
- Layer 2/3 switch with VLAN support
- Console cable for initial configuration
- Ethernet cables
Software Requirements
- Cisco IOS 15.0 or later on ISR 1900, 2900 and 3900, or IOS XE on ISR 1100 and 4000. Interface names differ by platform: this guide uses the three-part ISR 4000 names (GigabitEthernet0/0/0, GigabitEthernet0/0/1); on ISR 1900, 2900 and 3900 the onboard ports are GigabitEthernet0/0 and GigabitEthernet0/1, so substitute accordingly
- Terminal emulation software (PuTTY, SecureCRT, or Tera Term)
Information Needed from ISP
- Metro Ethernet connection type (typically Ethernet handoff)
- IP address allocation (static or DHCP)
- Subnet mask
- Default gateway
- DNS servers
- VLAN ID (if required by ISP)
Network Planning
- Internal IP addressing scheme
- VLAN structure and numbering
- NAT pool (if using dynamic NAT)
Network Topology
Internet (Metro Ethernet)
        |
        | (ISP VLAN - if required)
        |
[WAN Port] - GigabitEthernet0/0/0
        |
Cisco Router (NAT Gateway)
        |
[LAN Port] - GigabitEthernet0/0/1 (Trunk)
        |
   Layer 2/3 Switch
        |
   +----+----+----+
   |    |    |    |
 VLAN VLAN VLAN VLAN
  10   20   30   99
   |    |    |    |
Users Voice Guests Mgmt
Sample Network Design:
- VLAN 10: Corporate Users (192.168.10.0/24)
- VLAN 20: Voice/VoIP (192.168.20.0/24)
- VLAN 30: Guest Network (192.168.30.0/24)
- VLAN 99: Management (192.168.99.0/24)
- WAN: Provided by ISP (e.g., 203.0.113.0/30)
Initial Router Configuration
Step 1: Connect to the Router
- Connect console cable from your PC to the router's console port
- Open terminal emulation software with these settings:
- Baud rate: 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None
Step 2: Enter Privileged Mode
Router> enable
Router#
Step 3: Enter Global Configuration Mode
Router# configure terminal
Router(config)#
Step 4: Set Hostname
Router(config)# hostname CompanyRouter
CompanyRouter(config)#
Step 5: Secure the Router
! Create the administrative user first, so the "login local" commands below have an account to check against
CompanyRouter(config)# username admin privilege 15 secret Adm1nP@ss!
! Set the enable secret (stored as a hash; never use the legacy "enable password", whose type 7 encoding is reversible)
CompanyRouter(config)# enable secret Str0ngP@ssw0rd!
! Configure the console to authenticate against the local user database rather than a line password
CompanyRouter(config)# line console 0
CompanyRouter(config-line)# login local
CompanyRouter(config-line)# logging synchronous
CompanyRouter(config-line)# exec-timeout 5 0
CompanyRouter(config-line)# exit
! Configure VTY lines for SSH only. With "login local" a line "password" would be ignored anyway, so none is set
CompanyRouter(config)# line vty 0 4
CompanyRouter(config-line)# login local
CompanyRouter(config-line)# transport input ssh
CompanyRouter(config-line)# exec-timeout 10 0
CompanyRouter(config-line)# exit
Step 6: Configure SSH
! Set domain name (required for SSH)
CompanyRouter(config)# ip domain-name company.local
! Generate RSA key pair
CompanyRouter(config)# crypto key generate rsa modulus 2048
! Configure SSH version 2
CompanyRouter(config)# ip ssh version 2
CompanyRouter(config)# ip ssh time-out 60
CompanyRouter(config)# ip ssh authentication-retries 3
Step 7: Configure Basic Services
! Disable unused services. CDP stays enabled on the switch, where Cisco IP phones learn their voice VLAN from it; the router does not need it and should not advertise itself toward the ISP
CompanyRouter(config)# no ip http server
CompanyRouter(config)# no ip http secure-server
CompanyRouter(config)# no cdp run
CompanyRouter(config)# no ip source-route
! Enable service timestamps
CompanyRouter(config)# service timestamps debug datetime msec
CompanyRouter(config)# service timestamps log datetime msec
! Obscure any remaining plaintext line passwords in the configuration. This is type 7 encoding, which is trivially reversible: it only hides passwords from a casual "show run", so real credentials must always be stored with "secret"
CompanyRouter(config)# service password-encryption
! Configure banner
CompanyRouter(config)# banner motd #
****************************************************
* UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
* All connections are monitored and recorded
* Disconnect IMMEDIATELY if you are not authorized
****************************************************
#
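Steps 5 to 7 leave two gaps a reviewer would flag: the SSH service answers on every interface, including the Metro Ethernet address, and nothing slows down password guessing. The following is an added example, not part of the original guide, that closes both. It assumes the admin user, the enable secret and the management VLAN 99 (192.168.99.0/24) defined above; the ACL name MGMT_ONLY and the lockout thresholds are choices made for this example.

```cisco
! Management-plane hardening. Added example, not part of the original guide.
! Assumes the admin user, the enable secret and VLAN 99 (192.168.99.0/24) from the
! steps above; MGMT_ONLY and the lockout numbers are choices for this example.
!
! 1. Scrypt (type 9) hashes instead of the MD5-based type 5 hash that a plain "secret"
!    produces on 15.x images (algorithm-type is available from IOS 15.3(3)M / IOS XE 3.9).
enable algorithm-type scrypt secret Str0ngP@ssw0rd!
username admin privilege 15 algorithm-type scrypt secret Adm1nP@ss!
!
! 2. Restrict the VTY lines to the management VLAN. Without this, the SSH port is
!    reachable from the Internet through the WAN address. "log" records refused attempts.
ip access-list standard MGMT_ONLY
 remark Management VLAN 99 only
 permit 192.168.99.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT_ONLY in
 login local
 transport input ssh
 exec-timeout 10 0
!
! 3. Throttle online guessing: after 5 failures within 60 s, refuse new logins for 120 s,
!    except from the management VLAN, and log both failed and successful logins.
login block-for 120 attempts 5 within 60
login quiet-mode access-class MGMT_ONLY
login on-failure log
login on-success log
!
! 4. SSH is the only management protocol this design needs. Make sure no SNMP community
!    (often "public"/"private" in copied examples) is left behind; re-enable with SNMPv3
!    authPriv only if a monitoring system requires it.
no snmp-server
```

After applying this, "show running-config | include transport input|password 7" should print nothing but "transport input ssh": any "password 7" line that still appears is a reversible credential that should be converted to a "secret". Test the access-class from a host outside VLAN 99 before closing the console session, since a mistake here locks you out of remote management.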
WAN Interface Configuration
Scenario A: Static IP from ISP (Most Common)
! Configure WAN interface with static IP
CompanyRouter(config)# interface GigabitEthernet0/0/0
CompanyRouter(config-if)# description WAN - Metro Ethernet Connection
CompanyRouter(config-if)# ip address 203.0.113.2 255.255.255.252
CompanyRouter(config-if)# ip nat outside
CompanyRouter(config-if)# no shutdown
CompanyRouter(config-if)# exit
! Configure default route
CompanyRouter(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1
Scenario B: ISP Requires VLAN Tagging
! Create subinterface for ISP VLAN. In this scenario every later command this guide applies to GigabitEthernet0/0/0 (ip nat outside, ip access-group, ip verify unicast, the NAT overload statement) belongs on GigabitEthernet0/0/0.100 instead; the physical interface carries no IP
CompanyRouter(config)# interface GigabitEthernet0/0/0
CompanyRouter(config-if)# description WAN - Physical Interface
CompanyRouter(config-if)# no ip address
CompanyRouter(config-if)# no shutdown
CompanyRouter(config-if)# exit
CompanyRouter(config)# interface GigabitEthernet0/0/0.100
CompanyRouter(config-subif)# description WAN - Metro Ethernet VLAN 100
CompanyRouter(config-subif)# encapsulation dot1Q 100
CompanyRouter(config-subif)# ip address 203.0.113.2 255.255.255.252
CompanyRouter(config-subif)# ip nat outside
CompanyRouter(config-subif)# exit
! Configure default route
CompanyRouter(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1
Scenario C: DHCP from ISP (Less Common)
! Configure WAN interface for DHCP
CompanyRouter(config)# interface GigabitEthernet0/0/0
CompanyRouter(config-if)# description WAN - Metro Ethernet DHCP
CompanyRouter(config-if)# ip address dhcp
CompanyRouter(config-if)# ip nat outside
CompanyRouter(config-if)# no shutdown
CompanyRouter(config-if)# exit
! Configure default route (automatically created by DHCP)
! Verify with: show ip route
Configure DNS
! Configure DNS servers (use ISP provided or public DNS)
CompanyRouter(config)# ip name-server 8.8.8.8 8.8.4.4
! Enable DNS lookup (usually enabled by default)
CompanyRouter(config)# ip domain-lookup
VLAN Configuration
Step 1: Configure Trunk Port on Router
! Configure LAN interface as trunk
CompanyRouter(config)# interface GigabitEthernet0/0/1
CompanyRouter(config-if)# description LAN - Trunk to Core Switch
CompanyRouter(config-if)# no ip address
CompanyRouter(config-if)# no shutdown
CompanyRouter(config-if)# exit
Step 2: Create VLAN Subinterfaces
! VLAN 10 - Corporate Users
CompanyRouter(config)# interface GigabitEthernet0/0/1.10
CompanyRouter(config-subif)# description VLAN 10 - Corporate Users
CompanyRouter(config-subif)# encapsulation dot1Q 10
CompanyRouter(config-subif)# ip address 192.168.10.1 255.255.255.0
CompanyRouter(config-subif)# ip nat inside
CompanyRouter(config-subif)# exit
! VLAN 20 - Voice/VoIP
CompanyRouter(config)# interface GigabitEthernet0/0/1.20
CompanyRouter(config-subif)# description VLAN 20 - Voice
CompanyRouter(config-subif)# encapsulation dot1Q 20
CompanyRouter(config-subif)# ip address 192.168.20.1 255.255.255.0
CompanyRouter(config-subif)# ip nat inside
CompanyRouter(config-subif)# exit
! VLAN 30 - Guest Network
CompanyRouter(config)# interface GigabitEthernet0/0/1.30
CompanyRouter(config-subif)# description VLAN 30 - Guest Network
CompanyRouter(config-subif)# encapsulation dot1Q 30
CompanyRouter(config-subif)# ip address 192.168.30.1 255.255.255.0
CompanyRouter(config-subif)# ip nat inside
CompanyRouter(config-subif)# exit
! VLAN 99 - Management
CompanyRouter(config)# interface GigabitEthernet0/0/1.99
CompanyRouter(config-subif)# description VLAN 99 - Management
CompanyRouter(config-subif)# encapsulation dot1Q 99
CompanyRouter(config-subif)# ip address 192.168.99.1 255.255.255.0
CompanyRouter(config-subif)# exit
Step 3: Configure Switch (Basic VLAN Setup)
! On the Layer 2 Switch
Switch> enable
Switch# configure terminal
! Create VLANs
Switch(config)# vlan 10
Switch(config-vlan)# name Corporate
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Voice
Switch(config-vlan)# exit
Switch(config)# vlan 30
Switch(config-vlan)# name Guest
Switch(config-vlan)# exit
Switch(config)# vlan 99
Switch(config-vlan)# name Management
Switch(config-vlan)# exit
! Configure trunk port to router. The native VLAN must exist on the switch and must carry no user traffic, so it is created here as an empty VLAN; an undefined native VLAN is a common cause of a trunk that is up but passes nothing
Switch(config)# vlan 999
Switch(config-vlan)# name Native_Unused
Switch(config-vlan)# exit
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# description Trunk to Router
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30,99
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# no shutdown
Switch(config-if)# exit
! Configure access ports (example): data VLAN 10 for the PC and voice VLAN 20 for the phone it is daisy-chained through; without the voice VLAN statement phones never reach the VLAN 20 DHCP pool
Switch(config)# interface range GigabitEthernet0/2-10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport voice vlan 20
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# exit
! Configure management VLAN
Switch(config)# interface vlan 99
Switch(config-if)# ip address 192.168.99.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.99.1
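The switch steps above give a working VLAN layout but no protection against the attacks that are trivial from an access port: a rogue DHCP server, ARP spoofing of the gateway, a plugged-in switch taking over spanning tree, and DTP negotiating a trunk. The following is an added example, not part of the original guide, that hardens the same switch. It assumes the VLANs, the trunk on GigabitEthernet0/1 and the access ports 0/2-10 from the steps above, a 24-port switch with ports 0/11-24 unused, and that DHCP is served by the router across the trunk; names and thresholds are choices for this example.

```cisco
! Switch-side hardening for the access layer. Added example, not part of the original guide.
! Assumes the VLANs, the trunk on GigabitEthernet0/1 and access ports 0/2-10 from the steps
! above, a 24-port switch (0/11-24 unused) and DHCP served by the router through the trunk.
!
! 1. The trunk's native VLAN must exist and must carry nothing: create it as an empty VLAN.
vlan 999
 name NATIVE_UNUSED
!
interface GigabitEthernet0/1
 description Trunk to Router
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! 2. Access ports: data VLAN for the PC, voice VLAN for the phone in front of it, no DTP,
!    BPDU guard (a rogue switch is err-disabled instead of becoming root) and port security
!    limited to phone + PC + phone's second MAC.
interface range GigabitEthernet0/2 - 10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! 3. DHCP snooping: offers are accepted only on the trusted router-facing trunk, so a rogue
!    DHCP server on an access port cannot hand out a malicious gateway or DNS server.
!    Option 82 insertion is turned off because the IOS DHCP server on the router drops
!    relay-information packets arriving from untrusted sources by default.
!    Dynamic ARP inspection then uses the snooping binding table to drop spoofed ARP.
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
no ip dhcp snooping information option
ip arp inspection vlan 10,20,30
!
! 4. Unused ports: shut down and parked in the empty VLAN.
interface range GigabitEthernet0/11 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 5. Same management rule as on the router: SSH only, from VLAN 99 only.
ip domain-name company.local
username admin privilege 15 secret Adm1nP@ss!
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT_ONLY
 permit 192.168.99.0 0.0.0.255
line vty 0 15
 access-class MGMT_ONLY in
 login local
 transport input ssh
```

Hosts with static addresses (the web server 192.168.10.50 in the NAT section, for instance) have no snooping binding, so dynamic ARP inspection drops their ARP unless their port is trusted or an arp access-list covers them. Verify with "show ip dhcp snooping binding", "show ip arp inspection" and "show port-security interface"; an access port that goes err-disabled after this change is usually a second switch or a hub on the wrong side of BPDU guard.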
NAT Configuration
Step 1: Configure NAT Pool (Optional - for Dynamic NAT)
! Create a NAT pool only if the ISP routes an additional public block to your WAN address (an assumed 203.0.113.16/28 is used here); the /30 of the WAN link itself has no spare addresses. The start and end addresses must fall inside the subnet defined by "netmask", otherwise IOS rejects the pool
CompanyRouter(config)# ip nat pool PUBLIC_POOL 203.0.113.17 203.0.113.30 netmask 255.255.255.240
Step 2: Configure Access Control List
! Create ACL to define inside networks allowed to NAT
CompanyRouter(config)# access-list 1 remark Corporate Users
CompanyRouter(config)# access-list 1 permit 192.168.10.0 0.0.0.255
CompanyRouter(config)# access-list 1 remark Voice VLAN
CompanyRouter(config)# access-list 1 permit 192.168.20.0 0.0.0.255
CompanyRouter(config)# access-list 1 remark Guest Network
CompanyRouter(config)# access-list 1 permit 192.168.30.0 0.0.0.255
! Alternative: Use extended ACL for more granular control
CompanyRouter(config)# ip access-list extended NAT_INTERNAL
CompanyRouter(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 any
CompanyRouter(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any
CompanyRouter(config-ext-nacl)# permit ip 192.168.30.0 0.0.0.255 any
CompanyRouter(config-ext-nacl)# exit
Step 3: Configure NAT Overload (PAT)
Use one of the two methods for access-list 1, not both. In Scenario B the outside interface is GigabitEthernet0/0/0.100.
Method A: NAT Overload with Interface (Most Common)
! Configure NAT overload using the outside interface address. This form also works in Scenario C, because it follows whatever address DHCP assigns
CompanyRouter(config)# ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
Method B: NAT Overload with Pool
! Configure NAT overload using IP pool
CompanyRouter(config)# ip nat inside source list 1 pool PUBLIC_POOL overload
Step 4: Configure Static NAT (For Servers)
! Example: one-to-one map of an internal web server to a public IP. This only works if the ISP routes that address to your WAN address (here 203.0.113.17 from the assumed extra block 203.0.113.16/28); with a bare /30 there is no spare public IP and port forwarding on the interface address, below, is the only option
CompanyRouter(config)# ip nat inside source static 192.168.10.50 203.0.113.17
! Alternative: port forwarding (PAT) of specific services on the WAN interface address. The "interface" keyword avoids hard-coding the address and also works in Scenario C
CompanyRouter(config)# ip nat inside source static tcp 192.168.10.50 80 interface GigabitEthernet0/0/0 80
CompanyRouter(config)# ip nat inside source static tcp 192.168.10.50 443 interface GigabitEthernet0/0/0 443
! Every static entry is reachable from the entire Internet unless the inbound WAN ACL or a firewall policy restricts it. Do not publish RDP (TCP 3389) this way: it is a standing target for credential guessing and exploitation, and should be reached through a VPN. The entry is shown only so it can be recognized and removed
CompanyRouter(config)# ip nat inside source static tcp 192.168.10.51 3389 203.0.113.2 3389
Step 5: Configure NAT for VPN Passthrough (Optional)
! Allow an internal IPsec endpoint (assumed 192.168.10.100) to be reached through NAT. ESP has no ports, so it is mapped with the "esp ... interface" form; IKE (UDP 500) and NAT-T (UDP 4500) are ordinary port forwards. Modern IPsec peers detect NAT and carry ESP inside UDP 4500, so the ESP mapping is only needed for peers that do not support NAT-T
CompanyRouter(config)# ip nat inside source static esp 192.168.10.100 interface GigabitEthernet0/0/0
CompanyRouter(config)# ip nat inside source static udp 192.168.10.100 500 interface GigabitEthernet0/0/0 500
CompanyRouter(config)# ip nat inside source static udp 192.168.10.100 4500 interface GigabitEthernet0/0/0 4500
DHCP Configuration
Step 1: Exclude Static IP Addresses
! Exclude gateway and static assignments
CompanyRouter(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.50
CompanyRouter(config)# ip dhcp excluded-address 192.168.20.1 192.168.20.10
CompanyRouter(config)# ip dhcp excluded-address 192.168.30.1 192.168.30.10
CompanyRouter(config)# ip dhcp excluded-address 192.168.99.1 192.168.99.50
Step 2: Create DHCP Pools
! DHCP Pool for VLAN 10 - Corporate Users
CompanyRouter(config)# ip dhcp pool VLAN10_CORPORATE
CompanyRouter(dhcp-config)# network 192.168.10.0 255.255.255.0
CompanyRouter(dhcp-config)# default-router 192.168.10.1
CompanyRouter(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
CompanyRouter(dhcp-config)# domain-name company.local
CompanyRouter(dhcp-config)# lease 7
CompanyRouter(dhcp-config)# exit
! DHCP Pool for VLAN 20 - Voice
CompanyRouter(config)# ip dhcp pool VLAN20_VOICE
CompanyRouter(dhcp-config)# network 192.168.20.0 255.255.255.0
CompanyRouter(dhcp-config)# default-router 192.168.20.1
CompanyRouter(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
CompanyRouter(dhcp-config)# option 150 ip 192.168.20.5
CompanyRouter(dhcp-config)# lease 7
CompanyRouter(dhcp-config)# exit
! DHCP Pool for VLAN 30 - Guest Network
CompanyRouter(config)# ip dhcp pool VLAN30_GUEST
CompanyRouter(dhcp-config)# network 192.168.30.0 255.255.255.0
CompanyRouter(dhcp-config)# default-router 192.168.30.1
CompanyRouter(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
CompanyRouter(dhcp-config)# lease 0 2
CompanyRouter(dhcp-config)# exit
Step 3: Disable DHCP Conflict Logging (Optional)
! Conflict logging records addresses the server found already in use (via its ping check) and fences them off. Disabling it quiets the log but also hides hosts squatting on pool addresses with static configuration, so keep it unless the noise is a real problem
CompanyRouter(config)# no ip dhcp conflict logging
Security Configuration
Step 1: Configure Access Control Lists (ACLs)
! Block packets that claim a private (RFC 1918) source on the WAN; they can only be spoofed. Note the trailing "permit ip any any": this ACL is anti-spoofing only, and leaves every port-forwarded service and the router's own listening ports (SSH among them) reachable from the whole Internet, which a stateful firewall policy or a much tighter inbound ACL must close
CompanyRouter(config)# ip access-list extended BLOCK_PRIVATE_WAN
CompanyRouter(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
CompanyRouter(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
CompanyRouter(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
CompanyRouter(config-ext-nacl)# permit ip any any
CompanyRouter(config-ext-nacl)# exit
! Apply ACL to WAN interface
CompanyRouter(config)# interface GigabitEthernet0/0/0
CompanyRouter(config-if)# ip access-group BLOCK_PRIVATE_WAN in
CompanyRouter(config-if)# exit
! Guest network isolation (prevent access to internal networks)
CompanyRouter(config)# ip access-list extended GUEST_FILTER
CompanyRouter(config-ext-nacl)# deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
CompanyRouter(config-ext-nacl)# deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
CompanyRouter(config-ext-nacl)# deny ip 192.168.30.0 0.0.0.255 192.168.99.0 0.0.0.255
CompanyRouter(config-ext-nacl)# permit ip 192.168.30.0 0.0.0.255 any
CompanyRouter(config-ext-nacl)# exit
! Apply ACL to Guest VLAN interface
CompanyRouter(config)# interface GigabitEthernet0/0/1.30
CompanyRouter(config-subif)# ip access-group GUEST_FILTER in
CompanyRouter(config-subif)# exit
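The inbound ACL above and the static NAT entries of the NAT section together mean that anything on the Internet can open a connection to every published port, and the only thing protecting LAN hosts from unsolicited inbound traffic is the absence of a translation. A stateful policy is the right fix, and on IOS 15 / IOS XE that is the Zone-Based Firewall. The following is an added example, not part of the original guide, showing the weak ACL beside its replacement. It assumes Scenario A interface names, the VLAN subinterfaces above, and the web server 192.168.10.50 published on TCP 80/443 by static NAT; the zone, class and policy names are choices for this example.

```cisco
! Stateful edge policy with the Zone-Based Firewall. Added example, not part of the original
! guide. It makes the trailing "permit ip any any" of BLOCK_PRIVATE_WAN harmless: that line
! otherwise exposes every static NAT entry (the RDP forward on 3389 included) to the Internet.
! Assumes Scenario A interface names, the VLAN subinterfaces above and the web server
! 192.168.10.50 published on TCP 80/443 by static NAT; names are choices for this example.
!
! 1. Anti-spoofing stays a plain inbound ACL: RFC 1918, loopback, link-local and our own
!    WAN address can never be legitimate sources on the provider side.
ip access-list extended BLOCK_PRIVATE_WAN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip host 203.0.113.2 any
 permit ip any any
!
! 2. Zones. Every routed interface must join one; an interface in no zone cannot exchange
!    traffic with an interface that is in a zone.
zone security INSIDE
zone security OUTSIDE
!
! 3. Outbound: inspect TCP, UDP and ICMP so that only replies to sessions opened from the
!    LAN are admitted back in. Anything else leaving the LAN is dropped and logged.
class-map type inspect match-any LAN_PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSIDE_TO_OUTSIDE
 class type inspect LAN_PROTOCOLS
  inspect
 class class-default
  drop log
!
! 4. Inbound: only the published web ports. The class matches the INSIDE address because
!    outside-to-inside NAT is applied before the zone-pair policy is evaluated. There is
!    deliberately no entry for TCP 3389: reach RDP over a VPN, never from the Internet.
ip access-list extended PUBLISHED_SERVICES
 permit tcp any host 192.168.10.50 eq 80
 permit tcp any host 192.168.10.50 eq 443
class-map type inspect match-all PUBLISHED
 match access-group name PUBLISHED_SERVICES
 match protocol tcp
policy-map type inspect OUTSIDE_TO_INSIDE
 class type inspect PUBLISHED
  inspect
 class class-default
  drop log
!
! 5. Bind the policies to zone pairs and the interfaces to zones.
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE
zone-pair security OUT_IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE_TO_INSIDE
!
interface GigabitEthernet0/0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/0/1.10
 zone-member security INSIDE
interface GigabitEthernet0/0/1.20
 zone-member security INSIDE
interface GigabitEthernet0/0/1.30
 zone-member security INSIDE
interface GigabitEthernet0/0/1.99
 zone-member security INSIDE
```

Traffic between the VLANs is intra-zone and unaffected, so GUEST_FILTER keeps doing its job. Traffic to and from the router itself (SSH, DHCP, NTP, syslog) belongs to the implicit self zone, which this policy does not touch; restricting who may reach the router's SSH port remains the job of an access-class on the VTY lines. Verify with "show zone-pair security" and "show policy-map type inspect zone-pair sessions", and expect a burst of "drop log" messages from the OUT_IN pair as Internet background scanning hits the WAN address. Inspection also tracks half-open TCP sessions (tunable in "parameter-map type inspect"), which covers the SYN-flood case that TCP intercept in the next step addresses.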
Step 2: Configure TCP Intercept (SYN-Flood Protection)
! TCP intercept does nothing until an intercept list names the destinations it protects. Because NAT is applied before intercept on inbound traffic, the list matches the server's inside address. In watch mode connections pass through, and any that do not complete the handshake within watch-timeout are reset
CompanyRouter(config)# access-list 120 permit tcp any host 192.168.10.50
CompanyRouter(config)# ip tcp intercept list 120
CompanyRouter(config)# ip tcp intercept mode watch
CompanyRouter(config)# ip tcp intercept watch-timeout 30
CompanyRouter(config)# ip tcp intercept max-incomplete high 1000
Step 3: Configure Unicast RPF
! Enable Unicast Reverse Path Forwarding on the WAN interface. Strict mode (reachable-via rx) drops a packet unless the best route back to its source points out the interface it arrived on
! uRPF ignores the default route unless "allow-default" is given. On a single-homed router the default route is the only route to any Internet source, so without that keyword strict mode silently drops all inbound WAN traffic. With it, packets from the Internet claiming a 192.168.x.x source are still dropped, because those prefixes route to the LAN
CompanyRouter(config)# interface GigabitEthernet0/0/0
CompanyRouter(config-if)# ip verify unicast source reachable-via rx allow-default
CompanyRouter(config-if)# exit
Step 4: Disable Unused Interfaces
! Shutdown unused interfaces
CompanyRouter(config)# interface range GigabitEthernet0/0/2-3
CompanyRouter(config-if-range)# shutdown
CompanyRouter(config-if-range)# exit
Step 5: Configure Logging
! Configure logging
CompanyRouter(config)# logging buffered 16384 informational
CompanyRouter(config)# logging console warnings
CompanyRouter(config)# logging trap notifications
! Configure syslog server (optional)
CompanyRouter(config)# logging host 192.168.99.100
Step 6: Configure NTP
! Configure NTP for accurate time
CompanyRouter(config)# ntp server 216.239.35.0
CompanyRouter(config)# ntp server 216.239.35.4
CompanyRouter(config)# clock timezone EST -5
CompanyRouter(config)# clock summer-time EDT recurring
Verification and Troubleshooting
Basic Verification Commands
! Check interface status
CompanyRouter# show ip interface brief
! Verify NAT translations
CompanyRouter# show ip nat translations
CompanyRouter# show ip nat statistics
! Check routing table
CompanyRouter# show ip route
! Verify VLAN configuration
CompanyRouter# show vlans
CompanyRouter# show ip interface
! Check DHCP bindings
CompanyRouter# show ip dhcp binding
CompanyRouter# show ip dhcp pool
! Verify ACLs
CompanyRouter# show access-lists
CompanyRouter# show ip access-lists
! Check NAT configuration
CompanyRouter# show running-config | section nat
! View interface statistics
CompanyRouter# show interfaces GigabitEthernet0/0/0
CompanyRouter# show interfaces GigabitEthernet0/0/1
! Check for interface errors
CompanyRouter# show interfaces | include error
! Verify DNS configuration
CompanyRouter# show running-config | include name-server
Connectivity Testing
! Test internet connectivity from router
CompanyRouter# ping 8.8.8.8
CompanyRouter# ping google.com
! Test connectivity to ISP gateway
CompanyRouter# ping 203.0.113.1
! Traceroute to external host
CompanyRouter# traceroute 8.8.8.8
! Test from inside network
CompanyRouter# ping 192.168.10.100 source GigabitEthernet0/0/1.10
Common Troubleshooting Scenarios
Problem: No Internet Access
! Verify WAN interface is up
CompanyRouter# show ip interface brief | include GigabitEthernet0/0/0
! Check default route
CompanyRouter# show ip route | include 0.0.0.0
! Verify NAT is working
CompanyRouter# show ip nat translations
CompanyRouter# show ip nat statistics
! Test connectivity to ISP gateway
CompanyRouter# ping 203.0.113.1
! Clear NAT translations (if stale)
CompanyRouter# clear ip nat translation *
Problem: DHCP Not Working
! Verify DHCP is enabled
CompanyRouter# show running-config | section dhcp
! Check DHCP bindings
CompanyRouter# show ip dhcp binding
! View DHCP conflicts
CompanyRouter# show ip dhcp conflict
! Debug DHCP
CompanyRouter# debug ip dhcp server events
CompanyRouter# debug ip dhcp server packet
! Stop debugging
CompanyRouter# undebug all
Problem: VLAN Communication Issues
! Verify VLAN interfaces are up
CompanyRouter# show ip interface brief | include GigabitEthernet0/0/1
! Check VLAN encapsulation
CompanyRouter# show interfaces GigabitEthernet0/0/1.10
! Verify routing between VLANs
CompanyRouter# show ip route connected
! Test inter-VLAN routing: ping a host in VLAN 20 (192.168.20.5, the option-150 server from the DHCP section) sourced from the VLAN 10 interface. Pinging the router's own 192.168.20.1 from its own 192.168.10.1 never leaves the router and proves nothing
CompanyRouter# ping 192.168.20.5 source 192.168.10.1
Problem: High CPU Usage
! Check CPU utilization
CompanyRouter# show processes cpu sorted
! View NAT translation count
CompanyRouter# show ip nat statistics
! Check for routing loops
CompanyRouter# show ip route
! Monitor interface bandwidth
CompanyRouter# show interfaces GigabitEthernet0/0/0 | include rate
Debug Commands (Use with Caution)
! Enable debugging for NAT
CompanyRouter# debug ip nat
CompanyRouter# debug ip nat detailed
! Enable debugging for DHCP
CompanyRouter# debug ip dhcp server events
! Enable debugging for ACLs
CompanyRouter# debug ip packet detail <acl-number>
! Disable all debugging
CompanyRouter# undebug all
CompanyRouter# no debug all
Monitor Real-Time Traffic
! Monitor NAT translations in real-time
CompanyRouter# show ip nat translations verbose
! Watch interface statistics
CompanyRouter# show interfaces GigabitEthernet0/0/0 | include packets
! View the router's own TCP sessions (SSH to the router, for example). Connections forwarded through NAT are not listed here; use show ip nat translations for those
CompanyRouter# show tcp brief
! Check NAT pool utilization (if using NAT pool)
CompanyRouter# show ip nat statistics
Saving Configuration
Save Running Configuration
! Save configuration to NVRAM
CompanyRouter# write memory
or
CompanyRouter# copy running-config startup-config
! Backup configuration to TFTP server (optional)
CompanyRouter# copy running-config tftp:
Address or name of remote host []? 192.168.99.100
Destination filename [companyrouter-confg]? backup-config-2024-01-15
Verify Saved Configuration
! Compare running and startup configurations
CompanyRouter# show archive config differences startup-config running-config
! View startup configuration
CompanyRouter# show startup-config
Complete Configuration Template
Here's a complete configuration template combining all sections. It lists the persistent configuration only: the RSA key pair from Step 6 is created with an exec-level command and never appears in the text, and the Step 7 service disables (no ip http server, no ip http secure-server, no cdp run, no ip source-route) and the syslog host from the Security section are not repeated below, so add them when using the template.
!
! Complete Cisco Router NAT Configuration for Metro Ethernet
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CompanyRouter
!
enable secret 5 $1$xyz$encrypted_password
!
username admin privilege 15 secret 5 $1$abc$encrypted_password
!
ip domain-name company.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp excluded-address 192.168.99.1 192.168.99.50
!
ip dhcp pool VLAN10_CORPORATE
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8 8.8.4.4
domain-name company.local
lease 7
!
ip dhcp pool VLAN20_VOICE
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8 8.8.4.4
option 150 ip 192.168.20.5
lease 7
!
ip dhcp pool VLAN30_GUEST
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8 8.8.4.4
lease 0 2
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
interface GigabitEthernet0/0/0
description WAN - Metro Ethernet Connection
ip address 203.0.113.2 255.255.255.252
ip nat outside
ip verify unicast source reachable-via rx allow-default
ip access-group BLOCK_PRIVATE_WAN in
no shutdown
!
interface GigabitEthernet0/0/1
description LAN - Trunk to Core Switch
no ip address
no shutdown
!
interface GigabitEthernet0/0/1.10
description VLAN 10 - Corporate Users
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.20
description VLAN 20 - Voice
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.30
description VLAN 30 - Guest Network
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip access-group GUEST_FILTER in
!
interface GigabitEthernet0/0/1.99
description VLAN 99 - Management
encapsulation dot1Q 99
ip address 192.168.99.1 255.255.255.0
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
access-list 1 remark Networks allowed for NAT
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
!
ip access-list extended BLOCK_PRIVATE_WAN
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
!
ip access-list extended GUEST_FILTER
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.99.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 any
!
access-list 120 remark Destinations protected by TCP intercept
access-list 120 permit tcp any host 192.168.10.50
ip tcp intercept list 120
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
!
logging buffered 16384 informational
logging console warnings
!
ntp server 216.239.35.0
ntp server 216.239.35.4
clock timezone EST -5
clock summer-time EDT recurring
!
banner motd ^
****************************************************
* UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
* All connections are monitored and recorded
* Disconnect IMMEDIATELY if you are not authorized
****************************************************
^
!
line console 0
logging synchronous
login local
exec-timeout 5 0
!
line vty 0 4
login local
transport input ssh
exec-timeout 10 0
!
end
Best Practices and Recommendations
Security Best Practices
- Change Default Passwords: Always use strong, unique passwords stored as "secret" hashes; type 7 "password" strings are reversible
- Disable Unused Services: Disable HTTP, SNMP, CDP toward the WAN and other unused services
- Regular Updates: Keep IOS updated with the latest security patches
- Implement ACLs: Use access control lists to restrict traffic, including what may reach the router's own management ports
- Enable Logging: Monitor and log all significant events, and send them to a syslog host in the management VLAN
- Use SSH Only: Disable Telnet, use SSH version 2, and restrict the VTY lines to the management VLAN with access-class
- Backup Configurations: Regular backups to a secure location
- Guest Network Isolation: Always isolate guest networks from corporate
Performance Optimization
- NAT Translation Timeout: Adjust if needed for specific applications. The defaults are 86400 s for the generic and TCP timeouts and 300 s for UDP; shortening the generic timeout frees table entries sooner on a busy PAT gateway, at the cost of idle long-lived sessions being dropped
CompanyRouter(config)# ip nat translation timeout 300
CompanyRouter(config)# ip nat translation tcp-timeout 86400
CompanyRouter(config)# ip nat translation udp-timeout 300
- QoS Configuration: Implement QoS for VoIP traffic. A priority queue only acts when the interface congests; on a 1 Gbit/s Metro Ethernet handoff with a lower contracted rate the carrier's policer drops the excess before the router ever queues, so the policy must sit under a shaper set to the contracted rate to have any effect
CompanyRouter(config)# access-list 100 permit udp any any range 16384 32767
CompanyRouter(config)# class-map match-any VOICE
CompanyRouter(config-cmap)# match access-group 100
CompanyRouter(config-cmap)# exit
CompanyRouter(config)# policy-map WAN-QOS
CompanyRouter(config-pmap)# class VOICE
CompanyRouter(config-pmap-c)# priority percent 30
CompanyRouter(config-pmap-c)# exit
CompanyRouter(config-pmap)# exit
CompanyRouter(config)# interface GigabitEthernet0/0/0
CompanyRouter(config-if)# service-policy output WAN-QOS
- Enable CEF: Cisco Express Forwarding is on by default on every IOS 15 and IOS XE image; the command only matters if it was explicitly disabled. Verify with show ip cef summary
CompanyRouter(config)# ip cef
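Metro Ethernet is usually delivered on a 1 Gbit/s port with a much lower committed rate enforced by the carrier's policer, so the low-latency queue in WAN-QOS as written never engages: the router's interface never congests, and the policer drops voice and data alike. The following is an added example, not part of the original guide, showing the hierarchical form a practitioner would deploy instead. It assumes a 100 Mbit/s contracted rate (substitute your own), marks voice at the VLAN 20 ingress and reuses the guide's access-list 100; the VOICE class is redefined here to match on DSCP instead of the ACL.

```cisco
! Hierarchical QoS for a Metro Ethernet handoff. Added example, not part of the original
! guide. Assumes a 1 Gbit/s port with a 100 Mbit/s CIR from the ISP (an assumption; use the
! contracted rate) and the interface names from the guide.
!
! 1. Mark voice where it enters: RTP from the voice VLAN gets EF, everything else on that
!    VLAN is reset to best effort so a PC daisy-chained through a phone cannot self-mark.
access-list 100 permit udp any any range 16384 32767
class-map match-all VOICE_RTP
 match access-group 100
policy-map MARK_VOICE_IN
 class VOICE_RTP
  set dscp ef
 class class-default
  set dscp default
interface GigabitEthernet0/0/1.20
 service-policy input MARK_VOICE_IN
!
! 2. Child policy: bounded priority queue for EF, fair queueing for the rest.
!    "priority percent" is policed to its share during congestion, so a runaway EF flow
!    cannot starve data.
class-map match-any VOICE
 match dscp ef
policy-map WAN-QOS
 class VOICE
  priority percent 30
 class class-default
  fair-queue
!
! 3. Parent shaper at the contracted rate. Congestion now happens inside the router,
!    where the child policy can order the queue, instead of at the carrier's policer.
policy-map WAN-SHAPE-100M
 class class-default
  shape average 100000000
  service-policy WAN-QOS
!
interface GigabitEthernet0/0/0
 service-policy output WAN-SHAPE-100M
```

Check "show policy-map interface GigabitEthernet0/0/0" under load: the shaper's "target/average" should equal the contracted rate, and the VOICE class should show packets matched and none dropped. If the VOICE counters stay at zero while calls are active, the phones' RTP ports or the ingress marking do not match what access-list 100 expects.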
Maintenance Tasks
- Weekly Tasks:
  - Review logs for anomalies
  - Check NAT translation table size
  - Monitor interface errors
  - Verify backup status
- Monthly Tasks:
  - Review and update ACLs
  - Check for IOS updates
  - Analyze bandwidth utilization
  - Test disaster recovery procedures
- Quarterly Tasks:
  - Password rotation
  - Security audit
  - Configuration review
  - Performance baseline updates
Important Notes
- Always test configurations in a lab environment first
- Document all changes in a change management system
- Keep emergency rollback configurations ready
- Coordinate with ISP for Metro Ethernet specific requirements
- Follow your organization's security policies
Support and Contact
For issues related to:
- ISP Connectivity: Contact your Metro Ethernet provider
- Hardware Issues: Contact Cisco TAC (Technical Assistance Center)
- Configuration Assistance: Consult with certified Cisco professionals
Document Version: 1.0
Last Updated: January 2025
Applicable IOS Versions: 15.0 and higher
Tested Platforms: ISR 1900, 2900, 3900, 4000 Series
Glossary
- NAT: Network Address Translation
- PAT: Port Address Translation (NAT Overload)
- VLAN: Virtual Local Area Network
- WAN: Wide Area Network
- LAN: Local Area Network
- ISP: Internet Service Provider
- ACL: Access Control List
- DHCP: Dynamic Host Configuration Protocol
- SSH: Secure Shell
- VTY: Virtual Terminal Lines
- CEF: Cisco Express Forwarding
- QoS: Quality of Service
- Metro Ethernet: Carrier-grade Ethernet service
