Recently I quickly needed a device that supplied full-featured Internet service to a temporary installation. The COC (carrier of choice) provided an Ethernet cable with a public IP connection and Ethernet-like uplink bandwidth. The need for wire-speed Ethernet routing eliminated the cheap boxes, so the ProCurve Secure Router family, which was in stock anyway, was the unit of choice with its wire-speed 100 Mbit routing capability and two on-board Ethernet ports. On top of that, the device can provide all locally needed services such as sophisticated DHCP, DNS and time service, so no further infrastructure components needed to be placed in this temporary setup, besides switches and WLAN components, of course. A logical choice.
Given that, there are some obvious configuration steps.
First configure and activate the local Ethernet interfaces.
First the internal one:
interface eth 0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
Then the external one:
interface eth 0/2
ip address 123.456.789.2 255.255.255.248
no shutdown
exit
After configuring the IP interfaces you may add a default route. Since a routing device always refers to its routing table, the concept of a dedicated default gateway is somewhat misleading. So simply add the global default route with the network address 0.0.0.0 and the mask 0.0.0.0. This route should point to the gateway you consider to be the default.
ip route 0.0.0.0 0.0.0.0 123.456.789.1
Test a ping to the other side of your uplink and you will likely have a connection. Try to ping from the router to anywhere in the world and it will likely work as well. Execute the same test from a device connected to the internal LAN and it will fail. The wide world does not know about your local LAN addresses and, since they are private, likely never will. So you have to translate the local network addresses to the globally known one, a method widely known as NAT, which is configured as follows:
Define an extended access list that refers to your internal communication. This can be considered a symbolic reference naming the LAN for the later definition of the access policy. The mask in an access list entry is a wildcard (inverse) mask, so the 192.168.1.0 /24 LAN is written with 0.0.0.255; a wildcard of 0.255.255.255 would match every address starting with 192.
ip access-list extended INTERNAL
permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Now define the extended access list that allows your LAN to access the Internet, using the any keyword as the destination.
ip access-list extended INTERNET
permit ip 192.168.1.0 0.0.0.255 any
Also define a policy class that allows the LAN reference to overload the Internet connection by using dynamic NAT.
ip policy-class INTERNALwNAT
allow list INTERNAL
nat source list INTERNET interface eth 0/2 overload
Finally, add the access policies to the applicable interfaces. This could even be a layer two interface like PPP, but in this case it's the layer one/two combination of the physical Ethernet context.
interface eth 0/1
access-policy INTERNALwNAT
and
interface eth 0/2
access-policy INTERNALwNAT
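Because the source term of each access list entry decides which addresses are allowed and translated, it is worth checking that its wildcard mask matches exactly the LAN subnet. The following is an added example, not part of the original post: it assumes Cisco-style wildcard (inverse) masks as used in the access lists above, and the sample lines and function names are constructed for illustration.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Network matched by a contiguous wildcard (inverse) mask, else None."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                      # set bits are not one low-order run
        return None
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - w.bit_length()))

def audit_acl(lines, lan):
    """Compare the source term of each 'permit ip A W ...' line with the LAN."""
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["permit", "ip"]:
            continue
        try:
            net = wildcard_to_network(tok[2], tok[3])
        except ipaddress.AddressValueError:
            continue                     # 'any' / 'host' forms are not checked here
        if net is None:
            verdict = "non-contiguous wildcard"
        elif net == lan_net:
            verdict = "ok"
        elif lan_net.subnet_of(net):
            verdict = (f"too broad: matches {net} ({net.num_addresses} addresses), "
                       f"expected wildcard {lan_net.hostmask}")
        else:
            verdict = f"does not cover LAN: matches {net}"
        findings.append((line, verdict))
    return findings

# Constructed sample lines for a 192.168.1.0/24 LAN (not taken from a live router).
SAMPLE = [
    "permit ip 192.168.1.0 0.0.0.255 any",
    "permit ip 192.168.1.0 0.255.255.255 any",
    "permit ip 192.168.2.0 0.0.0.255 any",
    "permit ip 192.168.1.0 0.0.255.0 any",
]

if __name__ == "__main__":
    for line, verdict in audit_acl(SAMPLE, "192.168.1.0/24"):
        print(f"{line:45} -> {verdict}")
```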
Your Internet access should work by now. For convenience in the LAN, distribute your setup by subsequently configuring the local DHCP service. In this case we reserve a couple of addresses in the lower and the upper range of the network segment for static use, such as for switches and printers. The configuration context is global for the IP DHCP service and not within the scope of the given DHCP pool.
ip dhcp-server excluded-address 192.168.1.1 192.168.1.10
ip dhcp-server excluded-address 192.168.1.240 192.168.1.254
Then the DHCP pool is defined for the connected network 192.168.1.0 /24 with the descriptive name localNet. The given DNS server is a hypothetical public one. The addresses are chosen from the entire subnet, except where an exclusion was defined before.
ip dhcp-server pool localNet
network 192.168.1.0 255.255.255.0
domain-name localnet.de
dns-server 123.456.789.111
default-router 192.168.1.1
Now you should be done and your local clients should surf happily.
k.y.p. frank