Today, I have learned a very valuable network engineering lesson: know the capabilities of your equipment!
In the spirit of the CCDA, I have spent nearly the entire day working on a new network design proposal for a multi-site company that I help to support. At the heart of the proposal was to replace their existing routers which have occasional reliability issues with a Catalyst 3550 Layer 3 switch. The idea was to connect their Internet (cable modem) directly to one of the switch ports and then perform the routing with the switch. Unfortunately…
This particular network has a need to keep certain segments isolated with VLANs, as well as having guest wireless access on its own VLAN. The company is on a tight budget, so I thought that using a Cat 3550 in this manner would be extremely cost-effective while improving the reliability. The existing wireless router would be repurposed as a simple guest wireless access point.
I spent most of the day writing a 3,000-word document describing the existing network conditions and the goals for the new network design. I created both logical and physical topology maps of both the old and new networks and went into detailed explanations of how everything will work.
The theory was sound.
However, when I went to configure the Cat 3550, I ran into a snag that took me five hours to figure out. Because I am dealing with private IP addresses with only a single public IP, the Cat 3550 is required to perform NAT. Going into the project, I knew NAT was going to be involved and that I would need to configure it on the 3550. In setting it up for personal testing and demonstration, I connected the 3550 to my Internet connection, and connected my laptop to the 3550 in a VLAN separate from the Internet-facing port.
From the switch, I could ping any IP address or domain name I wanted, and it worked beautifully. But, from the laptop, I could ping the VLAN gateway, and I could ping the Internet-connected interface’s IP, but nothing beyond that. I had a static route configured on the 3550 for the Internet-connected interface, but it made no difference.
After hours of searching various sites and being positive I had everything configured correctly, I came across the official documentation for the 3550 here and discovered that it doesn’t support NAT commands. Then I found this page that shows that NONE of the Catalyst switches within any reasonable price range for a small business support NAT.
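The symptom above (gateway and WAN interface reachable from the laptop, nothing beyond) is exactly what a box that can route but cannot translate produces: the outbound packet leaves with its RFC 1918 source address intact, and nothing upstream has a route back to it. The model below is an added illustration, not the author's configuration or any Cisco code; the addresses are constructed (192.168.10.0/24 inside, 203.0.113.10 as the WAN address, 198.51.100.1 as an Internet host), and `Router`, `internet` and `ping` are hypothetical names. It traces the three pings from the post through a router with and without PAT.

```python
"""Why a Layer 3 device without NAT leaves a VLAN host cut off from the
Internet.  Added illustration, not the author's config; all addresses
are constructed (RFC 1918 inside, documentation ranges outside)."""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True for an RFC 1918 address (never routed on the public Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class Router:
    """One inside (VLAN SVI) address and one outside (WAN) address.
    nat_capable=False models the Catalyst 3550 from the post: it has a
    default route and forwards the packet, but cannot rewrite the source."""

    def __init__(self, lan_ip, wan_ip, nat_capable):
        self.lan_ip = ipaddress.ip_address(lan_ip)
        self.wan_ip = ipaddress.ip_address(wan_ip)
        self.nat_capable = nat_capable
        self.xlate = {}        # outside port -> (inside ip, inside port)
        self.next_port = 1024  # next free outside port for PAT

    def outbound(self, src, sport, dst):
        """Packet as it appears on the WAN link: (src, sport, dst)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not self.nat_capable:
            return (src, sport, dst)          # private source leaks out as-is
        port, self.next_port = self.next_port, self.next_port + 1
        self.xlate[port] = (src, sport)       # remember who owns this port
        return (self.wan_ip, port, dst)       # rewritten to the public IP

    def inbound(self, dst, dport):
        """Deliver a reply arriving on the WAN; None if no one claims it."""
        if dst == self.wan_ip:
            return self.xlate.get(dport)      # undo the translation
        return None


def internet(packet):
    """Upstream side: a public host answers, but nothing on the Internet
    has a route back to an RFC 1918 source, so that reply is dropped."""
    src, sport, dst = packet
    if is_private(src):
        return None
    return (dst, src, sport)                  # reply: from dst back to (src, sport)


def ping(router, src, dst, sport=4000):
    """True if an echo from src to dst gets a reply back to src."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in (router.lan_ip, router.wan_ip):
        return True                           # router answers for its own addresses
    reply = internet(router.outbound(src, sport, dst))
    if reply is None:
        return False                          # dropped upstream: the post's symptom
    _, rdst, rport = reply
    return router.inbound(rdst, rport) == (ipaddress.ip_address(src), sport)


def compare(laptop="192.168.10.50"):
    """Run the three pings from the post against a no-NAT and a PAT router."""
    targets = ("192.168.10.1", "203.0.113.10", "198.51.100.1")
    results = {}
    for label, nat in (("no-nat", False), ("pat", True)):
        r = Router("192.168.10.1", "203.0.113.10", nat_capable=nat)
        results[label] = tuple(ping(r, laptop, t) for t in targets)
    return results


if __name__ == "__main__":
    for label, res in compare().items():
        print(label, dict(zip(("gateway", "wan-ip", "internet"), res)))
```

Running it prints `no-nat` as gateway/WAN reachable and Internet unreachable, and `pat` as all three reachable. The static route on the 3550 was never the problem: forwarding worked, which is why the WAN interface answered; what was missing was the translation that gives the reply somewhere to come back to.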
What a disappointment! Luckily, only my wife knew about all the work I had put into the design document. It had not been mentioned or presented to anyone professionally yet, so I saved myself a lot of embarrassment and learned a very valuable lesson in the process.