vlans communicating on 1721

Answered Question
Jun 9th, 2007

To preface, I am still somewhat new to Cisco equipment and advanced networking. The reason I set the following up is partially to study for my CCNA. Anyway, here goes.

Business cable connection coming in to a 1721 running IP Plus 12.2, a 2924XL running IOS 12 and two VLANs - one for my server, one for my home network. I have both VLANs coming from the switch to the router (802.1q), and NATing based on subnet to an external IP. The problem is that a server on VLAN 3 (172.16.0.0/24) can ping the fa0 (VLAN 1) IP of 192.168.1.1. It can also ping another VLAN IP subinterface, 192.168.2.1 (fa0.2). When I do a tracert from the server (172.16.0.1) to 192.168.1.1, it shows up as one entry, not even going through one hop of the gateway for that VLAN subinterface. fa0/3 on the switch is for VLAN 3 and fa0/9 is my trunk port. Here is the config of the switch and the router:

switch:

interface FastEthernet0/3
 switchport access vlan 3
!
interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-665,667-1005
 switchport mode trunk


and my router:

interface FastEthe
 ip address 192.16
 ip access-group 1
 no ip proxy-arp
 speed auto
!
interface FastEthe
 encapsulation dot
 ip address 192.16
 no ip proxy-arp
 ip nat inside
!
interface FastEthe
 encapsulation dot
 ip address 172.16
 ip access-group 5
 ip access-group 1
 no ip proxy-arp
 ip nat inside

mohammedmahmoud Sat, 06/09/2007 - 23:38

Hi,


Your output is incomplete, please paste it correctly, but I will take one wild guess: the main FastEthernet interface in the router must have "no ip address".



HTH, please do rate all helpful replies,

Mohammed Mahmoud.

ryancolson Sun, 06/10/2007 - 06:03

Without an IP address on fa0, doesn't that mean that VLAN 1 will not be able to communicate through it?

mohammedmahmoud Sun, 06/10/2007 - 06:19

Hi,


No, when configuring trunking between a switch and a router, the main interface must have "no ip address", and for VLAN 1 there must be a subinterface like any other VLAN.



HTH, please do rate all helpful replies,

Mohammed Mahmoud.


ryancolson Sun, 06/10/2007 - 06:29

I actually wasn't able to communicate from a PC on one VLAN to a PC on another VLAN without opening it up in an access list. So it seems to be mostly working. I just don't understand why a PC on one VLAN can hit all the subinterfaces on the router.


Here is the complete switch config:


!
! Last configuration change at 18:26:10 EST Wed May 2 2007
! NVRAM config last updated at 18:26:11 EST Wed May 2 2007
!
version 12.0
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Switch2900XL
!
enable secret xxx
!
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 2:00 2 Sun Nov 2:00
!
spanning-tree portfast bpduguard
ip subnet-zero
no ip domain-lookup
ip domain-name anarchyunlimited.net
!
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/2
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/3
 switchport access vlan 100
!
interface FastEthernet0/4
 switchport access vlan 100
!
interface FastEthernet0/5
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/6
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/7
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/8
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/9
 switchport access vlan 100
!
interface FastEthernet0/10
 switchport access vlan 100
!
interface FastEthernet0/11
 switchport access vlan 100
!
interface FastEthernet0/12
 switchport access vlan 100
!
interface FastEthernet0/13
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/14
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/15
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/16
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/17
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/18
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/19
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/20
 description ***Faulty***
 switchport access vlan 666
!
interface FastEthernet0/21
 switchport access vlan 100
!
interface FastEthernet0/22
 switchport access vlan 100
!
interface FastEthernet0/23
 switchport access vlan 100
!
interface FastEthernet0/24
 switchport access vlan 100
!
interface VLAN1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
interface VLAN100
 ip address 100.x.x.67 255.255.255.192
 no ip directed-broadcast
 no ip route-cache
!



And the router:


!
version 12.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname homeFirewall
!
enable password password
!
username user password 0 cisco
ip subnet-zero
!
ip name-server 192.168.1.10
!
trunk group 1
!
trunk group yeah
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip access-group 103 in
 ip access-group 103 out
 no ip proxy-arp
 ip nat inside
 speed auto
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 ip address 172.16.0.1 255.255.255.0
 ip access-group 5 in
 ip access-group 104 out
 no ip proxy-arp
 ip nat inside
!
end


Is it normal for a PC on one VLAN to be able to hit all 3 subinterfaces?

I took out some of the config to save space, just the NATting and login info.

ryancolson Sun, 06/10/2007 - 07:12

Ok. The only reason I thought the other way is because one of my CCNA study guides (CCNA ICND by Wendell Odom) states that with dot1q and VLAN 1 being native you don't set up encapsulation on that VLAN.

mohammedmahmoud Sun, 06/10/2007 - 12:46

Hi,


You are right, that's why we use the "native" keyword with the VLAN 1 subinterface encapsulation command as described in the document above, but you still need to define dot1q encapsulation on all subinterfaces for all VLANs. Please do review the document and come back if you have further questions.


c2600(config-subif)#encapsulation dot1Q 1 native

!-- On the switch, if you have a native VLAN other than VLAN1,
!-- on the router, configure the same VLAN to be the native VLAN,
!-- by using the above command.



HTH, please do rate all helpful replies,

Mohammed Mahmoud.

ryancolson Sun, 06/10/2007 - 13:11

Encap is defined on all subinterfaces. Is it normal to be able to ping the IP on other subinterfaces, as that's the main concern I have?

mohammedmahmoud Sun, 06/10/2007 - 13:33

Hi,


Yes, currently all the subinterfaces are directly connected interfaces on the same router, and thus packets are automatically routed between them, and thus a host belonging to a VLAN of one subinterface will be able to ping an IP belonging to another subinterface (inter-VLAN routing - router-on-a-stick).


I hope that I've been informative.


HTH, please do rate all helpful replies,

Mohammed Mahmoud.

ryancolson Sun, 06/10/2007 - 13:52

I applied an access list but the pings from the 172 still hit the 192 subinterface. I applied an access list to the 192 subinterface blocking all traffic from the 172 subnet, however the pings still come through. Is this normal?

ryancolson Sun, 06/10/2007 - 18:14

Here is my access-list setup. I have it fully set up now but the access list to block routing from one VLAN to another isn't kicking in. What do I need to change to be able to control/block inter-VLAN routing?

vlan sub configs:

interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip access-group 106 in
 ip access-group 103 out
 ip nat inside
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 172.16.0.1 255.255.255.0
 ip access-group 103 in
 ip access-group 103 out
 no ip proxy-arp
 ip nat inside

access-lists:

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 74.93.243.192 0.0.0.7
access-list 3 permit 172.16.0.0 0.0.0.255
access-list 4 deny 172.16.0.0 0.0.0.255
access-list 5 permit 172.16.0.10
access-list 101 permit tcp any any established
access-list 102 deny ip any 192.168.1.0 0.0.0.255
access-list 103 permit ip any any
access-list 103 permit icmp any any
access-list 104 deny ip any 192.168.1.0 0.0.0.255
access-list 104 permit ip any any
access-list 105 deny ip any 192.168.1.0 0.0.0.255 log
access-list 105 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 106 deny ip 172.16.0.0 0.0.0.255 any
access-list 106 permit ip any any


I want to block traffic from VLAN 2 (172.16.0.0/24) to VLAN 1 (192.168.1.0/24).



Correct Answer
mohammedmahmoud Sun, 06/10/2007 - 23:01

Hi,


The following configuration would do it, as the NAT order of operation states that the input access-list is processed first, and further both interfaces are inside:


interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip access-group 114 in
 ip access-group 113 out
 ip nat inside
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 172.16.0.1 255.255.255.0
 ip access-group 113 in
 ip access-group 114 out
 no ip proxy-arp
 ip nat inside

access-list 113 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 permit ip any any

access-list 114 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 114 permit ip any any




HTH, please do rate all helpful replies,

Mohammed Mahmoud.

ryancolson Mon, 06/11/2007 - 08:47

THANK YOU!!!! This fixed it. The only thing I am a little confused on is that I had an access list on 0.1 blocking traffic. Does the block have to be on both interfaces to work right? Thanks again for your time on this, and it works like it should now =)

mohammedmahmoud Mon, 06/11/2007 - 09:02

Hi,


I am glad that it worked out :)


The reason it didn't work before is that your ACL was configured wrong:


access-list 106 deny ip 172.16.0.0 0.0.0.255 any


This shall deny any packet with source "172.16.0.x" incoming to the interface, which will never be the case, as all packets coming inbound to this interface will have source 192.168.1.x and destination "172.16.0.x". Always take care what is the source and what is the destination when you are configuring an ACL.



I hope that I've been informative.



HTH, please do rate all helpful replies,

Mohammed Mahmoud.
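To show why ACL 106 inbound on fa0.1 never matched the server's pings while ACL 113 inbound on fa0.2 does, here is an added example (not from the thread or from Cisco) that models IOS extended-ACL evaluation in Python. The ACL lines are the ones posted above; the subinterface names and the rule that picks the ingress subinterface from the packet's source subnet are the model's own simplification.

```python
# Added example (not from the thread): a small model of IOS extended-ACL
# matching, applied the way the router applies inbound ACLs per subinterface.
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip <src> <dst>' ('any' or 'base wildcard')."""
    tok = line.split()
    i = 4  # tokens 0-3: access-list, number, action, protocol
    def grab():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        i += 2
        return (tok[i - 2], tok[i - 1])
    return (tok[2] == "permit", grab(), grab())

def evaluate(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for permit, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return permit
    return False

def acl(*lines):
    return [parse_ace(l) for l in lines]

# ACLs as posted in the thread (103 is the 'permit ip any any' list).
ACL_103 = acl("access-list 103 permit ip any any")
ACL_106 = acl("access-list 106 deny ip 172.16.0.0 0.0.0.255 any",
              "access-list 106 permit ip any any")
ACL_113 = acl("access-list 113 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
              "access-list 113 permit ip any any")
ACL_114 = acl("access-list 114 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255",
              "access-list 114 permit ip any any")
# Inbound ACL per subinterface: the thread's broken config and the fixed one.
BROKEN = {"fa0.1": ACL_106, "fa0.2": ACL_103}
FIXED = {"fa0.1": ACL_114, "fa0.2": ACL_113}

def inbound_permits(config, src: str, dst: str) -> bool:
    """A packet enters on the subinterface of its source VLAN (model assumption),
    and only that interface's inbound ACL is checked before routing."""
    ingress = "fa0.2" if wildcard_match(src, "172.16.0.0", "0.0.0.255") else "fa0.1"
    return evaluate(config[ingress], src, dst)
```

With BROKEN, a ping from 172.16.0.10 to 192.168.1.1 is permitted because it enters on fa0.2 where ACL 103 allows everything; ACL 106 on fa0.1 only ever sees packets sourced from 192.168.1.x, so its deny line cannot match. With FIXED the same ping is denied by ACL 113 on fa0.2.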
