vlans communicating on 1721

ryancolson
Level 1

To preface, I am still somewhat new to Cisco equipment and advanced networking. The reason I set the following up is partially to study for my CCNA. Anyway, here goes.

Business cable connection coming in to a 1721 running IP Plus 12.2, a 2924XL running IOS 12, and two VLANs: one for my server, one for my home network. I have both VLANs coming from the switch to the router (802.1q), and NATing based on subnet to an external IP. The problem is that a server on VLAN 3 (172.16.0.0/24) can ping the fa0 (VLAN 1) IP of 192.168.1.1. It can also ping another VLAN IP subinterface, 192.168.2.1 (fa0.2). When I do a tracert from the server (172.16.0.1) to 192.168.1.1, it shows up as one entry, not even going through one hop of the gateway for that VLAN subinterface. fa0/3 on the switch is for VLAN 3 and fa0/9 is my trunk port. Here is the config of the switch and the router:

switch:

interface FastEthernet0/3
switchport access vlan 3
!
interface FastEthernet0/9
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-665,667-1005
switchport mode trunk

and my router:

interface FastEthe
ip address 192.16
ip access-group 1
no ip proxy-arp
speed auto
!
interface FastEthe
encapsulation dot
ip address 192.16
no ip proxy-arp
ip nat inside
!
interface FastEthe
encapsulation dot
ip address 172.16
ip access-group 5
ip access-group 1
no ip proxy-arp
ip nat inside


14 Replies

mohammedmahmoud
Level 11

Hi,

Your output is incomplete, please paste it correctly, but I will take one wild guess: the main FastEthernet interface in the router must have "no ip address".

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Without an IP address on fa0, doesn't that mean that VLAN 1 will not be able to communicate through it?

Hi,

No. When configuring trunking between a switch and a router, the main interface must have "no ip address", and for VLAN 1 there must be a subinterface like for any other VLAN.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

I actually wasn't able to communicate from a PC on one VLAN to a PC on another VLAN without opening it up in an access list. So it seems to be mostly working. I just don't understand why a PC on one VLAN can hit all the subinterfaces on the router.

Here is the complete switch config:

!
! Last configuration change at 18:26:10 EST Wed May 2 2007
! NVRAM config last updated at 18:26:11 EST Wed May 2 2007
!
version 12.0
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Switch2900XL
!
enable secret xxx
!
!
!
!
!
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 2:00 2 Sun Nov 2:00
!
spanning-tree portfast bpduguard
ip subnet-zero
no ip domain-lookup
ip domain-name anarchyunlimited.net
!
!
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/2
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/4
switchport access vlan 100
!
interface FastEthernet0/5
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/6
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/7
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/8
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/9
switchport access vlan 100
!
interface FastEthernet0/10
switchport access vlan 100
!
interface FastEthernet0/11
switchport access vlan 100
!
interface FastEthernet0/12
switchport access vlan 100
!
interface FastEthernet0/13
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/14
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/15
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/16
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/17
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/18
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/19
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/20
description ***Faulty***
switchport access vlan 666
!
interface FastEthernet0/21
switchport access vlan 100
!
interface FastEthernet0/22
switchport access vlan 100
!
interface FastEthernet0/23
switchport access vlan 100
!
interface FastEthernet0/24
switchport access vlan 100
!
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN100
ip address 100.x.x.67 255.255.255.192
no ip directed-broadcast
no ip route-cache
!

And the router:

!
version 12.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname homeFirewall
!
enable password password
!
username user password 0 cisco
ip subnet-zero
!
!
ip name-server 192.168.1.10
!
!
!
trunk group 1
!
!
trunk group yeah
!
!
!
!
!
interface FastEthernet0
ip address 192.168.1.2 255.255.255.0
ip access-group 103 in
ip access-group 103 out
no ip proxy-arp
ip nat inside
speed auto
!
interface FastEthernet0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
no ip proxy-arp
ip nat inside
!
interface FastEthernet0.3
encapsulation dot1Q 3
ip address 172.16.0.1 255.255.255.0
ip access-group 5 in
ip access-group 104 out
no ip proxy-arp
ip nat inside
!
!
!
end

Is it normal for a PC on one VLAN to be able to hit all 3 subinterfaces?

I took out some of the config to save space, just the NATing and login info.

Hi,

Please do check this document:

http://www.cisco.com/en/US/tech/tk389/tk390/technologies_configuration_example09186a00800949fd.shtml

You must have a separate subinterface for VLAN 1. Please follow this document and get back to us if you face any problems.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Ok. The only reason I thought the other way is because one of my CCNA study guides (CCNA ICND by Wendell Odom) states that with dot1q and VLAN 1 being native you don't set up encapsulation on that VLAN.

Hi,

You are right, that's why we use the "native" keyword with the VLAN 1 subinterface encapsulation command as described in the document above, but you still need to define dot1q encapsulation on all subinterfaces for all VLANs. Please do review the document and come back if you have further questions.

c2600(config-subif)#encapsulation dot1Q 1 native
!-- On the switch, if you have a native VLAN other than VLAN1,
!-- on the router, configure the same VLAN to be the native VLAN,
!-- by using the above command.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Encap is defined on all subinterfaces. Is it normal to be able to ping the IP on other subinterfaces? That's the main concern I have.

Hi,

Yes, currently all the subinterfaces are directly connected interfaces on the same router, and thus packets are automatically routed between them, and thus a host belonging to the VLAN of one subinterface will be able to ping an IP belonging to another subinterface (inter-VLAN routing, router-on-a-stick).

I hope that I've been informative.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

I applied an access list, but the pings from the 172 still hit the 192 subinterface. I applied an access list to the 192 subinterface blocking all traffic from the 172 subnet, however the pings still come through. Is this normal?

Here is my access-list setup. I have it fully set up now, but the access list to block routing from one VLAN to another isn't kicking in. What do I need to change to be able to control/block inter-VLAN routing?

VLAN sub configs:

interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip access-group 106 in
ip access-group 103 out
ip nat inside
!
interface FastEthernet0.2
encapsulation dot1Q 2
ip address 172.16.0.1 255.255.255.0
ip access-group 103 in
ip access-group 103 out
no ip proxy-arp
ip nat inside

Access lists:

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 74.93.243.192 0.0.0.7
access-list 3 permit 172.16.0.0 0.0.0.255
access-list 4 deny 172.16.0.0 0.0.0.255
access-list 5 permit 172.16.0.10
access-list 101 permit tcp any any established
access-list 102 deny ip any 192.168.1.0 0.0.0.255
access-list 103 permit ip any any
access-list 103 permit icmp any any
access-list 104 deny ip any 192.168.1.0 0.0.0.255
access-list 104 permit ip any any
access-list 105 deny ip any 192.168.1.0 0.0.0.255 log
access-list 105 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 106 deny ip 172.16.0.0 0.0.0.255 any
access-list 106 permit ip any any

I want to block traffic from VLAN 2 (172.16.0.0/24) to VLAN 1 (192.168.1.0/24).

Hi,

The following configuration would do it, as the NAT order of operation states that the input access-list is processed first, and further both interfaces are inside:

interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip access-group 114 in
ip access-group 113 out
ip nat inside
!
interface FastEthernet0.2
encapsulation dot1Q 2
ip address 172.16.0.1 255.255.255.0
ip access-group 113 in
ip access-group 114 out
no ip proxy-arp
ip nat inside

access-list 113 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 permit ip any any
access-list 114 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 114 permit ip any any

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

THANK YOU!!!! This fixed it. The only thing I am a little confused on is that I had an access list on 0.1 blocking traffic. Does the block have to be on both interfaces to work right? Thanks again for your time on this; it works like it should now =)

Hi,

I am glad that it worked out :)

The reason it didn't work before is that your ACL was configured wrong:

access-list 106 deny ip 172.16.0.0 0.0.0.255 any

This shall deny any packet with source "172.16.0.x" incoming to the interface, which will never be the case, as all packets coming inbound to this interface will have source "192.168.1.x" and destination "172.16.0.x". Always take care what is the source and what is the destination when you are configuring an ACL.

I hope that I've been informative.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.
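A constructed Python model of the ACL behaviour discussed in this thread (an added example, not code from the thread or from Cisco): it applies Cisco wildcard matching and first-match evaluation to the posted ACLs 103, 106, 113 and 114, then runs one packet from VLAN 2 to VLAN 1 through the "before" and "after" access-group placements to show why 106 inbound on Fa0.1 never matched while 113 inbound on Fa0.2 does. The host addresses 172.16.0.10 and 192.168.1.10 and the ingress/egress lookup by subnet are assumptions of the model.

```python
import ipaddress
# Constructed model (not IOS code) of the thread's extended ACLs: Cisco wildcard
# matching, first-match evaluation, and the in/out checks on ingress and egress.

def wildcard_match(addr, base, wildcard):
    # A 1 bit in the wildcard mask means "don't care" for that bit.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    # "any" or "<base> <wildcard>" (the only forms used in the thread's ACLs).
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def evaluate_acl(config, number, src, dst):
    # First matching entry wins; every ACL ends with an implicit deny.
    for line in config:
        parts = line.split()
        if parts[:2] != ["access-list", str(number)]:
            continue
        action, rest = parts[2], parts[4:]      # parts[3] is the protocol
        (sb, sw), rest = _take_addr(rest)
        (db, dw), _ = _take_addr(rest)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def _iface_for(ifaces, addr):
    return next(n for n, (net, _, _) in ifaces.items()
                if ipaddress.ip_address(addr) in ipaddress.ip_network(net))

def route_packet(config, ifaces, src, dst):
    # ifaces: {name: (subnet, in_acl, out_acl)}; returns (verdict, blocking_acl).
    ingress, egress = _iface_for(ifaces, src), _iface_for(ifaces, dst)
    for name, slot in ((ingress, 1), (egress, 2)):   # "in" first, then "out"
        acl = ifaces[name][slot]
        if acl and evaluate_acl(config, acl, src, dst) == "deny":
            return ("deny", acl)
    return ("permit", None)

ACLS = ["access-list 103 permit ip any any",
        "access-list 106 deny ip 172.16.0.0 0.0.0.255 any",
        "access-list 106 permit ip any any",
        "access-list 113 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
        "access-list 113 permit ip any any",
        "access-list 114 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255",
        "access-list 114 permit ip any any"]
# Access-group placement before (ryancolson's post) and after (the accepted answer).
BEFORE = {"FastEthernet0.1": ("192.168.1.0/24", 106, 103), "FastEthernet0.2": ("172.16.0.0/24", 103, 103)}
AFTER = {"FastEthernet0.1": ("192.168.1.0/24", 114, 113), "FastEthernet0.2": ("172.16.0.0/24", 113, 114)}
```

ACL 106 does match a 172.16.0.x source when evaluated directly, which is exactly why applying it inbound on Fa0.1 (where sources are 192.168.1.x) made it a no-op.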
