No inter-vlan on a layer 3 switch/router 1801

Answered Question
Jan 3rd, 2012

Hello everyone,

I'm wondering about an installation with a Cisco router model 1801 (8 integrated switchports). I would like to create 2 VLANs and connect them to the outside via NAT on a stick, but I'm not sure if that is the correct way... I don't want to enable inter-VLAN routing, so I think I have to create some access-lists...


Configure WAN access

Router# configure terminal
Router(config)# interface fa1/0
! note: 80.70.64.35 is the broadcast address of 80.70.64.32/30, which IOS
! rejects ("Bad mask"); the WAN address must be one of the two host
! addresses of the ISP's /30 (.33 or .34)
Router(config-if)# ip address 80.70.64.35 255.255.255.252
Router(config-if)# no shutdown
Router(config-if)# exit

Create 2 VLANs:

Router(config)# vlan 30
Router(config-vlan)# exit
Router(config)# vlan 50
Router(config-vlan)# exit

Assign ports FastEthernet 0/1 to 0/4 to VLAN 30

Router(config)# interface fastethernet0/1
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# exit
Router(config)# interface fastethernet0/2
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# exit
Router(config)# interface fastethernet0/3
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# exit
Router(config)# interface fastethernet0/4
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# exit

Assign ports FastEthernet 0/5 to 0/8 to VLAN 50

Router(config)# interface fastethernet0/5
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# exit
Router(config)# interface fastethernet0/6
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# exit
Router(config)# interface fastethernet0/7
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# exit
Router(config)# interface fastethernet0/8
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# exit

Configure switch VLAN interfaces (SVI)

Router(config)# interface vlan30
Router(config-if)# ip address 192.168.1.254 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface vlan50
Router(config-if)# ip address 192.168.58.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit

Configure NAT

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.58.0 0.0.0.255
! the overload statement needs the ACL number ("list 1") and must name the
! interface that carries "ip nat outside", which is fa1/0 here, not serial 0/0
Router(config)# ip nat inside source list 1 interface fa1/0 overload
Router(config)# interface vlan30
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface vlan50
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface fa1/0
Router(config-if)# ip nat outside
Router(config-if)# exit

Add default route

Router(config)# ip route 0.0.0.0 0.0.0.0 fa1/0
! note: ip route takes a subnet mask (255.255.255.0), not a wildcard mask
Router(config)# ip route 192.168.1.0 0.0.0.255 vlan30
Router(config)# ip route 192.168.58.0 0.0.0.255 vlan50


What do you think about my configuration? Is it correct?

I need to restrict traffic between VLANs; how do I have to configure the access-list? I tested several access-lists, but none of them worked for me...

About connectivity through the WAN interface (to the outside world), everything seems to be working fine, but I'm not sure if I forgot something important.


Thank you for your time, and sorry for my English.

Correct Answer by cadet alain, Tue, 01/03/2012 - 14:11

Hi,


Router(config)# ip route 0.0.0.0 0.0.0.0 fa1/0     You should point towards the next-hop IP

Router(config)# ip route 192.168.1.0 0.0.0.255 vlan30   Not needed

Router(config)# ip route 192.168.58.0 0.0.0.255 vlan50  Not needed



I need to restrict traffic between vlans, how do i have to configure the access-list?


What do you want to do exactly?


Regards.


Alain

jesusescuderolopez Tue, 01/03/2012 - 14:25

I want to restrict traffic between VLANs. Both VLANs should have outside access (Internet), but they can't communicate with each other.


Thanks for your quick reply.

cadet alain Tue, 01/03/2012 - 14:37

Hi,


then you can do this:


access-list 199 deny  ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255

access-list 199 permit ip any any


int vlan 30

ip access-group 199 in


Regards.


Alain

jesusescuderolopez Tue, 01/03/2012 - 15:49

Hi again,

I'm not sure whether it's in or out, because that command is used to deny IP traffic from the 192.168.1.0 network to the 192.168.58.0 network:

access-list 199 deny  ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255

In the command above, it denies traffic from VLAN 30 to VLAN 50, doesn't it?


So... if you are applying ip access-group to vlan30 (the 192.168.1.0 network), wouldn't it be out?


I'm having trouble understanding how to apply them to the interface...

cadet alain Wed, 01/04/2012 - 01:03

Hi,


Just pretend you're the router: if traffic is entering int vlan 30 then it is inbound traffic, and if traffic is leaving int vlan 30 then it is outbound traffic.

When machines in VLAN 30 want to communicate with VLAN 50, they will send the traffic to their default gateway, which is the vlan 30 interface, so the traffic is going to enter this interface; therefore it is inbound, with a src IP in the VLAN 30 subnet.


Regards.


Alain.
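Pulling the three replies together, the following is an added example, not the configuration posted in the thread: the 1801 config with the default route pointed at the ISP next-hop, the two static routes dropped, the NAT overload statement fixed, and one inbound ACL per SVI. The second ACL matters because with ACL 199 on vlan 30 only, a host in VLAN 50 can still deliver one-way UDP or ICMP traffic into VLAN 30; only the replies coming back in through vlan 30 are dropped. Assumptions of this example: the interface and VLAN names are those of the posted config; the ISP /30 is 80.70.64.32/30 with the router on .34 and the ISP next-hop on .33 (the posted .35 is that subnet's broadcast address); the ACL names, VLAN names and the `log` keyword are choices made here.

```ios
! Added example (not the thread's own config): corrected 1801 configuration.
! Assumed: interface/VLAN names as posted; WAN address 80.70.64.34/30 and
! ISP next-hop 80.70.64.33 are placeholders; ACL/VLAN names and "log" are
! choices of this example.
configure terminal
!
interface fa1/0
 description WAN uplink to ISP
 ip address 80.70.64.34 255.255.255.252
 ip nat outside
 no shutdown
!
vlan 30
 name LAN-A
vlan 50
 name LAN-B
!
interface range fastethernet0/1 - 4
 switchport mode access
 switchport access vlan 30
interface range fastethernet0/5 - 8
 switchport mode access
 switchport access vlan 50
!
! One inbound ACL per SVI. Inbound ACLs on an "ip nat inside" interface are
! evaluated before translation, so they match the private addresses.
! With an ACL on vlan30 only, VLAN 50 could still send one-way traffic
! (UDP, ICMP echo) into VLAN 30; only the replies would be dropped.
ip access-list extended VLAN30-IN
 deny   ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255 log
 permit ip any any
ip access-list extended VLAN50-IN
 deny   ip 192.168.58.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
interface vlan30
 ip address 192.168.1.254 255.255.255.0
 ip access-group VLAN30-IN in
 ip nat inside
 no shutdown
interface vlan50
 ip address 192.168.58.1 255.255.255.0
 ip access-group VLAN50-IN in
 ip nat inside
 no shutdown
!
! PAT for both subnets behind the WAN address: the overload statement names
! the ACL and the interface that is "ip nat outside".
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.58.0 0.0.0.255
ip nat inside source list 1 interface fa1/0 overload
!
! Default route to the ISP next-hop address, not to the interface; the two
! LAN subnets are connected routes via the SVIs and need no static routes.
ip route 0.0.0.0 0.0.0.0 80.70.64.33
end
!
! Verification from privileged EXEC:
! show ip route                      -> S* 0.0.0.0/0 via 80.70.64.33,
!                                       C 192.168.1.0/24, C 192.168.58.0/24
! show ip interface vlan30 | include access list
!                                    -> Inbound  access list is VLAN30-IN
! show access-lists VLAN30-IN        -> deny counter rises when a VLAN 30
!                                       host tries to reach VLAN 50
! show ip nat translations           -> entries for Internet-bound flows
!                                       from both subnets
```

The `log` keyword on the deny entries produces rate-limited syslog lines for every denied flow, which is the simplest way to see who is probing across the VLANs; remove it if the router's CPU is a concern. The `permit ip any any` at the end of each ACL is what keeps Internet access working for both VLANs.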
