01-03-2012 01:42 PM - edited 03-07-2019 04:09 AM
Hello everyone,
I'm asking myself about an installation with a Cisco router model 1801 (8 switchports integrated in it). I would like to create 2 VLANs and connect them to the outside via NAT on a stick, but I'm not sure if that is the correct way... I don't want to enable inter-VLAN routing, so I think I have to create some access-lists...
Configure WAN access
Router# configure terminal
Router(config)# interface fa1/0
Router(config-if)# ip address 80.70.64.35 255.255.255.252
Router(config-if)# no shutdown
Create 2 vlan:
Router(config)# vlan 30
Router(config-vlan)# exit
Router(config)# vlan 50
Router(config-vlan)# exit
Assign Ports Fastethernet 0/1 to 0/4 in VLAN 30
Router(config)# interface fastethernet0/1
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# exit
Router(config)# interface fastethernet0/2
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# exit
Router(config)# interface fastethernet0/3
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# exit
Router(config)# interface fastethernet0/4
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# exit
Assign Ports Fastethernet 0/5 to 0/8 in VLAN 50
Router(config)# interface fastethernet0/5
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# exit
Router(config)# interface fastethernet0/6
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# exit
Router(config)# interface fastethernet0/7
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# exit
Router(config)# interface fastethernet0/8
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# exit
Configure Switch Vlan Interfaces (SVI)
Router(config)# interface vlan30
Router(config-if)# ip address 192.168.1.254 255.255.255.0
Router(config-if)# no shut
Router(config)# interface vlan50
Router(config-if)# ip address 192.168.58.1 255.255.255.0
Router(config-if)# no shut
Configure nat
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.58.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface fa1/0 overload
Router(config)# interface vlan 30
Router(config-if)# ip nat inside
Router(config)# interface vlan 50
Router(config-if)# ip nat inside
Router(config)# interface fa 1/0
Router(config-if)# ip nat outside
Add default route
Router(config)# ip route 0.0.0.0 0.0.0.0 fa1/0
Router(config)# ip route 192.168.1.0 0.0.0.255 vlan30
Router(config)# ip route 192.168.58.0 0.0.0.255 vlan50
What do you think about my configuration? Is it correct?
I need to restrict traffic between VLANs; how do I have to configure the access-list? I tested it with several access-lists, but none of them worked for me...
About connectivity through the WAN interface (to the outside world), it seems everything is working fine, but I'm not sure if I forgot something important.
Thank you for your time and sorry for my English..
01-03-2012 02:11 PM
Hi,
Router(config)# ip route 0.0.0.0 0.0.0.0 fa1/0            <- You should point towards the next-hop IP.
Router(config)# ip route 192.168.1.0 0.0.0.255 vlan30     <- Not needed.
Router(config)# ip route 192.168.58.0 0.0.0.255 vlan50    <- Not needed.
"I need to restrict traffic between vlans, how do i have to configure the access-list?"
What do you want to do exactly?
Regards.
Alain
01-03-2012 02:25 PM
I want to restrict traffic between VLANs. Both VLANs should have outside access (internet), but they can't communicate with each other.
Thanks for your quick reply.
01-03-2012 02:37 PM
Hi,
then you can do this:
access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 199 permit ip any any
int vlan 30
ip access-group 199 in
Regards.
Alain
01-03-2012 03:49 PM
Hi again,
I'm not sure whether it's in or out, because that command is used to deny IP traffic from the 192.168.1.0 network to the 192.168.58.0 network:
access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255
In the command above, it denies traffic from vlan 30 to vlan 50, doesn't it?
So... if you are using ip access-group on vlan30 (the 192.168.1.0 network), wouldn't it be out?
I'm having trouble understanding how to apply them to the interface...
01-04-2012 01:03 AM
Hi,
Just pretend you're the router: if traffic is entering int vlan 30 then it is inbound traffic, and if traffic is leaving int vlan 30 then it is outbound traffic.
When machines in vlan 30 want to communicate with vlan 50, they will send traffic to their default gateway, which is the vlan 30 interface, and so the traffic is going to enter this interface, so it is inbound with a src IP in the vlan 30 subnet.
Regards.
Alain.
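To make Alain's direction rule and IOS first-match evaluation concrete, here is an added Python model (not from the thread or from Cisco) of ACL 199 from his answer applied inbound on int vlan 30. ACL 198 and the outside address 203.0.113.10 are constructed assumptions; the model also shows that with ACL 199 alone, packets originating in VLAN 50 still reach VLAN 30 because nothing filters int vlan 50, which is what the mirror list on int vlan 50 is for.

```python
import ipaddress
# ACL 199 is the one from the answer; ACL 198 is a constructed mirror for int vlan 50.
ACL_LINES = [
    "access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255",
    "access-list 199 permit ip any any",
    "access-list 198 deny ip 192.168.58.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 198 permit ip any any",
]
# SVI subnets taken from the asker's configuration.
SVIS = {"vlan30": ipaddress.ip_network("192.168.1.0/24"),
        "vlan50": ipaddress.ip_network("192.168.58.0/24")}

def _addr(tokens):
    """Pop 'any' or '<address> <wildcard>' and return (address, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(tokens.pop(0))),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acls(lines):
    """Parse 'access-list N permit|deny ip SRC DST' into {N: [(action, src, dst), ...]}."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError("unsupported ACE: " + line)
        rest = t[4:]
        src, dst = _addr(rest), _addr(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def _match(ip, net):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    return (int(ipaddress.IPv4Address(ip)) | net[1]) == (net[0] | net[1])

def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; the list ends with an implicit deny, as in IOS."""
    for action, src, dst in aces:
        if _match(src_ip, src) and _match(dst_ip, dst):
            return action
    return "deny"

def forward(src_ip, dst_ip, acls, bindings):
    """bindings maps an SVI name to the ACL number applied 'in' on it. A LAN host sends to
    its default gateway, so its packet enters the SVI of its own subnet (Alain's rule)."""
    svi = next((n for n, net in SVIS.items() if ipaddress.ip_address(src_ip) in net), None)
    if svi is None or svi not in bindings:
        return "permit"  # not a LAN source, or no ACL on the ingress interface
    return evaluate(acls[bindings[svi]], src_ip, dst_ip)
```

`bindings={"vlan30": "199"}` is the answer as posted (`int vlan 30` / `ip access-group 199 in`); adding `"vlan50": "198"` models the same ACL mirrored on int vlan 50.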
01-04-2012 01:59 PM
Thank you for your explanation, that is helpful for me.