No inter-vlan on a layer 3 switch/router 1801

Hello everyone,

I'm asking myself about an installation with a Cisco router model 1801 (with 8 integrated switchports). I would like to create 2 VLANs and connect them to the outside via NAT on a stick, but I'm not sure if that is the correct way... I don't want to enable inter-VLAN, so I think I have to create some access lists...

Configure WAN access

Router# configure terminal
Router(config)# interface fa1/0
Router(config-if)# ip address 80.70.64.35 255.255.255.252
Router(config-if)# no shutdown

Create 2 vlan:

Router(config)# vlan 30
Router(config-vlan)# end

Router(config)# vlan 50
Router(config-vlan)# end

Assign Ports Fastethernet 0/1 to 0/4 in VLAN 30
Router(config)# interface fastethernet0/1
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# end

Router(config)# interface fastethernet0/2
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# end

Router(config)# interface fastethernet0/3
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# end

Router(config)# interface fastethernet0/4
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 30
Router(config-if)# end

Assign Ports Fastethernet 0/5 to 0/8 in VLAN 50
Router(config)# interface fastethernet0/5
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# end

Router(config)# interface fastethernet0/6
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# end

Router(config)# interface fastethernet0/7
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# end

Router(config)# interface fastethernet0/8
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 50
Router(config-if)# end

Configure Switch Vlan Interfaces (SVI)
Router(config)# interface vlan30
Router(config-if)# ip address 192.168.1.254 255.255.255.0
Router(config-if)# no shut

Router(config)# interface vlan50
Router(config-if)# ip address 192.168.58.1 255.255.255.0
Router(config-if)# no shut

Configure nat

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.58.0 0.0.0.255
Router(config)# ip nat inside source list interface serial 0/0 overload

Router(config)# interface vlan 30
Router(config-if)# ip nat inside

Router(config)# interface vlan 50
Router(config-if)# ip nat inside

Router(config)# interface fa 1/0
Router(config-if)# ip nat outside

Add default route
Router(config)# ip route 0.0.0.0 0.0.0.0 fa1/0
Router(config)# ip route 192.168.1.0 0.0.0.255 vlan30
Router(config)# ip route 192.168.58.0 0.0.0.255 vlan50

What do you think about my configuration? Is it correct?

I need to restrict traffic between VLANs. How do I have to configure the access list? I tested it with several access lists but none of them worked for me...

About connectivity through the WAN interface (to the outside world), it seems everything is working fine, but I'm not sure if I forgot something important.

Thank you for your time and sorry for my English.

Accepted Solutions

cadet alain
VIP Alumni

Hi,

Router(config)# ip route 0.0.0.0 0.0.0.0 fa1/0     You should point towards next-hop IP

Router(config)# ip route 192.168.1.0 0.0.0.255 vlan30   Not needed

Router(config)# ip route 192.168.58.0 0.0.0.255 vlan50  Not needed

I need to restrict traffic between vlans, how do i have to configure the access-list?

What do you want to do exactly?

Regards.

Alain

Don't forget to rate helpful posts.

I want to restrict traffic between VLANs. Both VLANs should have outside access (inet) but they can't communicate with each other.

Thanks for your quick reply.

Hi,

then you can do this:

access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 199 permit ip any any

int vlan 30
ip access-group 199 in

Regards.

Alain

Don't forget to rate helpful posts.

Hi again,

I'm not sure whether it's in or out, because that command is used to deny IP traffic from the 192.168.1.0 network to the 192.168.58.0 network:

access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255

In the command above, it denies traffic from vlan 30 to vlan 50, doesn't it?

So... if you are using ip access-group into vlan30 (192.168.1.0 network) would it not be out?

I'm having trouble understanding how to apply them to the interface...

Hi,

Just pretend you're the router: if traffic is entering int vlan 30 then it is inbound traffic, and if traffic is leaving int vlan 30 then it is outbound traffic.

When machines in vlan 30 want to communicate with vlan 50, they will send traffic to their default gateway, which is the vlan 30 interface, and so traffic is gonna enter this interface, so it is inbound with a src IP in the vlan 30 subnet.

Regards.

Alain.

Don't forget to rate helpful posts.
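
Added example, not part of the original thread: a small Python model of how the inbound ACL on the SVI a packet enters decides whether it is routed, using the thread's subnets and access-list 199. The mirror list 198 on vlan 50 and all helper names are assumptions introduced here; NAT and outbound ACLs are not modelled.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: bits set to 1 are ignored when comparing."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD'; 'any' is allowed."""
    rules = []
    for line in lines:
        tok = line.split()
        action, rest, ends = tok[2], tok[4:], []
        while rest:
            if rest[0] == "any":
                ends.append(("0.0.0.0", "255.255.255.255"))
                rest = rest[1:]
            else:
                ends.append((rest[0], rest[1]))
                rest = rest[2:]
        rules.append((action, ends[0], ends[1]))
    return rules

def acl_permits(rules, src, dst):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for action, s, d in rules:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action == "permit"
    return False

# SVI subnets from the thread.
SVI = {"vlan30": ipaddress.ip_network("192.168.1.0/24"),
       "vlan50": ipaddress.ip_network("192.168.58.0/24")}

def forwarded(inbound_acls, src, dst):
    """A host's packet enters the router on its own VLAN's SVI, so that
    SVI's inbound ACL (if any) is the one that checks it."""
    svi = next((n for n, net in SVI.items() if ipaddress.ip_address(src) in net), None)
    rules = inbound_acls.get(svi)
    return True if rules is None else acl_permits(rules, src, dst)

ACL_199 = parse_acl([  # as posted in the thread
    "access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.58.0 0.0.0.255",
    "access-list 199 permit ip any any"])
ACL_198 = parse_acl([  # constructed mirror list; the number 198 is an assumption
    "access-list 198 deny ip 192.168.58.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 198 permit ip any any"])

AS_POSTED = {"vlan30": ACL_199}                    # ip access-group 199 in on vlan 30 only
MIRRORED = {"vlan30": ACL_199, "vlan50": ACL_198}  # plus 198 in on vlan 50
```

With only access-list 199 inbound on vlan 30, packets sourced in VLAN 50 are still routed into VLAN 30 (only the replies are dropped); applying the mirror list inbound on vlan 50 closes that direction as well.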

Thank you for your explanation, that is helpful for me.
