How to configure a cisco 2940 switch to work with cisco 1841 router?

Unanswered Question
Mar 6th, 2012

Hello everybody. I am new on this forum; I browsed these pages for a couple of days but I cannot find a solution to my problem.

I'm a beginner in this domain and I will try to explain what I want to do as clearly as possible:

I have a Cisco 2940 switch and a Cisco 1841 router. I want to build two different VLAN networks on the switch, which do not have to communicate with each other, but those VLANs should communicate with the router.

I read a lot of articles and tried to configure the switch and the router properly, but I still can't get them to work.

On the switch I set the GigabitEthernet 0/1 port to trunk mode, and I had to give it a native VLAN. The problem is that I can ping the router only from that native VLAN.

I'm not sure I understood how these devices work... Please help.

Thanks

Mukti chandwani Tue, 03/06/2012 - 06:00

Hello,

I am not clear on what you mean when you say you are only able to ping the router from the native VLAN. Do you mean you can ping the router interface from users in the native VLAN and the other VLAN is not communicating with the router?

Could you please paste the config for both switch and router, mentioning the connected ports?

danielnitoi Tue, 03/06/2012 - 06:39

Yes. I can ping the router interface from users in the native VLAN but can't ping it from any other VLAN.

This is the configuration of the Cisco switch:

Using 3703 out of 32768 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname exit
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
ip subnet-zero
ip dhcp database 1
!
udld aggressive
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
macro global description cisco-global
!
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/8
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 flowcontrol receive desired
 mls qos trust cos
 macro description cisco-wireless
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface Vlan1
 ip address 192.168.10.3 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan2
 ip address 192.168.10.3 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server

danielnitoi Tue, 03/06/2012 - 06:43

And this is the router configuration:


Using 1511 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool sdm-pool1
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
!
!
ip name-server 193.231.100.130
ip name-server 193.231.100.134
vlan ifdescr detail
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 vlan-range dot1q 1 2 native
  exit-vlan-config
!
no cdp enable
!
!
!
!
access-list 1 remark SDM_ACL Category=18
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 permit tcp any any
dialer-list 1 protocol ip permit

danielnitoi Tue, 03/06/2012 - 06:45

The main idea is simple. I want to create two VLAN networks: one of them is for a web server and the other one is for workstations. Both should be able to get outside (on the internet), but they cannot communicate with each other.

Mandlenkosi Nkiwane Tue, 03/06/2012 - 08:07

First thing I see is that you have both VLANs on the same subnet. It would be much better if you could segment your VLANs like below:

interface Vlan1
 ip address 192.168.10.3 255.255.255.0
 no ip route-cache
 no shut
!
interface Vlan2
 ip address 192.168.11.3 255.255.255.0
 no ip route-cache

Secondly, you will need to have a DHCP pool for each of the subnets on the router. It would be advisable also to do sub-interfaces on the interface that connects to the switch.

interface FastEthernet0/1
 description $ES_LAN$
 no ip address

interface FastEthernet0/1.1
 encapsulation dot1Q 1
 ip address 192.168.10.1 255.255.255.0

interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.11.1 255.255.255.0

Hope this helps.

Mukti chandwani Tue, 03/06/2012 - 08:48

Are you saying you are using the same subnet on 2 interfaces of the same switch? We cannot have the same subnet on 2 interfaces.

Please use the following configuration on the switch and router:

VLAN 10 - 192.168.10.x - web servers
VLAN 20 - 192.168.20.x - workstations

On switch:
=============

switch(Config)#vlan 10
switch(Config)#vlan 20

switch(Config)#int gig0/1
switch(Config-if)#switchport trunk encapsulation dot1q
switch(Config-if)#switchport mode trunk

switch(Config)#int vlan 10
switch(Config-if)#ip address 192.168.10.2 255.255.255.0
switch(Config-if)#no shut

switch(Config)#int vlan 20
switch(Config-if)#ip address 192.168.20.2 255.255.255.0
switch(Config-if)#no shut

switch(Config-if)#exit
switch(Config)#ip default-gateway 192.168.10.1

On router
================

Router(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.2
Router(config)#ip dhcp excluded-address 192.168.20.1 192.168.20.2

R1(config)#ip dhcp pool servers
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.1

R1(config)#ip dhcp pool work-stations
R1(dhcp-config)#network 192.168.20.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.20.1

Router(config)#ip access-list extended 110
Router(config-nacl)#deny ip any 192.168.20.0 0.0.0.255
Router(config-nacl)#permit ip any any

Router(config)#ip access-list extended 111
Router(config-nacl)#deny ip any 192.168.10.0 0.0.0.255
Router(config-nacl)#permit ip any any

Router(config)#int Fa0/0
Router(config-if)#no ip address
Router(config-if)#int Fa0/0.10
Router(config-if)#encapsulation dot1q 10
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#ip access-group 110 in

Router(config-if)#int Fa0/0.20
Router(config-if)#encapsulation dot1q 20
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#ip access-group 111 in

Then leave the workstations as DHCP clients: they will get an IP of 192.168.20.x if they are part of VLAN 20 and 192.168.10.x if part of VLAN 10, and you will be able to ping 192.168.20.1 from users in VLAN 20.

Since we have the access lists now, these 2 VLANs will not communicate with each other.

HTH

regards,
Mukti

cadet alain Tue, 03/06/2012 - 11:42

Hi,

on the router do this:

access-list 198 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 198 permit ip any any
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.11.0 0.0.0.255
ip nat inside source list 10 interface x/x      where x/x is your WAN interface
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.11.1
no ip dhcp conflict logging
ip dhcp pool VLAN1POOL
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 193.231.100.130 193.231.100.134
ip dhcp pool VLAN2POOL
 network 192.168.11.0 255.255.255.0
 default-router 192.168.11.1
 dns-server 193.231.100.130 193.231.100.134

default interface f0/1
interface f0/1
 no ip address
 no sh
int f0/1.1
 encap dot1q 1 native
 ip add 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group 198 in
int f0/1.2
 encap dot1q 2
 ip address 192.168.11.1 255.255.255.0
 ip nat inside

Now you also have to tell us how you're connected to the internet to give you the rest of the config.

Could you also tell us which port of the switch is connected to the router.

Regards.

Alain
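To make the difference between the two ACL proposals in this thread concrete, here is an added Python model (not code from the thread, from Cisco, or from either poster) that parses the IOS-style access-list lines quoted above and evaluates them per inbound subinterface the way the router does: first match wins, implicit deny at the end. The subnet-to-ACL bindings are taken from the two answers; the host addresses in the test flows are constructed.

```python
import ipaddress

# Constructed from the two answers above: Mukti's ACL pair (110 inbound on the VLAN 10
# subinterface, 111 on VLAN 20) and Alain's single ACL 198 (inbound on f0/1.1 only).
MUKTI_ACLS = """
access-list 110 deny ip any 192.168.20.0 0.0.0.255
access-list 110 permit ip any any
access-list 111 deny ip any 192.168.10.0 0.0.0.255
access-list 111 permit ip any any
"""
MUKTI_INBOUND = {"192.168.10.0/24": "110", "192.168.20.0/24": "111"}  # subnet -> inbound ACL
ALAIN_ACLS = """
access-list 198 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 198 permit ip any any
"""
ALAIN_INBOUND = {"192.168.10.0/24": "198", "192.168.11.0/24": None}  # None = no ACL applied

def _addr_matcher(tokens, i):
    """Consume one IOS address spec ('any' or 'NETWORK WILDCARD'); return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    net = int(ipaddress.ip_address(tokens[i]))
    care = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (lambda ip, n=net, m=care: (int(ip) & m) == (n & m)), i + 2

def parse_acls(text):
    """Return {acl_number: [(permit, src_matcher, dst_matcher), ...]} from 'access-list N permit|deny ip ...' lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only the plain IP entries used in the thread are modelled
        src, i = _addr_matcher(t, 4)
        dst, _ = _addr_matcher(t, i)
        acls.setdefault(t[1], []).append((t[2] == "permit", src, dst))
    return acls

def acl_permits(entries, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((permit for permit, sm, dm in entries if sm(s) and dm(d)), False)

def router_forwards(acl_text, inbound, src, dst):
    """Choose the inbound ACL by the subinterface (subnet) the packet enters on, then evaluate it."""
    acls = parse_acls(acl_text)
    for subnet, acl_id in inbound.items():
        if ipaddress.ip_address(src) in ipaddress.ip_network(subnet):
            return True if acl_id is None else acl_permits(acls[acl_id], src, dst)
    return True  # not from a LAN subinterface: no LAN inbound ACL applies
```

Running the flows shows that Mukti's symmetric pair drops traffic in both directions, while Alain's ACL 198 on f0/1.1 alone drops VLAN 1 to VLAN 2 but still forwards VLAN 2 to VLAN 1 (the replies are dropped, so TCP sessions fail, but one-way UDP or ICMP from the workstation VLAN reaches the server VLAN). If full isolation is required, a mirror ACL inbound on the VLAN 2 subinterface closes that gap.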

danielnitoi Wed, 03/07/2012 - 22:24

Wow.. there are so many answers that I don't know which is the best one. I will try these variants to see the result.

I didn't mention that I have to do some port forwarding for the web server on the router (EX: ip nat inside source static.....).

Regards..
Daniel

danielnitoi Thu, 03/08/2012 - 00:09

I made some modifications to the switch and router configuration. I defined two subinterfaces and a DHCP pool on the router, and now I can ping both subinterfaces of the router from any switch VLAN.

One step is done.

Now I want to forward any IP from the WAN on the HTTP port to the web server, but when I try to ping the web server from the router's console, it doesn't work. Any ideas?

Mukti chandwani Thu, 03/08/2012 - 15:47

Perfect. What is the internal IP of the web server? Are you saying you cannot ping it from the router? It should not be the case if the server IP is on the 192.168.10.x subnet.

For port forwarding:

Let's take it as
web server internal IP - x.x.x.x
outside WAN IP - y.y.y.y

Then the statement would be like

ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 ext

To test this, what you need to do is try telnet to port 80 from outside on IP y.y.y.y, from the outside machine as

telnet y.y.y.y 80

You would see the entry on the router in

show ip nat translation

HTH

Regards,
Mukti

danielnitoi Thu, 03/08/2012 - 22:51

"ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 ext" is exactly what I did, but still I cannot ping my web server from the router (I used HyperTerminal to connect to the router's serial interface).

I also connected my web server directly to the router's FastEthernet 0/1 interface (LAN int.) and another computer to the WAN port to see if NAT works. Still no result. I read about some ACLs (access lists). How do I use them? If I create something like this: "access-list 10 permit any", to which interface should I apply this rule?

Mukti chandwani Thu, 03/08/2012 - 23:53

Post the following output:

ipconfig /all from the web server

From the router:

show run int f0/1
show run int f0/0
show interface f0/1
sh run | in ip nat
ping

danielnitoi Mon, 03/12/2012 - 07:56

router#show run int fastet 0/1
Building configuration...

Current configuration : 163 bytes
!
interface FastEthernet0/1
 description $ES_LAN$
 no ip address
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
end

router#show run int fastet 0/0
Building configuration...

Current configuration : 186 bytes
!
interface FastEthernet0/0
 ip address 89.x.x.x  255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
end

FastEthernet0/1 is up, line protocol is up
  Hardware is Gt96k FE, address is 0027.0dc2.3747 (bia 0027.0dc2.3747)
  Description: $ES_LAN$
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:59, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     401 packets input, 34866 bytes
     Received 293 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     417 packets output, 35141 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface reset
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Pro Inside global      Inside local       Outside local      Outside global
tcp 89.x.x.x:80      192.168.10.4:85          ---                      ---

Mukti chandwani Mon, 03/12/2012 - 08:43

Few points:

1. You have not sent ipconfig /all from the web server. Please post that and ping from the web server to the router LAN.

2. No need for ip nat enable in conjunction with nat inside and outside. You can remove ip nat enable.

3. ip nat inside has to be assigned on the subinterface of LAN f0/1, not the main interface. Please change that.

4. Your NAT entry is incorrect: it is directing traffic coming in on port 80 to the web server on port 85. I believe you want port 80 to go to port 80 on the LAN. Is that not so?

HTH

Regards,
Mukti

danielnitoi Mon, 03/12/2012 - 23:41

My web server runs on port 85. I made that NAT entry on my fast0/1.1 subinterface and now it works just fine. However, I still have one little problem. When I try to ping the outside WAN (an IP address) from the LAN, it doesn't work. Only the ping to the outside interface (fast0/0) works. What am I missing? How do I use access lists? Do I need them?

Mukti chandwani Tue, 03/13/2012 - 00:33

1. Do you mean ping 89.x.x.x (interface IP) works and
ping 89.x.x.x (interface IP) source f0/0.1 does not? Or are you trying to ping the ISP next hop?

Please make sure you have f0/0.1 up/up when you are trying to ping the local WAN IP.

2. Is the internet working?
Please paste the output of
sh run | in ip nat

Mukti chandwani Tue, 03/13/2012 - 00:35

Sorry, mistyped. I meant: please make sure you have f0/1.1 up/up when you are trying to ping the local WAN IP.
