Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
928
Views
0
Helpful
4
Replies

new to vlans

dkearns1069
Level 1
Level 1

‎01-16-2013 04:13 AM - edited ‎03-07-2019 11:07 AM

Hi all,

Hope you can help, have been asked to look into setting up some vlans and could do with some basic information/assistance.

Initally we would like to vlan one office (more to come later). we have a cisco 2800 router which we can use for controlling our vlans.

Our set up is like this :

cisco 2911 (Managed and very little control over) this houses our external internet link

cisco 2800 (Full control over, doing nothing now)

Ive currently set

fa0/0 to 192.168.10.5 talk to the 2911 which is on 192.168.10.1 and hopefully try to use this link as our "uplink" to the internet

fa0/1 is set to 172.16.15.254 which is main buildings network, so i can communicate with the router etc

fa/0/1/1 I have (hopefully) put into vlan20 on 10.10.10.1 (hopefully to be the gateway for 10.10.10.0 network which is to be the other building)

and i have a test computer on 10.10.10.2.

from the 2800 i can ping all addresses (uplink on 192.168.10.1, main network 172.16.10.0 and the test computer 10.10.10.2)

from the computer i can ping the router 10.10.10.1.

What I will eventually need to do, is have vlan20 network with internet access via the 192.168.10.1 link, and also to our servers.

I feel i am missing some step and have spent a few days now trying to learn cisco/routing/gateways to no avail. I believe i need to gateway the vlan via the internet link, to give them internet access (manually putting the computer on a 192 address gatewayed to the internet router works). and eventually The vlan20 will need access to our servers aswell as they will be accessing information from those (which are currently on the main network (172.*)

[spoiler]

Using 1702 out of 196600 bytes

!

version 12.4

service config

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname KHVIII-Router

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 <removed>

enable password <removed>

!

no aaa new-model

ip cef

!

!

!

!

ip name-server 172.16.10.12

!

!

crypto pki trustpoint TP-self-signed-2442068499

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2442068499

revocation-check none

rsakeypair TP-self-signed-2442068499

!

!

crypto pki certificate chain TP-self-signed-2442068499

certificate self-signed 01 nvram:IOS-Self-Sig#3939.cer

username admin privilege 15 password 0 <removed>

!

!

!

!

interface FastEthernet0/0

ip address 192.168.10.5 255.255.255.0

speed auto

full-duplex

no mop enabled

!

interface FastEthernet0/1

description $ETH-LAN$

ip address 172.16.15.254 255.255.248.0

duplex auto

speed auto

!

interface FastEthernet0/1/0

description VLan 20 - IT Support

switchport access vlan 20

duplex full

speed 10

!

interface FastEthernet0/1/1

shutdown

!

interface FastEthernet0/1/2

shutdown

!

interface FastEthernet0/1/3

shutdown

!

interface Vlan1

no ip address

shutdown

!

interface Vlan20

ip address 10.10.10.1 255.255.255.0

!

ip default-gateway 192.168.10.1

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 172.16.10.1

ip route 10.10.10.0 255.255.255.0 192.168.1.1

!

ip http server

ip http authentication local

ip http secure-server

!

snmp-server community public RO

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

password <removed>

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

[/spoiler]

Labels:
0 Helpful
4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

‎01-16-2013 01:38 PM

Daniel

I would say that you have made a pretty good start. I see a couple of things in the config that you have posted.

- the default-gateway command would be used only if the router starts acting as an IP host. Having the command in the config does not hurt anything, but it is not accomplishing much.

- you have a static route for 10.10.10.0 which you do not need. That subnet is a connected route and therefore you do not need a route statement for it. And why would you use 192.168.1.1 as the next hop?

- you have a static default route configured, which is a good thing. But why use 172.16.10.1 as the next hop? It would seem to make more sense to use 192.168.10.1 as the next hop.

You tell us that the test computer can ping the router at 10.10.10.1. But you do not tell us whether the test computer can ping anything else? As a start can the test computer ping the fa0/0 and fa0/1 interfaces on the 2800 router? For the test computer to ping the 2911 your posted config should work - but you will need a route on the 2911 that gets to 10.10.10.0 using the 2800 as a next hop. Similarly your config should route packets from the test computer to the main building network. But that network needs a route back to 10.10.10.0 for communications to be successful.

HTH

Rick

HTH

Rick
0 Helpful

dkearns1069
Level 1
Level 1
In response to Richard Burts

‎01-17-2013 01:52 AM

Thanks for the reply!

(and for not laughing at my config )

1) I read later in the day regarding default-gateway, so have removed that.

2) I was hoping to use 192.168.10.1 as a gateway to give access, but got it wrong have removed that aswell.

3) 172.16.10.1 was entered by mistake. guess my hands are on auto from working with our normal network, it was as you correctly said, intended to be 192.168.10.1.

some more info for you, if i directly connect the test pc to the 911, on a 192.10.10.0 ip and put the 911 as the gateway, i can connect to the internet just fine.

putting the test pc back onto the 2800, in its 10.10.10.2 address, i can ping all the up/up interfaces on the 2800 (this surprised me actually, i was expecting them to be "seperate". But that was just my impression.

Trying to ping 192.168.10.1 (the 2911) failes with a time out.

Due to the nature of the traffic on the remote building, The end-goal is hopefully to have vlan20 on a seperate range of ip's to the main network, without communications to the main network, other than our housed servers and internet. I suspect I will need to vlan the servers and enable routing between them. but I'm trying to learn one step at a time.

Thanks for the help so far.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to dkearns1069

‎01-17-2013 11:26 AM

Daniel

I certainly agree about trying to learn one step at a time. And it looks to me like you are making progress.

I believe that when you attempt to ping from the test PC to the 2911 your ping gets to the 2911. But it does not have a route for the 10.10.10 network and so can not send a response. If you (or someone who has access) can configure a route on the 2911 for 10.10.10 with the 2800 as the next hop then I believe that you would be able to ping the 2911.

Once you can ping the 2911 you might want to try access to the Internet. I predict that you will have problems with that and that the problem will be about doing Network Address Translation for the 10.10.10 network. But go one step at a time.

HTH

Rick

HTH

Rick
0 Helpful

dkearns1069
Level 1
Level 1
In response to Richard Burts

‎01-22-2013 12:45 AM

I will get a call logged with our ISP regarding the 2911 and let you know what happens.

Thanks thus far.

Dan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card