03-06-2012 05:15 AM - edited 03-07-2019 05:22 AM
Hello everybody. I am new on this forum, I browsed these pages for a couple of days but I cannot find a solution to my problem.
I'm a beginner in this domain and I will try to explain what I want to do as clearly as possible:
I have a Cisco 2940 switch and a Cisco 1841 router. I want to build two different VLAN networks on the switch, which do not have to communicate with each other, but those VLANs should communicate with the router.
I read a lot of articles, I tried to configure the switch and the router properly, but I still can't get them to work.
I set the GigabitEthernet 0/1 port on the switch to trunk mode and I had to set a native VLAN on it. The problem is that only from that native VLAN can I ping the router.
I'm not sure I understood how these devices work... Please help.
Thanks
03-06-2012 06:00 AM
Hello,
I am not clear when you say you are only able to ping the router from the native VLAN. Do you mean you can ping the router interface from users in the native VLAN and the other VLAN is not communicating with the router?
Could you please paste the config for both switch and router, mentioning the connected ports?
03-06-2012 06:39 AM
Yes. I can ping the router interface from users in the native VLAN but can't ping from any other VLAN.
This is the configuration of the Cisco switch:
Using 3703 out of 32768 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname exit
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
ip subnet-zero
ip dhcp database 1
!
udld aggressive
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
macro global description cisco-global
!
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos cos override
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos cos override
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/3
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos cos override
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos cos override
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos cos override
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos cos override
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/7
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos cos override
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/8
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos cos override
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping trust
!
interface GigabitEthernet0/1
switchport mode trunk
switchport nonegotiate
flowcontrol receive desired
mls qos trust cos
macro description cisco-wireless
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface Vlan1
ip address 192.168.10.3 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan2
ip address 192.168.10.3 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
03-06-2012 06:43 AM
And this is the router configuration:
Using 1511 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool sdm-pool1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
!
ip name-server 193.231.100.130
ip name-server 193.231.100.134
vlan ifdescr detail
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
vlan-range dot1q 1 2 native
exit-vlan-config
!
no cdp enable
!
!
!
!
access-list 1 remark SDM_ACL Category=18
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 permit tcp any any
dialer-list 1 protocol ip permit
03-06-2012 06:45 AM
The main idea is simple. I want to create two VLAN networks, one for a web server and the other for workstations. Both should be able to get outside (to the internet) but they cannot communicate with each other.
03-06-2012 08:07 AM
First thing I see is that you have both VLANs on the same subnet. It would be much better if you could segment your VLANs like below:
interface Vlan1
ip address 192.168.10.3 255.255.255.0
no ip route-cache
no shut
!
interface Vlan2
ip address 192.168.11.3 255.255.255.0
no ip route-cache
Secondly, you will need a DHCP pool for each of the subnets on the router. It would also be advisable to use sub-interfaces on the interface that connects to the switch.
interface FastEthernet0/1
description $ES_LAN$
no ip address
interface FastEthernet0/1.1
encapsulation dot1Q 1
ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.11.1 255.255.255.0
Hope this helps.
03-06-2012 08:48 AM
Are you saying you are using the same subnet on 2 interfaces of the same switch? We cannot have the same subnet on 2 interfaces.
Please use the following configuration on switch and router:
vlan 10 - 192.168.10.x -- web servers
vlan 20 - 192.168.20.x -- workstations
On switch:
=============
switch(Config)#vlan 10
switch(Config)#vlan 20
switch(Config)#int gig0/1
switch(Config-if)#switchport trunk encapsulation dot1q
switch(Config-if)#switchport mode trunk
switch(Config)#int vlan 10
switch(Config-if)#ip address 192.168.10.2 255.255.255.0
switch(Config-if)#no shut
switch(Config)#int vlan 20
switch(Config-if)#ip address 192.168.20.2 255.255.255.0
switch(Config-if)#no shut
switch(Config-if)#exit
switch(Config)#ip default-gateway 192.168.10.1
On router
================
Router(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.2
Router(config)#ip dhcp excluded-address 192.168.20.1 192.168.20.2
R1(config)#ip dhcp pool servers
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.1
R1(config)#ip dhcp pool work-stations
R1(dhcp-config)#network 192.168.20.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.20.1
Router(config)#ip access-list extended 110
Router(config-nacl)#deny ip any 192.168.20.0 0.0.0.255
Router(config-nacl)#permit ip any any
Router(config)#ip access-list extended 111
Router(config-nacl)#deny ip any 192.168.10.0 0.0.0.255
Router(config-nacl)#permit ip any any
Router(config)#int Fa0/0
Router(config-if)#no ip address
Router(config-if)#int Fa0/0.10
Router(config-if)#encapsulation dot1q 10
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#ip access-group 110 in
Router(config-if)#int Fa0/0.20
Router(config-if)#encapsulation dot1q 20
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#ip access-group 111 in
Then leave the workstations as DHCP clients and they will get an IP 192.168.20.x if they are part of VLAN 20 and will
get 192.168.10.x if part of VLAN 10, and you will be able to ping 192.168.20.1 from users in VLAN 20.
Since we have access lists now, these 2 VLANs will not communicate with each other.
HTH
regards,
Mukti
03-06-2012 11:42 AM
Hi,
on the router do this:
access-list 198 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 198 permit ip any any
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.11.0 0.0.0.255
ip nat inside source list 10 interface x/x where x/x is your WAN interface
ip dhcp excluded 192.168.10.1
ip dhcp excluded 192.168.11.1
no ip dhcp conflict logging
ip dhcp pool VLAN1POOL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 193.231.100.130 193.231.100.134
ip dhcp pool VLAN2POOL
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 193.231.100.130 193.231.100.134
default interface f0/1
interface f0/1
no ip address
no sh
int f0/1.1
encap dot1q 1 native
ip add 192.168.10.1 255.255.255.0
ip nat inside
ip access-group 198 in
int f0/1.2
encap dot1q 2
ip address 192.168.11.1 255.255.255.0
ip nat inside
Now you also have to tell us how you're connected to the internet so we can give you the rest of the config.
Could you also tell us which port of the switch is connected to the router?
Regards.
Alain
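The inter-VLAN isolation proposed in Mukti's and Alain's replies can be checked on paper before touching the router. The following is an added example, not code from either post: it models the inbound ACLs as first-match lists (using Mukti's 192.168.10.0/24 and 192.168.20.0/24 numbering), reports which constructed sample flows pass, and contrasts the two-ACL layout with a single deny on one subinterface only, the shape of Alain's list 198.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
NET10 = ip_network("192.168.10.0/24")   # web servers
NET20 = ip_network("192.168.20.0/24")   # workstations (Mukti's numbering)
PERMIT_ALL = [("permit", ANY, ANY)]

def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def allowed(inbound_acls, src, dst):
    """Apply the inbound ACL of whichever subinterface src arrives on."""
    src, dst = ip_address(src), ip_address(dst)
    for net, acl in inbound_acls.items():
        if src in net:
            return acl_permits(acl, src, dst)
    return False  # constructed: unknown ingress is not a LAN subinterface

# Mukti's pair: 110 inbound on the VLAN 10 subinterface, 111 on VLAN 20.
TWO_ACLS = {
    NET10: [("deny", ANY, NET20), ("permit", ANY, ANY)],
    NET20: [("deny", ANY, NET10), ("permit", ANY, ANY)],
}
# One ACL on one subinterface only (deny NET10 -> NET20, permit the rest);
# the other subinterface is left unfiltered.
ONE_ACL = {
    NET10: [("deny", NET10, NET20), ("permit", ANY, ANY)],
    NET20: PERMIT_ALL,
}

FLOWS = {  # constructed sample flows; 203.0.113.10 is a documentation address
    "web_to_ws": ("192.168.10.4", "192.168.20.15"),
    "ws_to_web": ("192.168.20.15", "192.168.10.4"),
    "web_to_internet": ("192.168.10.4", "203.0.113.10"),
    "ws_to_internet": ("192.168.20.15", "203.0.113.10"),
}

def isolation_report(inbound_acls):
    """Map each sample flow to True (permitted) or False (dropped)."""
    return {name: allowed(inbound_acls, s, d) for name, (s, d) in FLOWS.items()}

def fully_isolated(inbound_acls):
    """True only if both LAN-to-LAN flows drop and both internet flows pass."""
    r = isolation_report(inbound_acls)
    return (not r["web_to_ws"] and not r["ws_to_web"]
            and r["web_to_internet"] and r["ws_to_internet"])
```

With a single deny on one side, the workstation VLAN can still reach the web server VLAN; the report makes that gap visible before the ACL is applied.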
03-07-2012 10:24 PM
Wow... there are so many answers that I don't know which is the best one. I will try these variants to see the result.
I didn't mention that I have to do some port forwarding for the web server on the router. (E.g.: ip nat inside source static.....)
Regards..
Daniel
03-08-2012 12:09 AM
I made some modifications to the switch and router configuration. I defined two subinterfaces and a DHCP pool on the router, and now I can ping both subinterfaces of the router from any switch VLAN.
One step is done.
Now I want to forward any IP from the WAN on the HTTP port to the web server, but when I try to ping the web server from the router's console, it doesn't work. Any ideas?
03-08-2012 03:47 PM
Perfect. What is the internal IP of the web server? Are you saying you cannot ping it from the router? It should not be the case if the
server IP is on the 192.168.10.x subnet.
For port forwarding,
let's take it as
web server internal IP - x.x.x.x
outside WAN IP - y.y.y.y
then the statement would be like
ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 ext
To test this, what you need to do is
try telnet to port 80 from outside on IP y.y.y.y
from an outside machine as
telnet y.y.y.y 80
you would see an entry on the router in
show ip nat translation
HTH
Regards,
Mukti
03-08-2012 10:51 PM
"ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 ext" is exactly what I did but still I cannot ping my web server from the router (I used HyperTerminal to connect to the router's serial interface).
I also connected my web server directly to the router's FastEthernet 0/1 interface (LAN int.) and another computer to the WAN port to see if NAT works. Still no result. I read about some ACLs (access lists). How do I use them? If I create something like "access-list 10 permit any", to which interface should I apply this rule?
03-08-2012 11:53 PM
Post the following output:
ipconfig /all from the webserver
from the router:
show run int f0/1
show run int f0/0
show interface f0/1
sh run | in ip nat
ping
03-12-2012 07:56 AM
router#show run int fastet 0/1
Building configuration...
Current configuration : 163 bytes
!
interface FastEthernet0/1
description $ES_LAN$
no ip address
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
end
router#show run int fastet 0/0
Building configuration...
Current configuration : 186 bytes
!
interface FastEthernet0/0
ip address 89.x.x.x 255.255.255.252
ip nat outside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
end
FastEthernet0/1 is up, line protocol is up
Hardware is Gt96k FE, address is 0027.0dc2.3747 (bia 0027.0dc2.3747)
Description: $ES_LAN$
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:59, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
401 packets input, 34866 bytes
Received 293 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
417 packets output, 35141 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface reset
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Pro Inside global      Inside local       Outside local      Outside global
tcp 89.x.x.x:80        192.168.10.4:85    ---                ---
03-12-2012 08:43 AM
A few points:
1. You have not sent ipconfig /all from the webserver. Please post that and ping from the webserver to the router LAN.
2. No need for ip nat enable in conjunction with nat inside and outside. You can remove ip nat enable.
3. ip nat inside has to be assigned on the subinterfaces of LAN f0/1, not the main interface. Please change that.
4. Your NAT entry is incorrect. It is directing traffic coming in on port 80 to the webserver on port 85. I believe you want port 80 to go to port 80 on the LAN. Is that not so?
HTH
Regards,
Mukti
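Mukti's point 4 was found by reading the show ip nat translations table by eye. The following is an added example, not code from any post in the thread: it parses that table format and flags static forwards whose public and private ports differ, the exact mismatch (80 to 85) seen above. The sample table is constructed; the redacted 89.x.x.x address is kept as the page shows it, and the 443 row is added as a consistent entry for contrast.

```python
import re

# Constructed sample modelled on the table pasted earlier in the thread.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 89.x.x.x:80        192.168.10.4:85    ---                ---
tcp 89.x.x.x:443       192.168.10.4:443   ---                ---
"""

ENDPOINT = re.compile(r"^(?P<ip>[^:]+):(?P<port>\d+)$")

def split_endpoint(field):
    """'192.168.10.4:85' -> ('192.168.10.4', 85); '---' -> (None, None)."""
    m = ENDPOINT.match(field)
    return (m["ip"], int(m["port"])) if m else (None, None)

def parse_translations(text):
    """Parse the rows of 'show ip nat translations' into dicts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header line or something that is not a 5-column row
        proto, ig, il, ol, og = fields
        rows.append({
            "proto": proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return rows

def port_mismatches(rows):
    """Translations whose inside-global port differs from the inside-local port."""
    return [
        (r["proto"], r["inside_global"], r["inside_local"])
        for r in rows
        if r["inside_global"][1] != r["inside_local"][1]
    ]
```

Paste the router's real table into SAMPLE (or read it from a file) and any row that comes back from port_mismatches is a forward that will not deliver port 80 to port 80.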