How to configure a Cisco 2940 switch to work with a Cisco 1841 router?

danielnitoi
Level 1

Hello everybody. I am new on this forum; I browsed these pages for a couple of days but I cannot find a solution to my problem.

I'm a beginner in this domain and I will try to explain what I want to do as clearly as possible:

I have a Cisco 2940 switch and a Cisco 1841 router. I want to build two different VLAN networks on the switch, which do not have to communicate with each other, but those VLANs should communicate with the router.

I read a lot of articles and I tried to configure the switch and the router properly, but I still can't get them to work.

On the switch, I set the GigabitEthernet 0/1 port to trunk mode and I had to set a native VLAN on it. The problem is that I can ping the router only from that native VLAN.

I'm not sure I understood how these devices work... Please help.

Thanks

17 Replies

Mukti chandwani
Level 1

Hello,

I am not clear when you say you are only able to ping the router from the native VLAN. Do you mean you can ping the router interface from users in the native VLAN and the other VLAN is not communicating with the router?

Could you please paste the config for both switch and router, mentioning the connected ports?

Yes. I can ping the router interface from users in the native VLAN but can't ping it from any other VLAN.

This is the configuration of the Cisco switch:

Using 3703 out of 32768 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname exit
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
ip subnet-zero
ip dhcp database 1
!
udld aggressive
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
macro global description cisco-global
!
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/8
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 flowcontrol receive desired
 mls qos trust cos
 macro description cisco-wireless
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface Vlan1
 ip address 192.168.10.3 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan2
 ip address 192.168.10.3 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server

And this is the router configuration:

Using 1511 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool sdm-pool1
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
!
!
ip name-server 193.231.100.130
ip name-server 193.231.100.134
vlan ifdescr detail
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 vlan-range dot1q 1 2 native
  exit-vlan-config
!
no cdp enable
!
!
!
!
access-list 1 remark SDM_ACL Category=18
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 permit tcp any any
dialer-list 1 protocol ip permit

The main idea is simple. I want to create two VLAN networks, one of them for a web server and the other one for workstations. Both should be able to get outside (on the internet) but they cannot communicate with each other.

The first thing I see is that you have both VLANs on the same subnet. It would be much better if you could segment your VLANs like below:

interface Vlan1
 ip address 192.168.10.3 255.255.255.0
 no ip route-cache
 no shut
!
interface Vlan2
 ip address 192.168.11.3 255.255.255.0
 no ip route-cache

Secondly, you will need to have a DHCP pool for each of the subnets on the router. It would also be advisable to do sub-interfaces on the interface that connects to the switch.

interface FastEthernet0/1
 description $ES_LAN$
 no ip address
interface FastEthernet0/1.1
 encapsulation dot1Q 1
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.11.1 255.255.255.0

Hope this helps.

Are you saying you are using the same subnet on 2 interfaces of the same switch? We cannot have the same subnet on 2 interfaces.

Please use the following configuration on switch and router:

vlan 10 - 192.168.10.x - web servers
vlan 20 - 192.168.20.x - workstations

On switch:
=============
switch(Config)#vlan 10
switch(Config)#vlan 20
switch(Config)#int gig0/1
switch(Config-if)#switchport trunk encapsulation dot1q
switch(Config-if)#switchport mode trunk
switch(Config)#int vlan 10
switch(Config-if)#ip address 192.168.10.2 255.255.255.0
switch(Config-if)#no shut
switch(Config)#int vlan 20
switch(Config-if)#ip address 192.168.20.2 255.255.255.0
switch(Config-if)#no shut
switch(Config-if)#exit
switch(Config)#ip default-gateway 192.168.10.1

On router:
================
Router(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.2
Router(config)#ip dhcp excluded-address 192.168.20.1 192.168.20.2
R1(config)#ip dhcp pool servers
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.1
R1(config)#ip dhcp pool work-stations
R1(dhcp-config)#network 192.168.20.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.20.1
Router(config)#ip access-list extended 110
Router(config-nacl)#deny ip any 192.168.20.0 0.0.0.255
Router(config-nacl)#permit ip any any
Router(config)#ip access-list extended 111
Router(config-nacl)#deny ip any 192.168.10.0 0.0.0.255
Router(config-nacl)#permit ip any any
Router(config)#int Fa0/0
Router(config-if)#no ip address
Router(config-if)#int Fa0/0.10
Router(config-if)#encapsulation dot1q 10
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#ip access-group 110 in
Router(config-if)#int Fa0/0.20
Router(config-if)#encapsulation dot1q 20
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#ip access-group 111 in

Then let the workstations be DHCP clients and they will get IP 192.168.20.x if they are part of VLAN 20 and will get 192.168.10.x if part of VLAN 10, and you will be able to ping 192.168.20.1 from users in VLAN 20.

Since we have access lists now, these 2 VLANs will not communicate with each other.

HTH

regards,

Mukti

Hi,

on the router do this:

access-list 198 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 198 permit ip any any
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.11.0 0.0.0.255
ip nat inside source list 10 interface x/x      (where x/x is your WAN interface)
ip dhcp excluded 192.168.10.1
ip dhcp excluded 192.168.11.1
no ip dhcp conflict
ip dhcp pool VLAN1POOL
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 193.231.100.130 193.231.100.134
ip dhcp pool VLAN2POOL
 network 192.168.11.0 255.255.255.0
 default-router 192.168.11.1
 dns-server 193.231.100.130 193.231.100.134
default interface f0/1
interface f0/1
 no ip address
 no sh
int f0/0.1
 encap dot1q 1 native
 ip add 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group 198 in
int f0/1.2
 encap dot1q 2
 ip address 192.168.11.1 255.255.255.0
 ip nat inside

Now you also have to tell us how you're connected to the internet to give you the rest of the config.

Could you also tell us which port of the switch is connected to the router?

Regards.

Alain

Don't forget to rate helpful posts.
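To see what the two ACL sets in the replies above actually decide, here is an added example (not from either reply, and not Cisco's code) that parses the posted entries with IOS wildcard-mask semantics and evaluates a source/destination pair the way the inbound ACL on a subinterface would; the ACL text is constructed from the lines the two posters gave.

```python
import ipaddress

# ACLs constructed from the two replies above: Mukti's extended lists 110/111
# and Alain's numbered list 198 (IOS syntax; an address is 'any' or 'A.B.C.D WILDCARD').
ACL_TEXT = """
ip access-list extended 110
 deny ip any 192.168.20.0 0.0.0.255
 permit ip any any
ip access-list extended 111
 deny ip any 192.168.10.0 0.0.0.255
 permit ip any any
access-list 198 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 198 permit ip any any
"""

def _addr_spec(tokens):
    """Consume 'any' or 'A.B.C.D WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return tuple(int(ipaddress.IPv4Address(t)) for t in tokens[:2]), tokens[2:]

def parse_acls(text):
    """Return {name: [(action, src_spec, dst_spec), ...]} in configured order."""
    acls, current = {}, None
    for tokens in (line.split() for line in text.splitlines() if line.strip()):
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            continue
        if tokens[0] == "access-list":  # numbered form carries the name on every line
            current, tokens = tokens[1], tokens[2:]
        src, rest = _addr_spec(tokens[2:])  # tokens[1] is the protocol ('ip' here)
        dst, _ = _addr_spec(rest)
        acls.setdefault(current, []).append((tokens[0], src, dst))
    return acls

def _matches(address, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to IOS's implicit deny."""
    for action, src_spec, dst_spec in acl:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"

ACLS = parse_acls(ACL_TEXT)
```

Evaluating list 198 for a 192.168.11.x source and a 192.168.10.x destination returns permit, because that list only names the 10.0 to 11.0 direction; lists 110 and 111 each deny the other VLAN's subnet on their own inbound interface.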

Wow.. there are so many answers that I don't know which is the best one. I will try these variants to see the result.

I didn't mention that I have to do some port forwarding for the web server on the router (e.g. ip nat inside source static.....).

Regards..

Daniel

I made some modifications to the switch and router configuration. I defined two subinterfaces and a DHCP pool on the router, and now I can ping both subinterfaces of the router from any switch VLAN.

One step is done.

Now I want to forward any IP from the WAN on the HTTP port to the web server, but when I try to ping the web server from the router's console, it doesn't work. Any ideas?

Perfect. What is the internal IP of the web server? Are you saying you cannot ping it from the router? It should not be the case if the server IP is on the 192.168.10.x subnet.

For port forwarding, let's take it as:

web server internal IP - x.x.x.x

outside WAN IP - y.y.y.y

Then the statement would be like:

ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 ext

To test this, what you need to do is try telnet to port 80 from outside on IP y.y.y.y, from an outside machine, as:

telnet y.y.y.y 80

You would see the entry on the router in:

show ip nat translation

HTH

Regards,

Mukti

"ip nat inside source static tcp x.x.x.x 80 y.y.y.y 80 ext" is exactly what I did, but still I cannot ping my web server from the router (I used HyperTerminal to connect to the router's serial interface).

I also connected my web server directly to the router's FastEthernet 0/1 interface (LAN int.) and another computer to the WAN port to see if NAT works. Still no result. I read about some ACLs (access lists). How do I use them? If I create something like this: "access-list 10 permit any", to which interface should I apply this rule?

Post the following output:

ipconfig/all from webserver

from router:

show run int f0/1

show run int f0/0

show interface f0/1

sh run | in ip nat

ping

router#show run int fastet 0/1
Building configuration...

Current configuration : 163 bytes
!
interface FastEthernet0/1
 description $ES_LAN$
 no ip address
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
end

router#show run int fastet 0/0
Building configuration...

Current configuration : 186 bytes
!
interface FastEthernet0/0
 ip address 89.x.x.x 255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
end

FastEthernet0/1 is up, line protocol is up
  Hardware is Gt96k FE, address is 0027.0dc2.3747 (bia 0027.0dc2.3747)
  Description: $ES_LAN$
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:59, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     401 packets input, 34866 bytes
     Received 293 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     417 packets output, 35141 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface reset
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Pro Inside global      Inside local       Outside local      Outside global
tcp 89.x.x.x:80        192.168.10.4:85    ---                ---

A few points:

1. You have not sent ipconfig /all from the webserver. Please post that and ping from the webserver to the router LAN.

2. No need for ip nat enable in conjunction with ip nat inside and outside. You can remove ip nat enable.

3. ip nat inside has to be assigned on the subinterfaces of LAN f0/1, not the main interface. Please change that.

4. Your NAT entry is incorrect. It is directing traffic coming in on port 80 to the webserver on port 85. I believe you want port 80 to go to port 80 on the LAN. Is it not?

HTH

Regards,

Mukti
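The points in the reply above can be checked mechanically against a running config. The following added example (not part of the thread and not Cisco tooling) audits a constructed copy of the router snippets posted earlier for the three NAT issues raised: ip nat enable next to ip nat inside/outside, ip nat inside on the parent interface instead of its dot1Q subinterfaces, and a static translation whose inside and outside ports differ; 192.0.2.1 is a placeholder for the WAN address the thread masks as 89.x.x.x.

```python
import re

# Constructed router snippet reproducing the three points in the reply above;
# 192.0.2.1 is a placeholder for the WAN address that the thread shows as 89.x.x.x.
CONFIG = """
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip nat enable
interface FastEthernet0/1
 no ip address
 ip nat inside
 ip nat enable
interface FastEthernet0/1.1
 encapsulation dot1Q 1
 ip address 192.168.10.1 255.255.255.0
ip nat inside source static tcp 192.168.10.4 85 192.0.2.1 80 extendable
"""

def parse_interfaces(text):
    """Group each interface's indented sub-commands under its name: {name: [commands]}."""
    intfs, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            intfs[current] = []
        elif current and line.startswith(" "):
            intfs[current].append(line.strip())
        else:
            current = None  # a global (unindented) command ends the interface block
    return intfs

def audit(text):
    """Return human-readable findings for the NAT problems discussed in the thread."""
    findings, intfs = [], parse_interfaces(text)
    for name, cmds in intfs.items():
        classic = any(c in ("ip nat inside", "ip nat outside") for c in cmds)
        if "ip nat enable" in cmds and classic:
            findings.append(f"{name}: 'ip nat enable' is redundant next to ip nat inside/outside")
        has_subifs = any(other.startswith(name + ".") for other in intfs)
        if "ip nat inside" in cmds and has_subifs:
            findings.append(f"{name}: 'ip nat inside' sits on the parent; apply it on the dot1Q subinterfaces")
    static = r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)"
    for local, lport, glob, gport in re.findall(static, text, re.M):
        if lport != gport:
            findings.append(f"static NAT {glob}:{gport} -> {local}:{lport}: inside and outside ports differ")
    return findings

FINDINGS = audit(CONFIG)
```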
