02-05-2012 04:16 PM - edited 03-07-2019 04:44 AM
Hi
I recently set up a small photography business and am trying to get a Cisco 877 and a Cisco SG300-10 switch to talk to each other.
What I want is for the Cisco 877 to handle the internet and the SG300-10 to handle the local network.
I have set up 2 vlans in trunk mode on the switch and want vlan2 to manage local traffic and vlan3 to handle the internet.
I have got the 877 connecting to the internet. What I don't have, and this is where I need some advice, is traffic going to vlan2 on the switch from the 877.
Can someone have a look at the running configs for the switch and the router and tell me how to get the vlan on the router to pass traffic to the switch?
In a nutshell, I am inserting the internet into the switch but am not sure how to progress.
I have the c870-advipservicesk9 image file on the router.
Many thanks in advance
Switch Config
interface gi2
description connection-to-data-vlan
exit
interface gi3
description connection-to-internet-vlan
exit
vlan database
vlan 10,20
exit
voice vlan interface vlan 10
ip address 192.168.0.20 255.255.255.0
exit
interface vlan 20
ip address 192.168.4.2 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.4.1
bonjour interface range vlan 1
hostname switch
no snmp-server server
ip domain name h4photo
ip name-server 192.168.0.1
interface gigabitethernet1
switchport trunk native vlan 10
exit
interface gigabitethernet2
switchport trunk native vlan 10
exit
interface gigabitethernet3
switchport trunk native vlan 20
exit
interface gigabitethernet4
switchport trunk native vlan 10
exit
interface gigabitethernet5
switchport trunk native vlan 10
exit
interface gigabitethernet6
switchport trunk native vlan 10
exit
interface gigabitethernet7
switchport trunk native vlan 10
exit
interface gigabitethernet8
switchport trunk native vlan 10
exit
interface gigabitethernet9
switchport trunk native vlan 10
exit
interface gigabitethernet10
switchport trunk native vlan 10
exit
Router Config
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3755051922
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3755051922
revocation-check none
rsakeypair TP-self-signed-3755051922
!
!
crypto pki certificate chain TP-self-signed-3755051922
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373535 30353139 3232301E 170D3132 30313233 31333137
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37353530
35313932 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C047 3D12CA6C 6E0B81FD 92AE06A9 D9F5E328 E146A0B2 4CD14AFD 29912FA4
0993DC51 7C7DDA8D 4609CA70 972AB135 5899BA69 5CEB3D85 50C378E9 6AC3CB55
384E7C16 B9E62F58 2C330E7D CD54BE60 5DA0F0BA F5C104F8 9CBE3EA7 68430950
BD74B25F 8DD4DCB7 731AEE0D 8158952E 4A6D0212 44608CCA 0BBFB1F7 3744DCC5
19350203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13726F75 7465722E 73746576 656E736F 6E2E6363 301F0603
551D2304 18301680 147442F8 2B37E214 CB46C6E5 AF7E5FA8 617A4A91 2C301D06
03551D0E 04160414 7442F82B 37E214CB 46C6E5AF 7E5FA861 7A4A912C 300D0609
2A864886 F70D0101 04050003 81810057 050EE540 8632C98F AF58E787 CAC33DAC
44CB9105 4DE3647F 056E0738 480194C0 5F470423 4FA24495 11667953 302082BB
EDED67FB F71E8DA1 AE8F84CC A561F8E4 EBFA5E27 3EA83D8C 31D70877 A69EAD34
0217E823 198648F5 4091773D 49A771F6 A9630DB9 4D63A15A F7FDFE37 1C440A13
43993D34 A3CC1B86 937AC423 6D74FB
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.20
!
ip dhcp pool local-pool
import all
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
lease 6 23 59
!
!
ip cef
ip domain name h4photo.co.uk
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxxx privilege 15 password 0 xxxxxxx
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
ip access-group 102 out
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Vlan1
ip address 192.168.4.1 255.255.255.224
ip access-group 101 in
ip mtu 1242
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
!
interface Dialer1
description adsl dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1432
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxx@xxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
02-05-2012 06:19 PM
If you are running IOS version 12.4 or 15.X in your 870 router, this will only limit the number of VLAN support to TWO (2) with VLAN 1 included.
If you want to run more than 2 VLANs then you need to downgrade the IOS to 12.3.
02-06-2012 01:07 AM
Hi Leolaohoo
Thanks for the reply. I am a bit confused here: I added 3 more vlans on the 877 without any problem (see startup-config below). Are you saying that even though I can add up to 4 vlans, what I want to do will not work with IOS 12.4 and I will need to go to 12.3?
I thought that if one has ADVANCED IP SERVICES there are 4 vlans available, and if one has ADVANCED SECURITY you only have 2 vlans.
Why do I need more than 1 working vlan on the router? Is it not possible for all traffic that is in the 192.168.0.0 range to be handled by the switch, and anything that is not meant for the 192.168.0.0 network to go out to the router?
I am sure this is not difficult to do; maybe you could point me to an example of how to configure this.
Regards Robert
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3755051922
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3755051922
revocation-check none
rsakeypair TP-self-signed-3755051922
!
!
crypto pki certificate chain TP-self-signed-3755051922
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373535 30353139 3232301E 170D3132 30313234 32323432
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37353530
35313932 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C047 3D12CA6C 6E0B81FD 92AE06A9 D9F5E328 E146A0B2 4CD14AFD 29912FA4
0993DC51 7C7DDA8D 4609CA70 972AB135 5899BA69 5CEB3D85 50C378E9 6AC3CB55
384E7C16 B9E62F58 2C330E7D CD54BE60 5DA0F0BA F5C104F8 9CBE3EA7 68430950
BD74B25F 8DD4DCB7 731AEE0D 8158952E 4A6D0212 44608CCA 0BBFB1F7 3744DCC5
19350203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 14726F75 7465722E 68347068 6F746F2E 636F2E75 6B301F06
03551D23 04183016 80147442 F82B37E2 14CB46C6 E5AF7E5F A8617A4A 912C301D
0603551D 0E041604 147442F8 2B37E214 CB46C6E5 AF7E5FA8 617A4A91 2C300D06
092A8648 86F70D01 01040500 03818100 268D58B9 5959742F E97F7A92 F0807EA1
956AEA40 A3A2EE29 63B30851 8B4BCF14 4D722C93 D2CDEE4A F506CCC9 237CE9CD
F541A75B 4C46D144 4A14BD59 FA30E47E C782AEC3 E61955E6 1BA2D104 DDF43B3B
FB0FD111 B1712DB8 E08C5A1C 40DA219C 95E8CF9D 8A79817B 553E9C90 64F0BB3C
EAB07126 F9D4FD0D 7C47E786 F0A19FB9
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.20
!
ip dhcp pool local-pool
import all
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
lease 6 23 59
!
!
ip cef
ip domain name h4photo.co.uk
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxxx privilege 15 password 0 xxxxxx
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
ip access-group 102 out
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Vlan1
ip address 192.168.4.1 255.255.255.224
ip access-group 101 in
ip mtu 1242
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
!
interface Vlan2
description vlan2
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description vlan3
ip address 192.168.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description vlan4
ip address 192.168.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description adsl dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1432
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxx@xxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
02-06-2012 03:16 PM
Sorry, me bad. I got my numbers wrong. The 870, when running IOS version 12.4, can support up to 4 VLANs.
02-06-2012 03:32 PM
On the vlan 1 interface on the router you have "ip access-group 101 in", but I see "access-list 100 ......". Does that access-group statement refer to acl 100?
Which is your management vlan?
02-06-2012 04:00 PM
Hi Eugen
I put the ip access-group 101 in as I was going to put in permissions once I got the system working, so it might be wrong. My management vlan is vlan 1.
Thanks for helping with this
Regards Robert
02-06-2012 04:33 PM
Then you have to change "ip access-group 101 in" to "ip access-group 100 in". The number has to match the ACL number.
Then the port that connects the switch to the router should be in trunking mode and assigned to vlan 1.
The other ports on the switch should be in access mode if they are edge ports (not connected to another switch) and assigned to their respective vlans.
02-06-2012 08:18 PM
hi robert,
how many VLANs do you intend to use? You need to run a trunk between your switch and the 877.
877(config)#int f0
877(config-if)#switchport mode trunk
877(config-if)#switchport trunk encapsulation dot1q
877(config-if)#switchport trunk allowed vlan 1,2,x..
another observation: your 877 needs a little tweaking, but we can do this later on once trunking is formed and working.
02-07-2012 03:05 AM
Hi John
Thanks for helping with this
I have made FastEthernet0 into a trunk port as requested. What I was hoping to do was to have 1 vlan for the local users to get the internet via the switch, and a second vlan coming off the router that could not see the local network but would have access to the internet via a wifi access point.
As far as tweaking the settings on the router goes, I would be extremely grateful for all the help I can get; the settings in the router are from books I bought on Amazon.
Here is the updated config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3755051922
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3755051922
revocation-check none
rsakeypair TP-self-signed-3755051922
!
!
crypto pki certificate chain TP-self-signed-3755051922
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373535 30353139 3232301E 170D3132 30313235 31343034
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37353530
35313932 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C047 3D12CA6C 6E0B81FD 92AE06A9 D9F5E328 E146A0B2 4CD14AFD 29912FA4
0993DC51 7C7DDA8D 4609CA70 972AB135 5899BA69 5CEB3D85 50C378E9 6AC3CB55
384E7C16 B9E62F58 2C330E7D CD54BE60 5DA0F0BA F5C104F8 9CBE3EA7 68430950
BD74B25F 8DD4DCB7 731AEE0D 8158952E 4A6D0212 44608CCA 0BBFB1F7 3744DCC5
19350203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13726F75 7465722E 73746576 656E736F 6E2E6363 301F0603
551D2304 18301680 147442F8 2B37E214 CB46C6E5 AF7E5FA8 617A4A91 2C301D06
03551D0E 04160414 7442F82B 37E214CB 46C6E5AF 7E5FA861 7A4A912C 300D0609
2A864886 F70D0101 04050003 8181003F 2C96E500 C37896E2 13EC8D93 6CB3F8AB
E9C51648 2D07D985 1D9F254B 974EF3C8 A9485CC7 A5F5F842 24BF32B1 07DB2834
B24A923A 131CF26E 6450C34B 5089C501 F78E5164 E9F6DCA7 B68AEBFE D4E98C4C
6A68AFA1 88686616 980DF38E AE213687 CD4685B5 A8B9DE4F F9223904 5D56423E
B57CC9A8 211D0264 D1FA64BE F77626
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.20
!
ip dhcp pool local-pool
import all
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
lease 6 23 59
!
!
ip cef
ip domain name h4photo.co.uk
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxx privilege 15 password 0 xxxxxx
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
switchport trunk allowed vlan 1,100,200,1002-1005
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Vlan1
ip address 192.168.4.1 255.255.255.224
ip mtu 1242
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
!
interface Dialer1
description adsl dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1432
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxx@xxxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxxxxxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
02-08-2012 05:43 PM
hi robert,
does your switch support 802.1Q trunks? If it does, try to configure it on both devices. Create an SVI on the 877 and this will be the default gateway for your layer 2 switch VLANs. Do note that a VLAN equals 1 subnet. Create a DHCP pool on the 877 for each VLAN created.
On your switch, add layer 2 VLANs and assign each interface to its VLAN.
We could later on isolate your wired users from the wifi using an ACL once you get these working.
877:
interface FastEthernet0
switchport trunk encapsulation dot1q
interface Vlan100
description Vlan100
ip address 192.168.100.1 255.255.255.0
interface Vlan200
description Vlan200
ip address 192.168.200.1 255.255.255.0
ip dhcp pool VLAN100
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
----
switch:
vlan database
vlan 100,200
interface gigabitethernet x
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,100,200,1002-1005
interface gigabitethernet x
switchport mode access
switchport access vlan 100
interface gigabitethernet x
switchport mode access
switchport access vlan 200
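Two consistency problems run through this thread: the ACL number referenced on Vlan1 ("ip access-group 101 in") does not match the ACL actually defined ("access-list 100"), and the proposed design relies on every VLAN allowed on the trunk having its own SVI and its own DHCP pool on the 877. The script below is an added example, not code from any of the posters or from Cisco: a small linter for IOS-style running configs that checks exactly those two things. SAMPLE_CONFIG is constructed from the thread's own snippets (with the indentation that `show running-config` prints restored); the check rules, function names and message wording are my own assumptions about what a useful check looks like, not an IOS feature.

```python
"""Consistency checks for an IOS-style running config (added example, not
from the thread). Two rules, both drawn from the discussion above:
  1. every `ip access-group N in|out` and `ip nat inside source list N`
     must reference an ACL that is actually defined (101 vs 100 mismatch);
  2. every VLAN allowed on the trunk must have an SVI with an IP address,
     and every SVI subnet must have a DHCP pool with exactly that network
     ("a VLAN equals 1 subnet", "a DHCP pool for each VLAN").
"""
import ipaddress
import re

# Constructed from the thread's router snippets; indentation restored.
SAMPLE_CONFIG = """\
ip dhcp pool local-pool
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
!
interface FastEthernet0
 switchport trunk allowed vlan 1,100,200,1002-1005
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.4.1 255.255.255.224
 ip access-group 101 in
 ip nat inside
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
"""

# FDDI/Token Ring VLANs that IOS always lists on a trunk; never expect an SVI.
LEGACY_VLANS = range(1002, 1006)


def parse_blocks(text):
    """Split a config into (header, [indented child lines]) blocks.
    A '!' line or a blank line closes the current block."""
    blocks, current = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw[0] in " \t":           # child line of the current block
            if current is not None:
                current[1].append(stripped)
            continue
        current = (stripped, [])
        blocks.append(current)
    return blocks


def expand_vlan_list(spec):
    """'1,100,200,1002-1005' -> {1, 100, 200, 1002, 1003, 1004, 1005}."""
    if spec in ("all", "none"):
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def lint(text):
    """Return a list of findings; an empty list means the config is consistent."""
    defined_acls, acl_refs, svis, trunk_vlans, pools = set(), [], {}, set(), []
    for header, body in parse_blocks(text):
        if m := re.match(r"access-list (\S+)", header):
            defined_acls.add(m.group(1))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", header):
            defined_acls.add(m.group(1))                      # named ACLs
        elif m := re.match(r"ip nat inside source list (\S+)", header):
            acl_refs.append(("ip nat inside source", m.group(1), "list"))
        elif header.startswith("ip dhcp pool"):
            for line in body:
                if m := re.match(r"network (\S+) (\S+)", line):
                    pools.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif header.startswith("interface "):
            name = header.split(None, 1)[1]
            for line in body:
                if m := re.match(r"ip access-group (\S+) (in|out)", line):
                    acl_refs.append((name, m.group(1), m.group(2)))
                elif m := re.match(r"switchport trunk allowed vlan (?:add )?(\S+)", line):
                    trunk_vlans |= expand_vlan_list(m.group(1))
                elif (m := re.match(r"ip address (\S+) (\S+)", line)) and name.lower().startswith("vlan"):
                    svis[int(name[4:])] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    findings = []
    for where, acl, direction in acl_refs:
        if acl not in defined_acls:
            findings.append(f"{where}: '{direction}' references undefined ACL {acl}")
    for vid in sorted(trunk_vlans - set(svis)):
        if vid not in LEGACY_VLANS:
            findings.append(f"VLAN {vid} is allowed on the trunk but has no SVI with an IP address")
    for vid, iface in sorted(svis.items()):
        if iface.network not in pools:
            findings.append(f"Vlan{vid}: subnet {iface.network} has no DHCP pool with exactly that network")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports the 101-vs-100 mismatch, that VLAN 200 is trunked without an SVI, and that neither SVI has a pool whose network matches it (Vlan1 is a /27 while the existing pool is a /24, and Vlan100 has no pool at all). Feed it the output of `show running-config` from the 877 after each change and the list should shrink to empty before the wired/wifi ACL is layered on top.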
02-09-2012 03:57 PM
Hi John
I will have a look at this over the weekend; I've been away from the office for most of today. The switch is a layer 3 switch; I used this video to set up the vlans on the switch.
https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=MC&rID=55688352&rKey=05e1fc5fff0d05da
So I guess that once I have the second vlan set up on the router, it is just a matter of allowing traffic to get to the vlans and restricting local traffic from the other vlan.
Thanks again for the help with this.
Regards Robert
02-24-2012 11:41 AM
Hi John
Sorry I have not got back to you in the last few weeks; my wife passed away on the 11th of Feb and it's been a bit hectic. Anyway, I still need to resolve this. I will have a look at where this is at tomorrow and report back.
Regards
Robert Thomsom