Inter-VLAN routing using a Cisco 877 and Cisco SG300-10 switch?

h4phototech
Level 1

Hi

I recently set up a small photography business and am trying to get a Cisco 877 and Cisco SG300-10 switch to talk to each other.

What I want is for the Cisco 877 to handle the internet and the SG300-10 to handle the local network.

I have set up two VLANs in trunk mode on the switch and want VLAN 2 to manage local traffic and VLAN 3 to handle the internet.

I have got the 877 connecting to the internet. What I don't have, and this is where I need some advice, is traffic going to VLAN 2 on the switch from the 877.

Can someone have a look at the running configs for the switch and the router and tell me how to get the VLAN on the router to pass traffic to the switch?

In a nutshell, I am inserting the internet into the switch but am not sure how to progress.

I have the c870-advipservicesk9 image file on the router.

Many thanks in advance

Switch Config

interface  gi2

description connection-to-data-vlan

exit

interface  gi3

description connection-to-internet-vlan

exit

vlan database

vlan 10,20

exit

voice vlan interface vlan 10

ip address 192.168.0.20 255.255.255.0

exit

interface vlan 20

ip address 192.168.4.2 255.255.255.0

exit

ip route 0.0.0.0 0.0.0.0 192.168.4.1 

bonjour interface range vlan 1

hostname switch

no snmp-server server

ip domain name h4photo

ip name-server  192.168.0.1

interface gigabitethernet1

switchport trunk native vlan 10

exit

interface gigabitethernet2

switchport trunk native vlan 10

exit

interface gigabitethernet3

switchport trunk native vlan 20

exit

interface gigabitethernet4

switchport trunk native vlan 10

exit

interface gigabitethernet5

switchport trunk native vlan 10

exit

interface gigabitethernet6

switchport trunk native vlan 10

exit

interface gigabitethernet7

switchport trunk native vlan 10

exit

interface gigabitethernet8

switchport trunk native vlan 10

exit

interface gigabitethernet9

switchport trunk native vlan 10

exit

interface gigabitethernet10

switchport trunk native vlan 10

exit

Router Config

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 51200 warnings

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-3755051922

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3755051922

revocation-check none

rsakeypair TP-self-signed-3755051922

!

!

crypto pki certificate chain TP-self-signed-3755051922

certificate self-signed 01

  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33373535 30353139 3232301E 170D3132 30313233 31333137

  31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37353530

  35313932 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100C047 3D12CA6C 6E0B81FD 92AE06A9 D9F5E328 E146A0B2 4CD14AFD 29912FA4

  0993DC51 7C7DDA8D 4609CA70 972AB135 5899BA69 5CEB3D85 50C378E9 6AC3CB55

  384E7C16 B9E62F58 2C330E7D CD54BE60 5DA0F0BA F5C104F8 9CBE3EA7 68430950

  BD74B25F 8DD4DCB7 731AEE0D 8158952E 4A6D0212 44608CCA 0BBFB1F7 3744DCC5

  19350203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603

  551D1104 17301582 13726F75 7465722E 73746576 656E736F 6E2E6363 301F0603

  551D2304 18301680 147442F8 2B37E214 CB46C6E5 AF7E5FA8 617A4A91 2C301D06

  03551D0E 04160414 7442F82B 37E214CB 46C6E5AF 7E5FA861 7A4A912C 300D0609

  2A864886 F70D0101 04050003 81810057 050EE540 8632C98F AF58E787 CAC33DAC

  44CB9105 4DE3647F 056E0738 480194C0 5F470423 4FA24495 11667953 302082BB

  EDED67FB F71E8DA1 AE8F84CC A561F8E4 EBFA5E27 3EA83D8C 31D70877 A69EAD34

  0217E823 198648F5 4091773D 49A771F6 A9630DB9 4D63A15A F7FDFE37 1C440A13

  43993D34 A3CC1B86 937AC423 6D74FB

      quit

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 192.168.4.1 192.168.4.20

!

ip dhcp pool local-pool

   import all

   network 192.168.4.0 255.255.255.0

   default-router 192.168.4.1

   lease 6 23 59

!

!

ip cef

ip domain name h4photo.co.uk

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

username xxxxxx privilege 15 password 0 xxxxxxx

!

!

!

archive

log config

  hidekeys

!

!

!

!

!

interface ATM0

no ip address

ip access-group 102 out

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description Vlan1

ip address 192.168.4.1 255.255.255.224

ip access-group 101 in

ip mtu 1242

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1200

!

interface Dialer1

description adsl dialer

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1432

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname xxxxxxxxxx@xxxxxxxxxxx

ppp chap password 0 xxxxxxxxxxxxxx

ppp ipcp dns request accept

ppp ipcp route default

ppp ipcp address accept

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 1 interface Dialer1 overload

!

access-list 1 permit 192.168.4.0 0.0.0.255

access-list 100 permit ip 192.168.4.0 0.0.0.255 any

no cdp run

!

!

!

!

!

control-plane

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

11 Replies

Leo Laohoo
Hall of Fame

If you are running IOS version 12.4 or 15.X in your 870 router, this limits the number of VLANs supported to TWO (2), with VLAN 1 included.

If you want to run more than 2 VLANs then you need to downgrade the IOS to 12.3.

Hi Leolaohoo

Thanks for the reply. I am a bit confused here: I added 3 more VLANs on the 877 without any problem (see startup-config below). Are you saying that even though I can add up to 4 VLANs, what I want to do will not work with IOS 12.4 and I will need to go to 12.3?

I thought that if one has ADVANCED IP SERVICES there are 4 VLANs available, and if one has ADVANCED SECURITY you only have 2 VLANs.

Why do I need more than 1 working VLAN on the router? Is it not possible for all traffic in the 192.168.0.0 range to be handled by the switch, and anything not meant for the 192.168.0.0 network to go out to the router?

I am sure this is not difficult to do; maybe you could point me to an example of how to configure this.

Regards Robert

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 51200 warnings

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-3755051922

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3755051922

revocation-check none

rsakeypair TP-self-signed-3755051922

!

!

crypto pki certificate chain TP-self-signed-3755051922

certificate self-signed 01

  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33373535 30353139 3232301E 170D3132 30313234 32323432

  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37353530

  35313932 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100C047 3D12CA6C 6E0B81FD 92AE06A9 D9F5E328 E146A0B2 4CD14AFD 29912FA4

  0993DC51 7C7DDA8D 4609CA70 972AB135 5899BA69 5CEB3D85 50C378E9 6AC3CB55

  384E7C16 B9E62F58 2C330E7D CD54BE60 5DA0F0BA F5C104F8 9CBE3EA7 68430950

  BD74B25F 8DD4DCB7 731AEE0D 8158952E 4A6D0212 44608CCA 0BBFB1F7 3744DCC5

  19350203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603

  551D1104 18301682 14726F75 7465722E 68347068 6F746F2E 636F2E75 6B301F06

  03551D23 04183016 80147442 F82B37E2 14CB46C6 E5AF7E5F A8617A4A 912C301D

  0603551D 0E041604 147442F8 2B37E214 CB46C6E5 AF7E5FA8 617A4A91 2C300D06

  092A8648 86F70D01 01040500 03818100 268D58B9 5959742F E97F7A92 F0807EA1

  956AEA40 A3A2EE29 63B30851 8B4BCF14 4D722C93 D2CDEE4A F506CCC9 237CE9CD

  F541A75B 4C46D144 4A14BD59 FA30E47E C782AEC3 E61955E6 1BA2D104 DDF43B3B

  FB0FD111 B1712DB8 E08C5A1C 40DA219C 95E8CF9D 8A79817B 553E9C90 64F0BB3C

  EAB07126 F9D4FD0D 7C47E786 F0A19FB9

      quit

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 192.168.4.1 192.168.4.20

!

ip dhcp pool local-pool

   import all

   network 192.168.4.0 255.255.255.0

   default-router 192.168.4.1

   lease 6 23 59

!

!

ip cef

ip domain name h4photo.co.uk

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

username xxxxxx privilege 15 password 0 xxxxxx

!

!

!

archive

log config

  hidekeys

!

!

!

!

!

interface ATM0

no ip address

ip access-group 102 out

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description Vlan1

ip address 192.168.4.1 255.255.255.224

ip access-group 101 in

ip mtu 1242

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1200

!

interface Vlan2

description vlan2

ip address 192.168.5.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan3

description vlan3

ip address 192.168.6.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan4

description vlan4

ip address 192.168.7.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Dialer1

description adsl dialer

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1432

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname xxxxxxx@xxxxxxxxxxxx

ppp chap password 0 xxxxxxxxxxx

ppp ipcp dns request accept

ppp ipcp route default

ppp ipcp address accept

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 1 interface Dialer1 overload

!

access-list 1 permit 192.168.4.0 0.0.0.255

access-list 100 permit ip 192.168.4.0 0.0.0.255 any

no cdp run

!

!

!

!

!

control-plane

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

Sorry, my bad. I got my numbers wrong. The 870, when running IOS version 12.4, can support up to 4 VLANs.

On the vlan 1 interface on the router you have "ip access-group 101 in", but I see "access-list 100 ......". Does that access-group statement refer to ACL 100?

Which is your management vlan?

Hi Eugen

I put in ip access-group 101 as I was going to put in permissions once I got the system working, so it might be wrong. My management vlan is vlan 1.

Thanks for helping with this

Regards Robert

Then you have to change "ip access-group 101 in" to "ip access-group 100 in". The number has to match the ACL number.

Then the port that connects the switch to the router should be in trunking mode and assigned to vlan 1.

The other ports on the switch should be in access mode if they are edge ports (not connected to another switch) and assigned to their respective vlans.

Hi Robert,

How many VLANs do you intend to use? You need to run a trunk between your switch and 877.

877(config)#int f0

877(config-if)#switchport mode trunk

877(config-if)#switchport trunk encapsulation dot1q

877(config-if)#switchport trunk allowed vlan 1,2,x..

Another observation: your 877 needs a little tweaking, but we can do this later on once trunking is formed and working.

Hi John

Thanks for helping with this

I have made FastEthernet0 into a trunk port as requested. What I was hoping to do was to have one VLAN for the local users to get the internet via the switch, and a second VLAN coming off the router that could not see the local network but had access to the internet via a wifi access point.

As far as tweaking the settings on the router goes, I would be extremely grateful for all the help I can get; the settings in the router are from books I bought on Amazon.

Here is the updated config

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 51200 warnings

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-3755051922

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3755051922

revocation-check none

rsakeypair TP-self-signed-3755051922

!

!

crypto pki certificate chain TP-self-signed-3755051922

certificate self-signed 01

  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33373535 30353139 3232301E 170D3132 30313235 31343034

  32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37353530

  35313932 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100C047 3D12CA6C 6E0B81FD 92AE06A9 D9F5E328 E146A0B2 4CD14AFD 29912FA4

  0993DC51 7C7DDA8D 4609CA70 972AB135 5899BA69 5CEB3D85 50C378E9 6AC3CB55

  384E7C16 B9E62F58 2C330E7D CD54BE60 5DA0F0BA F5C104F8 9CBE3EA7 68430950

  BD74B25F 8DD4DCB7 731AEE0D 8158952E 4A6D0212 44608CCA 0BBFB1F7 3744DCC5

  19350203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603

  551D1104 17301582 13726F75 7465722E 73746576 656E736F 6E2E6363 301F0603

  551D2304 18301680 147442F8 2B37E214 CB46C6E5 AF7E5FA8 617A4A91 2C301D06

  03551D0E 04160414 7442F82B 37E214CB 46C6E5AF 7E5FA861 7A4A912C 300D0609

  2A864886 F70D0101 04050003 8181003F 2C96E500 C37896E2 13EC8D93 6CB3F8AB

  E9C51648 2D07D985 1D9F254B 974EF3C8 A9485CC7 A5F5F842 24BF32B1 07DB2834

  B24A923A 131CF26E 6450C34B 5089C501 F78E5164 E9F6DCA7 B68AEBFE D4E98C4C

  6A68AFA1 88686616 980DF38E AE213687 CD4685B5 A8B9DE4F F9223904 5D56423E

  B57CC9A8 211D0264 D1FA64BE F77626

      quit

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 192.168.4.1 192.168.4.20

!

ip dhcp pool local-pool

   import all

   network 192.168.4.0 255.255.255.0

   default-router 192.168.4.1

   lease 6 23 59

!

!

ip cef

ip domain name h4photo.co.uk

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

username xxxxx privilege 15 password 0 xxxxxx

!

!

!

archive

log config

  hidekeys

!

!

!

!

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

switchport trunk allowed vlan 1,100,200,1002-1005

switchport mode trunk

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description Vlan1

ip address 192.168.4.1 255.255.255.224

ip mtu 1242

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1200

!

interface Dialer1

description adsl dialer

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1432

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname xxxxx@xxxxxxxxxx

ppp chap password 0 xxxxxxxxxxxxxxxxx

ppp ipcp dns request accept

ppp ipcp route default

ppp ipcp address accept

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 1 interface Dialer1 overload

!

access-list 1 permit 192.168.4.0 0.0.0.255

access-list 100 permit ip 192.168.4.0 0.0.0.255 any

no cdp run

!

!

!

!

!

control-plane

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

Hi Robert,

Does your switch support 802.1Q trunking? If it does, try to configure it on both devices. Create an SVI on the 877; this will be the default gateway for your layer 2 switch VLANs. Do note that a VLAN equals one subnet. Create a DHCP pool on the 877 for each VLAN created.

On your switch, add layer 2 VLANs and assign each interface to its VLAN.

We could later on isolate your wired users from the wifi using an ACL once you get these working.

877:

interface FastEthernet0

switchport trunk encapsulation dot1q

interface Vlan100

description Vlan100

ip address 192.168.100.1 255.255.255.0

interface Vlan200

description Vlan200

ip address 192.168.200.1 255.255.255.0

ip dhcp pool VLAN100

import all

network 192.168.100.0 255.255.255.0

default-router 192.168.100.1

----

switch:

vlan database

vlan 100,200

interface gigabitethernet x

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 1,100,200,1002-1005

interface gigabitethernet x

switchport mode access

switchport access vlan 100

interface gigabitethernet x

switchport mode access

switchport access vlan 200
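Eugen's point earlier in the thread (an applied ACL number with no matching access-list) and the one-VLAN-one-subnet, one-DHCP-pool-per-VLAN layout John describes above are both things a script can check before a config goes onto the router. The Python below is an added example for this thread, not code from the original posts or from Cisco. It parses a constructed excerpt modelled on the posted 877 config plus the proposed Vlan100 SVI and reports: (1) ACL references with no definition, which matter because IOS applies no filter when the referenced ACL does not exist, so the posted `access-class 23` on the vty lines and `ip access-group 101 in` on Vlan1 restrict nothing; (2) ACLs defined but never applied; (3) an `ip nat inside` SVI whose subnet is not covered by the NAT source list (the posted `access-list 1` only covers 192.168.4.0/24, so a new VLAN would never be translated); and (4) a DHCP pool whose network does not match its SVI (the posted Vlan1 is a /27 while local-pool hands out a /24). The function names, finding codes and the sample text are my assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt modelled on the 877 config posted in this thread (Vlan1, the
# numbered ACLs and the vty/http access-class are as posted; the Vlan100 SVI and
# its DHCP pool follow the proposal above). Not a real device dump.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.4.1 255.255.255.224
 ip access-group 101 in
 ip nat inside
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
ip dhcp pool local-pool
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
!
ip dhcp pool VLAN100
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
!
ip nat inside source list 1 interface Dialer1 overload
ip http access-class 23
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
line vty 0 4
 access-class 23 in
"""


def parse_config(text):
    """One pass over an IOS-style config. Keyed on command keywords rather than
    indentation, because configs pasted into a forum usually lose their leading spaces."""
    f = {"acls": defaultdict(list), "refs": [], "interfaces": {}, "pools": {}, "nat_acl": None}
    section = None  # ("interface" | "pool" | "line", name) for the block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"interface (\S+)$", line):
            section = ("interface", m[1])
            f["interfaces"][m[1]] = {"addr": None, "nat_inside": False}
        elif m := re.match(r"ip dhcp pool (\S+)$", line):
            section = ("pool", m[1])
            f["pools"][m[1]] = {"network": None, "gateway": None}
        elif m := re.match(r"line (.+)$", line):
            section = ("line", m[1])
        elif m := re.match(r"access-list (\d+) ", line):
            nets = f["acls"].setdefault(m[1], [])  # defined even if the entry is "permit any"
            if n := re.match(r"access-list \d+ permit (?:ip )?(\d[\d.]*) (\d[\d.]*)", line):
                # wildcard mask; 0.0.0.0 would be read as a /0 netmask, so spell out the host
                wild = "32" if n[2] == "0.0.0.0" else n[2]
                nets.append(ipaddress.ip_network(f"{n[1]}/{wild}", strict=False))
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            f["nat_acl"] = m[1]
            f["refs"].append(("ip nat inside source", m[1]))
        elif m := re.match(r"ip http access-class (\S+)$", line):
            f["refs"].append(("ip http", m[1]))
        elif section and section[0] == "interface":
            itf = f["interfaces"][section[1]]
            if m := re.match(r"ip address (\d[\d.]*) (\d[\d.]*)$", line):
                itf["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")  # dotted netmask
            elif line == "ip nat inside":
                itf["nat_inside"] = True
            elif m := re.match(r"ip access-group (\S+) (in|out)$", line):
                f["refs"].append((f"interface {section[1]} {m[2]}", m[1]))
        elif section and section[0] == "pool":
            if m := re.match(r"network (\S+) (\S+)$", line):
                f["pools"][section[1]]["network"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif m := re.match(r"default-router (\S+)$", line):
                f["pools"][section[1]]["gateway"] = ipaddress.ip_address(m[1])
        elif section and section[0] == "line":
            if m := re.match(r"access-class (\S+) in$", line):
                f["refs"].append((f"line {section[1]}", m[1]))
    return f


def audit(text):
    """Return findings as 'CODE detail' strings; an empty list means every check passed."""
    f = parse_config(text)
    findings = []
    # 1. Dangling references: IOS does not filter on an ACL that does not exist, so the
    #    interface filter and the vty/http restriction are silently not in effect.
    for where, acl in f["refs"]:
        if acl not in f["acls"]:
            findings.append(f"UNDEFINED_ACL {where} -> {acl}")
    # 2. Defined but never applied: usually the other half of a 100-vs-101 typo.
    used = {acl for _, acl in f["refs"]}
    findings += [f"UNUSED_ACL {acl}" for acl in f["acls"] if acl not in used]
    # 3. Every "ip nat inside" SVI must fall inside the NAT source list, or the VLAN
    #    gets a gateway and leases but its traffic is never translated.
    nat_nets = f["acls"].get(f["nat_acl"], [])
    for name, itf in f["interfaces"].items():
        if itf["nat_inside"] and itf["addr"] is not None:
            if not any(itf["addr"].network.subnet_of(n) for n in nat_nets):
                findings.append(f"NAT_NOT_COVERED {name} {itf['addr'].network}")
    # 4. One VLAN = one subnet: a pool must hand out its SVI's own subnet and gateway.
    svi = {i["addr"].network: i["addr"].ip for i in f["interfaces"].values() if i["addr"]}
    for pool, p in f["pools"].items():
        if p["network"] not in svi:
            findings.append(f"POOL_SUBNET_MISMATCH {pool} {p['network']}")
        elif p["gateway"] != svi[p["network"]]:
            findings.append(f"POOL_GATEWAY_MISMATCH {pool} {p['gateway']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Replace SAMPLE_CONFIG with the text of your own `show running-config` to check a real box; the checks only look at numbered ACLs, SVIs, DHCP pools and the NAT source list, so the rest of the config is ignored.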

Hi John

I will have a look at this over the weekend; I have been away from the office for most of today. The switch is a layer 3 switch; I used this video to set up the VLANs on the switch.

https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=MC&rID=55688352&rKey=05e1fc5fff0d05da

So I guess that once I have the second VLAN set up on the router, it is just a matter of allowing traffic to get to the VLANs and restricting local traffic from the other VLAN.

Thanks again for the help with this.

Regards Robert

Hi John

Sorry I have not got back to you in the last few weeks; my wife passed away on the 11th of Feb and it's been a bit hectic. Anyway, I still need to resolve this. I will have a look at where this is at tomorrow and report back.

Regards

Robert Thomsom
