Cisco Support Community
One Router Single Switch Multiple VLan

Hi Team,

We have one ISR2951 with LAN: 192.168.1.1 (DHCP server enabled - 192.168.1.10 - 192.168.1.250)

And a Cisco SG300 switch with

VLAN1 (default) 192.168.1.254
VLAN10 192.168.10.254
VLAN20 192.168.20.254
VLAN30 192.168.30.254

I made it in such a way that Port 1 is the trunk port and I tagged VLAN10, 20 and 30 to it.

Inter-VLAN routing is happening, meaning I can ping any machine connected to any of the VLANs from the router and vice versa, and also between VLANs.

But only when I'm on VLAN1 am I getting internet...

And when I do DHCP relay on VLAN10, 20 and 30 I'm not getting any IP from the router.

I even tried to enable ip helper on VLAN10, 20 and 30 but it says wrong IP address.

And I created ip routes for VLAN10, 20 and 30 on the router.

Will it be possible for the router DHCP to relay DHCP to all the VLANs at the same time... and get internet?

Physical connection is this way:

Router LAN port connected to switch trunk port 1 (VLAN1), and VLAN10, 20, 30 are tagged to VLAN1. I want the router to relay DHCP on VLAN 10, 20 and 30 also, and all the devices connected to the VLANs should get internet... from the router...

Will this be possible, or do I need additional ports on the router for VLAN10, 20 and 30? Please help.


20 REPLIES


"will it be possible for the router dhcp to relay dhcp to all the VLANs at the same time ...and get internet.."

Yes. Can you post your config?

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member


Router config:

 

!
interface GigabitEthernet0/0
 ip address 115.111.5.34 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.3.254
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list local interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 115.111.5.33
ip route 192.168.1.0 255.255.255.0 192.168.10.254
ip route 192.168.1.0 255.255.255.0 192.168.20.254
ip route 192.168.1.0 255.255.255.0 192.168.30.254
ip route 192.168.10.0 255.255.255.0 192.168.1.254
ip route 192.168.10.0 255.255.255.0 192.168.20.254
ip route 192.168.10.0 255.255.255.0 192.168.30.254
ip route 192.168.20.0 255.255.255.0 192.168.1.254
ip route 192.168.20.0 255.255.255.0 192.168.30.254
ip route 192.168.20.0 255.255.255.0 192.168.10.254
ip route 192.168.30.0 255.255.255.0 192.168.1.254
ip route 192.168.30.0 255.255.255.0 192.168.20.254
ip route 192.168.30.0 255.255.255.0 192.168.10.254
!
ip access-list extended local
 permit ip 192.168.1.0 0.0.0.255 any


New Member


My switch config:

sh run
config-file-header
switchc07ce5
v1.4.0.88 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
port jumbo-frame
vlan database
vlan 10,20,30
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switchc07ce5
no passwords complexity enable
username cisco password encrypted 1925528a0e57fde994284bd9d51d23d237dc28a1 privilege 15
ip ssh server
no ip http server
!
interface vlan 1
 ip address 192.168.1.254 255.255.255.0
 no ip address dhcp
!
interface vlan 10
[the lines from "interface vlan 10" up to "interface gigabitethernet6" are garbled in the original paste]
!
interface gigabitethernet6
 switchport mode access
!
interface gigabitethernet7
 switchport trunk allowed vlan add 10
!
interface gigabitethernet8
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet9
 switchport trunk allowed vlan add 20
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet11
 switchport trunk allowed vlan add 30
!
interface gigabitethernet12
 switchport mode access
 switchport access vlan 30
!
interface gigabitethernet13
 switchport mode access
!
interface gigabitethernet14
 switchport mode access
!
interface gigabitethernet15
 switchport mode access
!
interface gigabitethernet16
 switchport mode access
!
interface gigabitethernet17
 switchport mode access
!
interface gigabitethernet18
 switchport mode access
!
interface gigabitethernet19
 switchport mode access
!
interface gigabitethernet20
 switchport mode access
!
interface gigabitethernet21
 switchport mode access
!
interface gigabitethernet22
 switchport mode access
!
interface gigabitethernet23
 switchport mode access
!
interface gigabitethernet24
 switchport mode access
!
interface gigabitethernet25
 switchport mode access
!
interface gigabitethernet26
 switchport mode access
!
interface gigabitethernet27
 switchport mode access
!
interface gigabitethernet28
 switchport mode access
!
exit
ip helper-address all 192.168.1.1 37 42 49 53 137 138
ip default-gateway 192.168.1.1


interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.3.254
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

Is your helper address supposed to be 192.168.30.254? I don't see a route for 192.168.3.x on the router, so it's going to try to send that traffic out of the WAN interface, which will fail. And as Rick said, you don't have anything configured for VLANs on the router unless you didn't post that config. You'll have to have subinterfaces encapsulated for the appropriate VLAN:

int g0/1.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
int g0/1.20
 encapsulation dot1q 20
etc...

You can't route between VLANs without something doing the routing for you. The switch can have the VLANs on it, but you'd only be able to talk between hosts in the same VLAN. To route between them, you'll need to configure the above on your router.

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

And along with that you have to consider the points below as well:

1. The trunk on the switch port which is hooked to the router should allow all the VLANs, i.e. 10, 20, 30.

2. Enable the ip helper-address command on each subinterface.

3. You should add the remaining subnets to the local access-list, i.e.

permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.30.0 0.0.0.255 any

4. And I forgot to mention, you have to enable the ip nat inside command on each subinterface.

 

 

 

 

New Member

Re: And along with that you have

Very helpful, ip nat inside worked for me on fa0/1.2.

Hall of Fame Super Gold


Other than some route statements I do not see anything in the router config that relates to vlans 10, 20, and 30. And the only address translation configured is for 192.168.1.0. Both of these things impact the ability of the other vlans to get to the Internet.

 

HTH

 

Rick

New Member

What does your topology look like?

New Member

Thank you guys.... the switch is in L3 mode and VLAN1, 10, 20 and 30 are all members, so I'm able to ping between VLAN1, 10, 20, 30 and also able to ping the default router IP, which is 192.168.1.1.

And what we require is something like this: the router will act as the DHCP server for all the VLANs, and when any device connected to any of the VLANs needs internet the router will do the routing, while communication from VLAN to VLAN will happen at the switch level...

Is this possible...?

 

 

Hall of Fame Super Gold


If the switch is operating as a layer 3 switch and doing the intervlan routing then this explains a lot about the issue. And the biggest problem is that you have not configured any address translation for the other networks. You need to add those other networks to your address translation if they are to get out to the Internet.

 

I also believe that there are issues with some of the static routes that you configured.

ip route 192.168.1.0 255.255.255.0 192.168.10.254

ip route 192.168.1.0 255.255.255.0 192.168.20.254

ip route 192.168.1.0 255.255.255.0 192.168.30.254

what are these routes trying to do? Why would you try to route your locally connected subnet to the remote networks?

ip route 192.168.10.0 255.255.255.0 192.168.20.254

ip route 192.168.10.0 255.255.255.0 192.168.30.254

And why would you try to route the remote networks to the other remote networks? That routing is being done on the layer 3 switch.

 

HTH

 

Rick

New Member

Hi Rick... Thank you...

VLAN 1 interface is 192.168.1.254
VLAN10 = 192.168.10.254
VLAN20 = 192.168.20.254
VLAN30 = 192.168.20.254

ip route 192.168.1.0 255.255.255.0 192.168.10.254
ip route 192.168.1.0 255.255.255.0 192.168.20.254
ip route 192.168.1.0 255.255.255.0 192.168.30.254
ip route 192.168.10.0 255.255.255.0 192.168.1.254
ip route 192.168.20.0 255.255.255.0 192.168.1.254
ip route 192.168.30.0 255.255.255.0 192.168.1.254

If I don't enable this on the router I'm unable to ping the router LAN IP 192.168.1.1 from VLANs 10, 20 and 30, so I added the above routes to the router running-config.

Now I'm able to get DHCP from the router but not internet... can you please help me again...

 

 

Hall of Fame Super Gold


I can see the purpose for these 3 static routes

ip route 192.168.10.0 255.255.255.0 192.168.1.254

ip route 192.168.20.0 255.255.255.0 192.168.1.254

ip route 192.168.30.0 255.255.255.0 192.168.1.254

but the other static routes do not make sense to me. If you believe that they are valid then please explain what purpose they serve in the configuration.

 

I have already pointed out twice that you have not configured any address translation for the addresses in vlan 10, 20, and 30. Without address translation these users can not access the Internet. So now for the third time I am telling you that your problem is the lack of address translation for those vlans.

 

HTH

 

Rick
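The arrangement the thread converges on, with the SG300 in layer 3 mode routing between the VLANs and the ISR providing DHCP and NAT, written out as an added example rather than either poster's configuration. It covers the NAT access-list and per-VLAN DHCP points from the earlier checklist together with the three return routes Rick accepts; it assumes the addresses used in the thread, and the DNS server address is a placeholder.

```cisco
! ===== ISR 2951: DHCP server and NAT, no subinterfaces needed =====
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
! The existing 192.168.1.0 pool stays. One extra pool per VLAN: the SG300
! relays requests with giaddr set to its SVI address, which selects the pool.
ip dhcp excluded-address 192.168.10.254
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server <DNS_SERVER_IP>
ip dhcp excluded-address 192.168.20.254
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254
 dns-server <DNS_SERVER_IP>
ip dhcp excluded-address 192.168.30.254
ip dhcp pool VLAN30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
 dns-server <DNS_SERVER_IP>
! Return routes: every VLAN subnet sits behind the switch's VLAN 1 SVI.
! No other static routes; the switch, not the router, routes VLAN to VLAN.
ip route 0.0.0.0 0.0.0.0 115.111.5.33
ip route 192.168.10.0 255.255.255.0 192.168.1.254
ip route 192.168.20.0 255.255.255.0 192.168.1.254
ip route 192.168.30.0 255.255.255.0 192.168.1.254
! Every subnet that must reach the Internet has to match the NAT ACL.
ip access-list extended local
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
ip nat inside source list local interface GigabitEthernet0/0 overload
!
! ===== SG300 in router (layer 3) mode =====
vlan database
 vlan 10,20,30
exit
! The uplink to the ISR carries VLAN 1 only; tagging 10/20/30 on it is unnecessary.
interface gigabitethernet1
 switchport mode access
! DHCP relay is a separate feature on the SG300 (ip helper-address does not
! carry port 67): enable it globally and on each SVI that needs it.
ip dhcp relay address 192.168.1.1
ip dhcp relay enable
interface vlan 1
 ip address 192.168.1.254 255.255.255.0
interface vlan 10
 ip address 192.168.10.254 255.255.255.0
 ip dhcp relay enable
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip dhcp relay enable
interface vlan 30
 ip address 192.168.30.254 255.255.255.0
 ip dhcp relay enable
! Everything the switch cannot route locally goes to the ISR.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```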

 

New Member

Thank you Rick for all the help.... now I get DHCP from the router and internet on all the VLANs... :-)

One more doubt though:

How can I make the router give out DHCP scope 192.168.1.0 to all the VLANs irrespective of the VLAN interface IP....

Thank you again for your help...

Cisco Employee


Generally speaking, you can't.  The whole point of VLANs is to segregate traffic.  Each VLAN has its own subnet.  When the router receives a packet for routing, it looks at the destination IP.  It figures out which subnet that IP belongs to and sends the packet to the next hop for that subnet.  So if the router receives a packet for 192.168.10.15, for example, it sees that the packet is being sent to an ip in subnet 192.168.10.0/24, checks the routing table and sees that the next hop for that subnet is 192.168.10.1 and forwards the packet to that IP for processing.  If the IP is destined for 192.168.1.15 and you had that subnet spread throughout the VLANs, how would the router know which SVI to send the packet to?  Furthermore, if the router somehow forwarded the packet to the SVI, it would look at it, say "This isn't in my subnet, so I can't deal with it.  I'll just send it back to the router."

 

If you want everyone in a common subnet, then just put everyone in the same VLAN and simplify your configuration.  If for some reason you need to restrict yourself to the 192.168.1 range and want to segregate traffic, you can subnet the class C range, say into four /26 subnets.  If there's some real need to segregate traffic and maintain a single common subnet, you can look into private VLANs but that's a bit more complex topic.

New Member

Thank you danjone3... the reason I ask is mainly due to IP roaming...

We have 4 access points and I want each access point to have its own VLAN... but when we put it that way, wifi users, when they roam from one AP to another, have their connection reset as they move to a different VLAN.... If it is possible for the router to give out a single DHCP scope to multiple VLANs, I'm thinking maybe users won't get disconnected.

We do have an IP roaming option on our access points; not sure if that option will fix the issue though...

Cisco Employee


First, is there a legitimate reason you need to have each AP on a different VLAN?  The common practice is to have a separate VLAN for wireless traffic and to put all of the APs on that VLAN.  Large organizations with many wireless users may use multiple wireless VLANs, of course.  You can also create multiple wireless VLANs to segregate traffic, such as having a public VLAN for guests and a second VLAN for dedicated employees.  With Cisco APs, the VLAN is associated with the SSID and you broadcast multiple SSIDs for different purposes, with authentication configured to limit who can access the restricted SSIDs.  Take a look at your requirements and consider whether having each AP in a different subnet is required to meet your purposes, or whether you can meet those needs in a different manner, such as having multiple SSIDs.

As for roaming, are you using lightweight APs with a WLAN controller or autonomous APs?  If you're using LAPs with a WLC, you can allow roaming between subnets.  Essentially, when the wireless client hops to a new LAP in a different subnet, it retains its original IP and the traffic is tunneled to the original WLC if necessary and placed in the correct VLAN for that subnet.  I don't believe seamless layer 3 roaming is possible between autonomous APs in different subnets but wireless isn't my specialty, so don't take that as gospel.

New Member

For now I believe associating a VLAN with the SSID should work...

I did run through the Cisco IP mobility doc.....

Hall of Fame Super Gold


Thanks for the update. I am glad to hear that you are getting DHCP from the router and Internet for all the VLANs. As Danjone3 has explained you can not use the same DHCP scope for different VLANs. Each VLAN requires its own unique scope.

 

Depending on what your requirements are it could work well with the 4 networks that you appear to have configured. Or as Danjone3 has suggested if your requirements are to have everything in network 192.168.1.0 then it would be possible to subnet that network into 4 subnets and make each scope to be one of the subnets.

 

HTH

 

Rick

Cisco Employee

Your router config is abbreviated, so I can't see exactly what you're trying to do, but based on your description you have a single DHCP scope for 192.168.1.0/24 and you're trying to put hosts using that single subnet into different VLANs where the SVIs have IP addresses assigned from different subnets. Am I reading your post correctly?

New Member

Danjone, assigning the 192.168.1.0 address to all the VLANs is what I planned initially, but I can't seem to make it work, so I created a DHCP pool for VLAN10 (192.168.10.0), VLAN20 (192.168.20.0) and VLAN30 (192.168.30.0) on the router....
