10-04-2007 07:48 AM - edited 03-05-2019 06:53 PM
Greeting,
In my test lab, I have one 1811, 2950 and AP 1242.
AP 1242 has two VLANs associated with 2 SSIDs. And I built the trunk port to 2950. And from 2950 I built a trunk port to 1811. Both use encapsulation dot1q by default. In my 1811, I have two DHCP pools for those SSIDs. I can get IP addresses from the pools once I sign in with a different SSID. The problem is I cannot ping outside from my inside interface. Please help.
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1
ip dhcp excluded-address 10.10.30.1
!
ip dhcp pool internal
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
!
ip dhcp pool guest
 network 10.10.30.0 255.255.255.0
 default-router 10.10.30.1
 dns-server 12.127.xx.xx 12.127.xx.xx
!
!
interface Loopback0
 ip address 10.10.100.255 255.255.255.255
!
interface FastEthernet0
 ip address 12.107.xxx.xxx 255.255.255.224
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1.1
 description Internal VLAN
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet1.2
 description guest vlan 30
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 switchport mode trunk
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
!
interface Async1
 no ip address
 encapsulation slip
!
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 10.10.20.0 0.0.0.255
 network 10.10.30.0 0.0.0.255
 network 10.10.100.255 0.0.0.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 12.107.yyy.yyy
ip route 10.10.10.0 255.255.255.0 12.107.yyy.yyy
ip route 10.10.10.0 255.255.255.0 FastEthernet1
!
=====
1. I can ping internet from fe0. I can ping fe0 from fe1. But I cannot ping my default gateway from fe1 or loop0. What did I miss?
2. How do I make sure vlan 30 does not talk to vlan 20 or vlan 1 but vlan 20 talks to vlan 1?
thanks for your help!!!
10-04-2007 09:37 AM
Hi
What is fa8 connected to? Is this the trunk connection to the switch? If so you need to connect the fa1 interface to the 2950 on that port, not fa8.
Not sure why you have 3 static routes on the router; you only need the default route.
Fa1 should not have an ip address on it - ie what is 10.10.10.0/24 used for, is this vlan 1 ?
To restrict access you would use ACLs on the subinterfaces:
access-list 101 deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip any any
int fa1.2
ip access-group 101 in
HTH
Jon
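The first-match behaviour of the ACL in the reply above, modelled in Python as an added example (not part of the original post and not Cisco code). The host addresses in the sample packets are constructed, and 198.51.100.9 is a documentation address standing in for an outside host.

```python
import ipaddress

# ACL 101 from the reply, as (action, src, src_wildcard, dst, dst_wildcard).
# "any" is equivalent to address 0.0.0.0 with wildcard 255.255.255.255.
ACL_101 = [
    ("deny",   "10.10.30.0", "0.0.0.255", "10.10.10.0", "0.0.0.255"),
    ("deny",   "10.10.30.0", "0.0.0.255", "10.10.20.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """Return (action, entry number); the first matching entry wins.
    An ACL with no matching entry ends in an implicit deny."""
    for number, (action, s, sw, d, dw) in enumerate(acl, start=1):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, number
    return "deny", None

# Constructed packets as they would arrive inbound on fa1.2 (VLAN 30).
SAMPLES = [
    ("10.10.30.50", "10.10.10.5"),    # guest -> VLAN 1
    ("10.10.30.50", "10.10.20.7"),    # guest -> VLAN 20, including replies
    ("10.10.30.50", "10.10.30.1"),    # guest -> its own default gateway
    ("10.10.30.50", "198.51.100.9"),  # guest -> outside host
    ("0.0.0.0", "255.255.255.255"),   # DHCP discover from a new guest client
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        action, entry = evaluate(ACL_101, src, dst)
        print(f"{src:>15} -> {dst:<15} {action:6} (entry {entry})")
```

Because the list is applied inbound on fa1.2 only, it filters what VLAN 30 sends: a packet from VLAN 20 to VLAN 30 is not checked by it, but the reply from VLAN 30 matches entry 2 and is dropped. Traffic between VLAN 20 and VLAN 1 never crosses fa1.2 inbound and is unaffected.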
10-04-2007 10:06 AM
Thank you very much for the reply.
10.10.10/24 vlan1
10.10.20/24 vlan 20
10.10.30/24 vlan 30
Before, I did another test with a trunk connection to the switch via fa8 (I shut down fa1) and enabled three VLAN interfaces 1, 20 and 30. But it still did not work. I also took out the fa1 IP address one time and it still did not work.
Right now switch is connecting to fa1 via dot1q trunking port. It seems both fa0 and fa1 cannot talk to each other.
thanks!