02-25-2004 03:40 AM - edited 03-02-2019 01:49 PM
was tasked to implement internet access in a hotel
due to budget constraints this can only be done with a 1721 router and 6 2900 series xl switches.
1) the router should provide ip address for all host
2) host should not be able to see each other
i am posting my config for the router and switches.
problem number
clients can not obtain ip address therefore can not surf the web
can anyone tell me what i am doing wrong?
thank you
router
ip dhcp pool 2
network 10.10.10.0 255.255.255.224
domain-name
dns-server 0.0.0.0 0.0.0.0
default-router 10.10.10.1
lease 0 0 1
!
ip dhcp pool 3
network 10.10.11.0 255.255.255.0
domain-namet
dns-server 0.0.0.0 0.0.0.0
default-router 10.10.11.1
lease 0 0 1
interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 10.10.9.1 255.255.255.224
ip nat inside
!
interface FastEthernet0.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.224
ip nat inside
interface Serial0
no ip address
ip nat outside
encapsulation frame-relay IETF
no keepalive
service-module t1 timeslots 9-24
!
interface Serial0.1 point-to-point
ip address 0.0.0.0 0.0.0.0 secondary
ip address 0.0.0.0 0.0.0.0
ip access-group 101 in
ip nat outside
frame-relay interface-dlci 16
!
no ip http server
!
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
switch one
interface FastEthernet0/19
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/20
switchport access vlan 5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/21
switchport access vlan 4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/22
switchport access vlan 3
switchport trunk encapsulation dot1q
switchport mode trunk
switch 2
interface FastEthernet0/1
port protected
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/2
port protected
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/3
port protected
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/4
port protected
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
02-26-2004 06:52 AM
Okay. You are on the right track but not there just yet. If you have pasted the majority of the complete configuration from the 1721, then you are missing some information.
To make this work correctly, you will need to create a VLAN/IP Subnet for every device that you want isolated. See example setup below.
12th Floor - VLAN 5 - 2950 =====+
                                |
11th Floor - VLAN 4 - 2950 =====+
                                |
                           Core - 2950
                                |
                         Router - 1721
Since you want to isolate the 12th Floor and 11th Floor you need to create two DHCP Pools and two VLAN's for these Floors.
ip dhcp pool 2
network 10.10.10.0 255.255.255.0
domain-name
dns-server 0.0.0.0 0.0.0.0
default-router 10.10.10.1
lease 0 0 1
!
ip dhcp pool 3
network 10.10.11.0 255.255.255.0
domain-namet
dns-server 0.0.0.0 0.0.0.0
default-router 10.10.11.1
lease 0 0 1
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip address
!
interface FastEthernet0.4
encapsulation dot1Q 4
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0.5
encapsulation dot1Q 5
ip address 10.10.11.1 255.255.255.0
Configure all the uplinks between the switches to be 802.1q trunks. In addition, if you are stacking switches together that have different VLAN's configured, you will need to add all the VLAN's to the VLAN Database on all switches even if there is no port configured.
Hope that helps. I am sorry if the diagram doesn't work out. It was supposed to represent your infrastructure.
02-26-2004 07:57 AM
thank you so much for your reply.
i did get this to work last night with only one
problem.
the configuration was 7 2900 xl switches
top switch was configured with trunks ports with the 1721 and the other switches.
each switch belongs to one vlan
each switch is configured with the "port protected" command on all ports except the trunk port (here is the problem) however if you ping a different subnet you get a reply.
what type of access list can i use on the router to prevent users from talking to one another on a different switch?
thanks for your help
02-26-2004 07:11 PM
You can put a standard IP access list on each subinterface that only allows traffic to external IP addresses. For example:
VLAN-2
access-list 101 deny ip 10.10.10.1 0.0.0.31 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
This would prevent hosts on VLAN 2 from being able to talk to hosts on other VLANs, assuming all other VLANs use addresses in the 10.0.0.0/8 range. If additional addresses are in use, it's equally as easy to deny them as well. All other traffic (Internet traffic) is permitted by the second line in the ACL.
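The per-subinterface ACL pattern from the reply above, generated and checked in an added example (my code, not from anyone in the thread). The guest subnets, the ACL number and the 198.51.100.10 test address are constructed values, and the evaluator understands only the plain "permit|deny ip SRC DST" lines used here.

```python
import ipaddress

# Constructed guest VLAN plan (assumption, not the thread's exact addressing): one
# subnet per guest VLAN, as the accepted answer recommends.
GUEST_VLANS = {2: "10.10.10.0/27", 3: "10.10.11.0/27"}
INTERNAL = "10.0.0.0/8"  # the reply assumes every internal VLAN lives in 10/8

def wildcard(cidr):
    """Render a CIDR as the IOS 'network wildcard' pair, e.g. '10.10.10.0 0.0.0.31'."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"

def build_acl(acl_num, vlan_id):
    """Inbound ACL for one guest subinterface, in the reply's pattern: deny the guest
    subnet to the whole internal range, then permit everything else (the Internet)."""
    return [
        f"access-list {acl_num} deny ip {wildcard(GUEST_VLANS[vlan_id])} {wildcard(INTERNAL)}",
        f"access-list {acl_num} permit ip any any",
    ]

def _matches(addr, spec):
    """True if addr matches an IOS address spec: ['any'] or ['network', 'wildcard']."""
    if spec == ["any"]:
        return True
    base, wc = (int(ipaddress.ip_address(x)) for x in spec)
    mask = 0xFFFFFFFF ^ wc  # wildcard 1-bits are 'don't care'
    return (int(ipaddress.ip_address(addr)) & mask) == (base & mask)

def acl_permits(acl_lines, src, dst):
    """First-match evaluation of 'access-list N permit|deny ip SRC DST' lines; implicit deny."""
    for line in acl_lines:
        tok = line.split()
        action, rest = tok[2], tok[4:]
        src_spec, rest = (["any"], rest[1:]) if rest[0] == "any" else (rest[:2], rest[2:])
        dst_spec = ["any"] if rest[0] == "any" else rest[:2]
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action == "permit"
    return False

def isolation_report(acl_num=101):
    """Per guest VLAN: can a sample host reach another guest VLAN, and the Internet?"""
    sample = {v: str(list(ipaddress.ip_network(c).hosts())[4]) for v, c in GUEST_VLANS.items()}
    report = {}
    for vid in GUEST_VLANS:
        acl = build_acl(acl_num, vid)
        report[vid] = {
            "to_other_guests": any(acl_permits(acl, sample[vid], sample[o]) for o in sample if o != vid),
            "to_internet": acl_permits(acl, sample[vid], "198.51.100.10"),  # RFC 5737 test address
        }
    return report
```

Running isolation_report() before pasting the generated lines into the router confirms each guest subnet is denied to every other guest subnet but still permitted to a non-10/8 destination.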