hotel vlan configuration and routing

jcajuste
Level 1

I was tasked to implement internet access in a hotel.

Due to budget constraints this can only be done with a 1721 router and 6 2900 series XL switches.

1) The router should provide IP addresses for all hosts.

2) Hosts should not be able to see each other.

I am posting my config for the router and switches.

Problem:

Clients can not obtain an IP address, therefore can not surf the web.

Can anyone tell me what I am doing wrong?

Thank you

router

ip dhcp pool 2
 network 10.10.10.0 255.255.255.224
 domain-name
 dns-server 0.0.0.0 0.0.0.0
 default-router 10.10.10.1
 lease 0 0 1
!
ip dhcp pool 3
 network 10.10.11.0 255.255.255.0
 domain-name
 dns-server 0.0.0.0 0.0.0.0
 default-router 10.10.11.1
 lease 0 0 1
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 10.10.9.1 255.255.255.224
 ip nat inside
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 10.10.10.1 255.255.255.224
 ip nat inside
!
interface Serial0
 no ip address
 ip nat outside
 encapsulation frame-relay IETF
 no keepalive
 service-module t1 timeslots 9-24
!
interface Serial0.1 point-to-point
 ip address 0.0.0.0 0.0.0.0 secondary
 ip address 0.0.0.0 0.0.0.0
 ip access-group 101 in
 ip nat outside
 frame-relay interface-dlci 16
!
no ip http server
!
access-list 100 permit ip 10.10.0.0 0.0.255.255 any

switch one

interface FastEthernet0/19
 switchport access vlan 6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/20
 switchport access vlan 5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/21
 switchport access vlan 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/22
 switchport access vlan 3
 switchport trunk encapsulation dot1q
 switchport mode trunk

switch 2

interface FastEthernet0/1
 port protected
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet0/2
 port protected
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet0/3
 port protected
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet0/4
 port protected
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk

Accepted Solution

don.orlik
Level 1

Okay. You are on the right track but not there just yet. If you have pasted the majority of the complete configuration from the 1721, then you are missing some information.

To make this work correctly, you will need to create a VLAN/IP Subnet for every device that you want isolated. See example setup below.

12th Floor - VLAN 5 - 2950 =======+
                                  |
11th Floor - VLAN 4 - 2950 =======+
                                  |
                             Core - 2950
                                  |
                             Router - 1721

Since you want to isolate the 12th Floor and 11th Floor you need to create two DHCP pools and two VLANs for these floors.

ip dhcp pool 2
 network 10.10.10.0 255.255.255.0
 domain-name
 dns-server 0.0.0.0 0.0.0.0
 default-router 10.10.10.1
 lease 0 0 1
!
ip dhcp pool 3
 network 10.10.11.0 255.255.255.0
 domain-name
 dns-server 0.0.0.0 0.0.0.0
 default-router 10.10.11.1
 lease 0 0 1
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip address
!
interface FastEthernet0.4
 encapsulation dot1Q 4
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0.5
 encapsulation dot1Q 5
 ip address 10.10.11.1 255.255.255.0

Configure all the uplinks between the switches to be 802.1q trunks. In addition, if you are stacking switches together that have different VLANs configured, you will need to add all the VLANs to the VLAN database on all switches even if there is no port configured.

Hope that helps. I am sorry if the diagram doesn't work out. It was supposed to represent your infrastructure.

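As an added illustration of the "one DHCP pool plus a matching subinterface per VLAN" point (this is not code from the thread), a small Python check that parses the DHCP pools and subinterfaces out of IOS config text and reports any pool that has no router address on its network. It assumes the IOS behaviour that a directly connected client is served from the pool whose network contains the address of the subinterface that received the DHCPDISCOVER; run against the original post's router config it flags pool 3, which has no FastEthernet0.x subinterface on 10.10.11.0/24.

```python
import ipaddress

# Constructed sample: the pools and subinterfaces from the original post above
# (the redacted domain-name/dns-server lines are omitted).
OP_ROUTER = """
ip dhcp pool 2
 network 10.10.10.0 255.255.255.224
 default-router 10.10.10.1
ip dhcp pool 3
 network 10.10.11.0 255.255.255.0
 default-router 10.10.11.1
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 10.10.10.1 255.255.255.224
"""

def parse_ios(text):
    """Return pools {name: {network, gateway}} and interfaces {name: {address}} from IOS config text."""
    pools, ifaces, section = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        words = line.split()
        if line.startswith("ip dhcp pool "):
            section = pools.setdefault(words[-1], {})
        elif line.startswith("interface "):
            section = ifaces.setdefault(words[-1], {})
        elif section is not None and words[:1] == ["network"]:
            section["network"] = ipaddress.IPv4Network(f"{words[1]}/{words[2]}")
        elif section is not None and words[:1] == ["default-router"]:
            section["gateway"] = ipaddress.IPv4Address(words[1])
        elif section is not None and words[:2] == ["ip", "address"]:
            section["address"] = ipaddress.IPv4Address(words[2])
    return pools, ifaces

def dhcp_audit(text):
    """One finding per pool. Assumed IOS behaviour: a directly connected client is served
    from the pool whose network contains the address of the subinterface that received the
    DHCPDISCOVER, so a pool with no such subinterface never hands out a lease."""
    pools, ifaces = parse_ios(text)
    report = {}
    for name, pool in pools.items():
        net = pool["network"]
        addrs = [i["address"] for i in ifaces.values() if "address" in i and i["address"] in net]
        if not addrs:
            report[name] = f"no subinterface on {net}: clients there never get a lease"
        elif pool.get("gateway") not in addrs:
            report[name] = f"default-router {pool.get('gateway')} is not a router address on {net}"
        else:
            report[name] = "ok"
    return report
```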

3 Replies


Thank you so much for your reply.

I did get this to work last night with only one problem.

The configuration was 7 2900 XL switches.

The top switch was configured with trunk ports to the 1721 and the other switches.

Each switch belongs to one VLAN.

Each switch is configured with the "port protected" command on all ports except the trunk port. (Here is the problem.) However, if you ping a different subnet you get a reply.

What type of access list can I use on the router to prevent users from talking to one another on a different switch?

Thanks for your help

You can put a standard IP access list on each subinterface that only allows traffic to external IP addresses. For example:

VLAN-2

access-list 101 deny ip 10.10.10.1 0.0.0.31 10.0.0.0 0.255.255.255
access-list 101 permit ip any any

This would prevent hosts on VLAN 2 from being able to talk to hosts on other VLANs, assuming all other VLANs use addresses in the 10.0.0.0/8 range. If additional addresses are in use, it is equally easy to deny them as well. All other traffic (Internet traffic) is permitted by the second line in the ACL.
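An added example (not code from the reply above) that parses the reply's two ACL lines, evaluates sample flows against them the way IOS does (first match wins, implicit deny at the end), and generates the same two-line pattern for any other VLAN subnet. It also makes the caveat visible: the deny line matches the VLAN's own gateway address and any DNS server inside 10.0.0.0/8, so a permit for those must be placed ahead of it if hosts need to reach them.

```python
import ipaddress

# Constructed sample: the two lines from the reply above, applied inbound on the VLAN 2 subinterface.
VLAN2_ACL = [
    "access-list 101 deny ip 10.10.10.1 0.0.0.31 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
]

def _address_spec(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    # ipaddress accepts a wildcard (host mask) after the slash and, with strict=False,
    # normalises 10.10.10.1/0.0.0.31 to 10.10.10.0/27 just as IOS stores it.
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ip SRC DST' entries into (action, src_net, dst_net)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, rest = _address_spec(t[4:])
        dst, _ = _address_spec(rest)
        entries.append((t[2], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry decides; IOS appends an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def isolation_acl(number, vlan_subnet, internal="10.0.0.0/8"):
    """The reply's two-line pattern for any VLAN subnet, written in IOS wildcard notation."""
    def spec(cidr):
        n = ipaddress.IPv4Network(cidr)
        return f"{n.network_address} {n.hostmask}"
    return [f"access-list {number} deny ip {spec(vlan_subnet)} {spec(internal)}",
            f"access-list {number} permit ip any any"]
```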