11-07-2011 10:30 AM - edited 03-04-2019 02:11 PM
Hi all,
I need to configure a Cisco 3560G switch (a layer 3 switch) and a Cisco router to achieve the following:
I want all VLANs to access the internet.
VLAN 7 is for management; only admins access it.
VLAN 8 is for network devices, that is all 3 Cisco switches and the router.
VLAN 6 is the server VLAN and must be accessible from all VLANs.
VLANs 2, 3, 4, 5 should NOT be able to talk to each other.
Please assist by checking my config and diagram before implementation.
Note: all 3 Cisco switches will have the same config.
Thanks
11-07-2011 11:14 AM
Hi,
On the router:
1) No need for this command, as it is only used when not routing:
ip default-gateway 123.49.42.161
So you can get rid of it:
no ip default-gateway 123.49.42.161
2) Your static default route is not correct:
ip route 0.0.0.0 0.0.0.0 123.49.42.162
It should be: ip route 0.0.0.0 0.0.0.0 123.49.42.161
So delete your wrong default route and configure the correct one:
no ip route 0.0.0.0 0.0.0.0 123.49.42.162
ip route 0.0.0.0 0.0.0.0 123.49.42.161
3) Your NAT ACL is not permitting your VLAN subnets.
I suppose you want these to access the internet, so you must do this:
no access-list 102
access-list 102 permit ip 172.17.0.0 0.0.255.255 any
Then you also must define your NAT interfaces like this:
interface G0/1
ip nat inside
interface G0/0
ip nat outside
4) All your static routes are incorrect; they must be:
ip route 172.17.18.128 255.255.255.192 172.17.18.3
ip route 172.17.18.192 255.255.255.192 172.17.18.3
ip route 172.17.19.192 255.255.255.192 172.17.18.3
ip route 172.17.19.128 255.255.255.192 172.17.18.3
ip route 172.17.18.32 255.255.255.224 172.17.18.3
ip route 172.17.18.16 255.255.255.240 172.17.18.3
ip route 172.17.18.0 255.255.255.240 172.17.18.3
Now let's take care of the switches:
On Core Switch A
1) I wouldn't disable CDP because it is a great troubleshooting tool and you might need it, at least before you know everything is ok.
2) You have VLAN 5 172.17.129.128 /26 but I don't see a static route on the router for this VLAN; you should add it.
3) On the router you have a static route to 172.17.18.0/28 but I don't see any SVI on the switch for it.
4) Why ACLs VLAN6 and VLAN7 if you permit all but don't log anything?
5) Your ACLs are not configured correctly, as were the static routes; you must use the subnet IP, not the SVI IP,
so:
- ACL VLAN2: permit 172.17.18.32
- ACL VLAN4: same
- ACL VLAN3: same
- ACL VLAN5: same
Regards.
Alain.
11-07-2011 12:49 PM
Hi,
When you say VLAN 8, do you mean the routed subnet between the switch and the router? If so, then it is not considered a VLAN but just a subnet configured on a switch routed port, so no need to configure it.
For the management VLAN, yes, it must exist on every switch.
Concerning the ACLs on VLAN 6 and VLAN 7, don't create ACLs, because the other VLANs won't communicate with them anyway because of the ACLs configured under the respective SVIs.
Indeed, like proposed above, you can also use a private VLAN config, but I've only done this once in the CCNP curriculum and never since, so you'll have to wait for someone having played with it more to explain exactly the config.
Regards.
Alain
11-07-2011 11:01 AM
It's much easier and more scalable to use private VLANs.
What problems do you have now?
11-07-2011 11:50 AM
Please give the way forward on that private VLAN as you suggest.
Thanks
11-07-2011 12:07 PM
Alain
Thanks very much for your quick response.
It's true, I can see it now. What I wanted the most is:
1. Is the command correct on the switch? Take a look at each command please. Should I add VLAN 7 (management VLAN) and VLAN 8 (network device VLAN, that is switches and router)?
//Switch-A int G0/27 is connected to Switch-C int G0/25 with fiber cable
Switch-A(config)# int G0/27
Switch-A(config-if)# switchport mode dynamic desirable
Switch-A(config-if)# switchport trunk encapsulation dot1q
Switch-A(config-if)# switchport mode trunk
Switch-A(config-if)# switchport trunk allowed vlan remove 1-4094
Switch-A(config-if)# switchport trunk allowed vlan add 2,3,4,5,6,7
2. VLAN 8 is the network device VLAN; am I supposed to create it on the switches?
3. What do you suggest on VLANs 6, 7, 8...? To me, I wanted VLAN 6 to reach all other VLANs, that is VLANs 2, 3, 4, 5.
4. What is the best practice on this please?
thanks,
Joseph
11-09-2011 02:36 AM
Thanks Alain,
All works well regarding your guidance.
But now all VLANs can see each other, and I would like only VLAN 6 to be reached by all other VLANs and VLANs 2, 3, 4, 5 NOT to see each other. How do I do that please?
Can you tell me what to do on the switch so that all VLANs can share the samba files? The IP of samba is 172.17.18.36; right now samba is not accessible.
11-09-2011 03:11 AM
Hi,
Post your new config.
Regards.
Alain
11-09-2011 04:35 AM
Alain,
Switch A is configured as a layer 3 switch and is the VTP server.
Switches B and C are configured as layer 2 and are all VTP clients.
All VLANs can now browse the internet clearly, but I wanted:
1. VLANs 2, 3, 4, 5, 6, 7 NOT to see each other, but VLAN 10 can reach all VLANs as it's the management VLAN, and VLAN 8 can be reached by all VLANs as it's the server VLAN, and VLAN 8 can reach all VLANs.
2. My samba file server, which belongs to the server VLAN, can be pinged from all VLANs BUT cannot now be accessed; I mean the files from samba cannot be explored.
Cisco switch config
cisco-switchA#
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description connection to ASA
no switchport
ip address 172.17.18.3 255.255.255.240
!
interface GigabitEthernet0/2
description management vlan
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/3
description management vlan
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/4
description management vlan
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/5
description management vlan
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/6
description management vlan
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/7
description MIS&security
switchport access vlan 6
switchport mode access
!
interface GigabitEthernet0/8
description MIS&security
switchport access vlan 6
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 6
switchport trunk encapsulation dot1q
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/21
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/22
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/23
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/24
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/25
description connection PMU
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/26
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/27
description connection MJENGONI
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description 5th and 4th floor
ip address 172.17.18.129 255.255.255.192
!
interface Vlan3
description 3th floor
ip address 172.17.18.193 255.255.255.192
!
interface Vlan4
description 2nd floor
ip address 172.17.19.1 255.255.255.192
!
interface Vlan5
ip address 172.17.19.65 255.255.255.192
!
interface Vlan6
description MIS and SECURITY
ip address 172.17.19.129 255.255.255.192
ip helper-address 172.17.18.36
!
interface Vlan7
description PMU
ip address 172.17.19.193 255.255.255.192
!
interface Vlan8
description server vlan
ip address 172.17.18.33 255.255.255.224
!
interface Vlan10
description management vlan
ip address 172.17.18.17 255.255.255.240
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.18.1
ip http server
!
ip access-list extended vlan2
permit ip any 0.0.0.0 255.255.255.224
deny ip any any
ip access-list extended vlan3
permit ip any 0.0.0.0 255.255.255.224
deny ip any any
ip access-list extended vlan4
permit ip any 0.0.0.0 255.255.255.224
deny ip any any
ip access-list extended vlan5
permit ip any 0.0.0.0 255.255.255.224
deny ip any any
ip access-list extended vlan6
permit ip any 0.0.0.0 255.255.255.224
deny ip any any
ip access-list extended vlan7
permit ip any 0.0.0.0 255.255.255.224
deny ip any any
!
no cdp run
snmp-server community test123 RO
snmp-server location TEST HQ
snmp-server enable traps snmp authentication linkdo
snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply
snmp-server enable traps mac-notification
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologycha
snmp-server enable traps stpx inconsistency root-in
y
snmp-server enable traps syslog
snmp-server enable traps vlan-membership
!
control-plane
!
banner motd ^CThis is an official computer system a
ANIZATION. It is for authorized users only. Unautho
sers (authorized or unauthorized) have no explicit
ivacy. Any or
^C
!
line con 0
line vty 0 4
password 7 071F224F4C765455687898990
login
line vty 5 15
login
!
end
cisco-switchB#
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/2
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/3
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/4
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/5
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/6
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/7
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/8
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/9
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/10
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/11
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/12
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/13
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/14
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/15
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/16
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/17
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/18
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/19
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/20
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/21
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/22
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/23
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/24
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
description connection mis switch
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-8,10
switchport mode trunk
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan2
description 5th and 4th floor
no ip address
no ip route-cache
!
interface Vlan3
description 3th floor
no ip address
no ip route-cache
!
interface Vlan4
description 2nd floor
no ip address
no ip route-cache
!
interface Vlan5
description 1st floor
no ip address
no ip route-cache
!
interface Vlan6
description mis
no ip address
no ip route-cache
!
interface Vlan7
description pmu
no ip address
no ip route-cache
!
interface Vlan8
description server farm
no ip address
no ip route-cache
!
interface Vlan10
description management vlan
ip address 172.17.18.18 255.255.255.240
no ip route-cache
!
ip default-gateway 172.17.18.17
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password 7 120906141666666666666778778
login
line vty 5 15
login
!
end
cisco-switchc#
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/2
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/3
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/4
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/5
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/6
description 4th and 5th
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/7
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/8
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/9
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/10
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/11
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/12
description 3rd floor
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/13
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/14
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/15
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/16
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/17
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/18
description 2nd floor
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/19
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/20
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/21
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/22
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/23
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/24
description 1st floor
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
description connection mis switch
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-8,10
switchport mode trunk
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan2
description 5th and 4th floor
no ip address
no ip route-cache
!
interface Vlan3
description 3th floor
no ip address
no ip route-cache
!
interface Vlan4
description 2nd floor
no ip address
no ip route-cache
!
interface Vlan5
description 1st floor
no ip address
no ip route-cache
!
interface Vlan6
description mis
no ip address
no ip route-cache
!
interface Vlan7
description pmu
no ip address
no ip route-cache
!
interface Vlan8
description server farm
no ip address
no ip route-cache
!
interface Vlan10
description management vlan
ip address 172.17.18.19 255.255.255.240
no ip route-cache
!
ip default-gateway 172.17.18.17
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password 7 120906141666666666666778778
login
line vty 5 15
login
!
end
11-09-2011 05:42 AM
Hi,
"I would like only VLAN 6 to be reached by all other VLANs and VLANs 2, 3, 4, 5 NOT to see each other. How to do that please?"
Try below...
interface Vlan6
description MIS and SECURITY
ip address 172.17.19.129 255.255.255.192
ip helper-address 172.17.18.36
ip access-group vlan6
interface Vlan2
description 5th and 4th floor
ip address 172.17.18.129 255.255.255.192
interface Vlan3
description 3th floor
ip address 172.17.18.193 255.255.255.192
interface Vlan4
description 2nd floor
ip address 172.17.19.1 255.255.255.192
interface Vlan5
ip address 172.17.19.65 255.255.255.192
ip access-list extended vlan2
permit ip any any
deny ip 172.17.18.0 0.0.0.255
ip access-list extended vlan3
permit ip any any
deny ip 172.17.18.0 0.0.0.255
ip access-list extended vlan4
permit ip any any
deny ip 172.17.18.0 0.0.0.255
ip access-list extended vlan5
permit ip any any
deny ip 172.17.18.0 0.0.0.255
ip access-list extended vlan6
permit ip any any
Please rate the helpful posts.
Regards,
Naidu.
11-09-2011 07:08 AM
Naidu
Please put a comment on each permit and deny so I can get to know what will happen. On VLAN 6, by putting
ip access-group vlan6, it is just rejecting that command... What will happen to VLAN 4 by deny ip
172.17.18.0 0.0.0.255? You mean VLAN 4 will also communicate with all VLANs since it has 172.17.19.0?
ip access-list extended vlan2
permit ip any any
deny ip 172.17.18.0 0.0.0.255
ip access-list extended vlan3
permit ip any any
deny ip 172.17.18.0 0.0.0.255
ip access-list extended vlan4
permit ip any any
deny ip 172.17.18.0 0.0.0.255
ip access-list extended vlan5
permit ip any any
deny ip 172.17.18.0 0.0.0.255
ip access-list extended vlan6
permit ip any any
thanks
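As an added example (not code from the thread, from Naidu, or from Cisco), the Python script below models the policy Joseph states in his 11-09 04:35 post (VLANs 2 to 7 isolated from each other, VLAN 8 servers reachable by everyone, VLAN 10 management reaching everyone, internet for all) as one inbound ACL per user SVI, and evaluates it the way IOS does: first match wins, wildcard bits set to 1 are "don't care", implicit deny at the end. It derives every subnet from the SVI addresses posted for cisco-switchA, which is the point behind Alain's "use the subnet, not the SVI IP" remark and behind the router's static route list, and it evaluates the posted `permit ip any 0.0.0.0 255.255.255.224` line to show why a wildcard of that shape cannot match a host such as the samba server. The sample hosts (network address + 10), the internet address 198.51.100.10, the `established` and `echo-reply` return-traffic lines and all function names are this example's own assumptions.

```python
"""Worked model of the thread's VLAN policy: subnets, routes and inbound SVI ACLs.

Added example, not code from the thread or from Cisco. Addresses are copied from the
cisco-switchA config posted above; the ACL text, the IOS-style evaluator and the
sample hosts are this example's own assumptions.
"""
from ipaddress import IPv4Address, ip_interface

# SVI addresses exactly as posted for cisco-switchA (VLAN id -> address/prefix).
SVIS = {2: "172.17.18.129/26", 3: "172.17.18.193/26", 4: "172.17.19.1/26",
        5: "172.17.19.65/26", 6: "172.17.19.129/26", 7: "172.17.19.193/26",
        8: "172.17.18.33/27", 10: "172.17.18.17/28"}
SUBNETS = {v: ip_interface(a).network for v, a in SVIS.items()}
USER_VLANS, SERVER_VLAN, MGMT_VLAN = (2, 3, 4, 5, 6, 7), 8, 10  # latest requirement in the thread
ROUTER_NEXT_HOP = "172.17.18.3"        # switch-A routed port Gi0/1, from the posted config
NAT_ACL = ["permit ip 172.17.0.0 0.0.255.255 any"]  # body of the access-list 102 proposed above
INTERNET_HOST = "198.51.100.10"        # constructed sample destination outside 172.17/16

def host(vlan, n=10):
    """A constructed sample host inside a VLAN's subnet (network address + n)."""
    return str(SUBNETS[vlan].network_address + n)

def wc(net):
    """'network wildcard' as IOS wants it: the subnet, never the SVI host address."""
    return f"{net.network_address} {net.hostmask}"

def static_routes():
    """Router-side routes for every SVI subnet, derived instead of typed by hand."""
    return [f"ip route {n.network_address} {n.netmask} {ROUTER_NEXT_HOP}"
            for n in SUBNETS.values()]

def user_vlan_acl(vlan):
    """Inbound ACL for one user SVI: servers yes, replies to mgmt yes, other internal no, internet yes."""
    src, srv, mgmt = wc(SUBNETS[vlan]), wc(SUBNETS[SERVER_VLAN]), wc(SUBNETS[MGMT_VLAN])
    return [f"permit ip {src} {srv}",
            f"permit tcp {src} {mgmt} established",  # only replies to sessions mgmt opened
            f"permit icmp {src} {mgmt} echo-reply",  # only replies to pings from mgmt
            f"deny ip {src} 172.17.18.0 0.0.1.255",  # every other internal subnet (172.17.18-19.x)
            f"permit ip {src} any"]                  # everything else: internet via the default route

def _addr(tok, i):
    """Parse one IOS address term into (value, care_bits); wildcard 1-bits are 'don't care'."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    care = ~int(IPv4Address(tok[i + 1])) & 0xFFFFFFFF
    return (int(IPv4Address(tok[i])) & care, care), i + 2

def _hit(term, ip):
    value, care = term
    return int(IPv4Address(ip)) & care == value

def evaluate(acl, flow):
    """First match wins, implicit deny at the end. flow = (proto, src, dst, qualifier_set)."""
    proto, src, dst, quals = flow
    for line in acl:
        tok = line.split()
        action, rproto = tok[0], tok[1]
        s, i = _addr(tok, 2)
        d, i = _addr(tok, i)
        qual = tok[i] if i < len(tok) else None  # e.g. 'established', 'echo-reply'
        if (rproto in ("ip", proto) and _hit(s, src) and _hit(d, dst)
                and (qual is None or qual in quals)):
            return action, line
    return "deny", "implicit deny"

def policy_matrix():
    """Verdict for a NEW tcp connection from each user VLAN, plus a reply to a mgmt-initiated one."""
    out = {}
    for v in USER_VLANS:
        acl = user_vlan_acl(v)
        other = next(u for u in USER_VLANS if u != v)
        targets = {"other_user": host(other), "servers": "172.17.18.36",  # samba host from the thread
                   "mgmt": host(MGMT_VLAN), "internet": INTERNET_HOST}
        for name, dst in targets.items():
            out[(v, name)] = evaluate(acl, ("tcp", host(v), dst, set()))[0]
        out[(v, "reply_to_mgmt")] = evaluate(acl, ("tcp", host(v), host(MGMT_VLAN), {"established"}))[0]
    return out

def nat_acl_covers_all():
    """True when every SVI subnet is a matching inside source for the NAT ACL."""
    return all(evaluate(NAT_ACL, ("tcp", host(v), INTERNET_HOST, set()))[0] == "permit"
               for v in SUBNETS)

# The ACL line posted under 'ip access-list extended vlan2' on cisco-switchA, kept verbatim:
# wildcard 255.255.255.224 leaves only the low five destination bits significant, so it
# matches x.x.x.0, .32, .64 ... and never a real host such as the samba server 172.17.18.36.
POSTED_LINE = ["permit ip any 0.0.0.0 255.255.255.224"]

if __name__ == "__main__":
    print("\n".join(static_routes()))
    print("\n".join(user_vlan_acl(2)))
    for key, verdict in sorted(policy_matrix().items()):
        print(key, verdict)
    print("posted line vs samba:", evaluate(POSTED_LINE, ("tcp", host(2), "172.17.18.36", set())))
```

Apply each generated list inbound on its own SVI with `ip access-group <name> in`; IOS rejects `ip access-group` without `in` or `out`, and nothing is applied to the VLAN 8 and VLAN 10 SVIs, which is what lets them initiate to everyone. Two caveats the script does not model: IOS ACLs are stateless, so the `established` and `echo-reply` lines are the usual approximation of "replies only", not a session table; and an SVI that relays DHCP with `ip helper-address` (Vlan6 in the posted config) should also permit the clients' udp bootpc-to-bootps packets from source 0.0.0.0 ahead of the deny so the relay is not blocked.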