How do I set up 2 vlans on a Cisco 891

jsandau
Level 1

Here is the scenario. Site A will have the IP address of 192.168.1.x, subnet mask 255.255.255.0, and will need to communicate with Site B (IP address 192.168.100.x, subnet mask 255.255.255.0). Neither site needs internet access, so I don't have a default gateway. I have a Cisco 891 with the IP address of 192.168.1.254. I don't have anything set up on the Cisco right now (no running config). Is this possible to set up?

Thanks,


Edison Ortiz
Hall of Fame

Yes, but you need routing enabled at both branches pointing to their respective remote subnets.

Ok, how would I do that?

Site A- ip route 192.168.100.0 255.255.255.0 [local gateway]

Site B- ip route 192.168.1.0 255.255.255.0 [local gateway]

Is this some kind of test? If you are dealing with production network, I highly suggest getting hired help!

This is just in a test environment to see if it is plausible. I'd assume that the local gateway would be the IP address of the router (192.168.1.254), right?

and 100.x for the other router - correct.

I entered the IP address of the router for the gateway, but I got an error basically saying that the next hop cannot be the router IP address. These were the commands I entered:

ip route 192.168.100.0 255.255.255.0 192.168.1.254

ip rout 192.168.1.0 255.255.255.0 192.168.100.254

How many routers do you have? I'm assuming you have a router on Site A and another router on Site B.

This command should go into the router on Site A

ip route 192.168.100.0 255.255.255.0 192.168.1.254

And this command should go into the router on Site B

ip rout 192.168.1.0 255.255.255.0 192.168.100.254

No, I only have one router with two separate VLANs created on it.

Then you don't need static routing.

You configure the workstation with the default gateway pointing to the router IP address within the same subnet and you should be able to ping between subnets.

I did that, but when I try to ping across the VLANs I get a destination host unreachable error. There are no firewalls on the computers. Here is the running config:

Building configuration...

Current configuration : 6951 bytes

!

! Last configuration change at 09:42:57 PCTime Wed Jul 11 2012 by User

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname yourname

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 $1$MGyU$tihjUxLtv6emv3HPwm/cF.

!

no aaa new-model

!

!

!

clock timezone PCTime -7

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-1261487516

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1261487516

revocation-check none

rsakeypair TP-self-signed-1261487516

!

!

crypto pki certificate chain TP-self-signed-1261487516

certificate self-signed 01

               quit

no ip source-route

!

!

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name yourdomain.com

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO891-K9 sn FGL16082051

!

!

username User privilege 15 secret 5 $1$872L$usBjgP2KGGnEv48KleE1h0

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

!

!

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

switchport access vlan 2

!

!

interface FastEthernet5

switchport access vlan 2

!

!

interface FastEthernet6

switchport access vlan 2

!

!

interface FastEthernet7

switchport access vlan 2

!

!

interface FastEthernet8

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

!

!

interface GigabitEthernet0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$

ip address 192.168.1.254 255.255.255.0

ip access-group AENV_IN in

ip access-group AENV_OUT out

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

!

interface Vlan2

ip address 192.168.100.254 255.255.255.0

ip access-group BTAP_IN in

ip access-group BTAP_OUT out

ip nat inside

ip virtual-reassembly

!

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

!

ip access-list extended AENV_IN

remark Allow Inbound IP From BTAP To AENV Or AENV To AENV

remark CCP_ACL Category=1

remark Only Allow Established Inbound TCP From BTAP

permit tcp 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255 established

remark Allow All Inbound IP Traffic from AENV

permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

permit icmp any any administratively-prohibited

ip access-list extended AENV_OUT

remark Allow Outbound IP From AENV To BTAP or AENV To AENV

remark CCP_ACL Category=1

remark Allow Outbound IP Traffic From AENV To BTAP

permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

remark Allow Outbound IP Traffic From AENV To AENV

permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

permit icmp any any administratively-prohibited

ip access-list extended BTAP_IN

remark Allow Inbound IP From AENV To BTAP Or BTAP To BTAP

remark CCP_ACL Category=1

permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

permit ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255

permit icmp any any administratively-prohibited

ip access-list extended BTAP_OUT

remark Allow Outbound IP From BTAP To AENV or BTAP To BTAP

remark CCP_ACL Category=1

remark Allow Inbound IP From BTAP To AENV

permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

remark Allow Outbound IP Traffice From BTAP To BTAP

permit ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255

permit icmp any any administratively-prohibited

!

logging trap debugging

no cdp run

!

!

!

!

!

!

control-plane

!

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to

use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

transport output telnet

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Remove the following:

interface Vlan1

no ip access-group AENV_IN in

no ip access-group AENV_OUT out

no ip nat inside

!

interface Vlan2

no ip access-group BTAP_IN in

no ip access-group BTAP_OUT out

no ip nat inside
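
An added example, not part of the thread or the poster's configuration: a simplified first-match model of the four ACLs as bound in the posted config, tracing a ping between the VLANs to show where it is dropped. The host addresses 192.168.1.10 and 192.168.100.10 and the function names are assumptions; NAT is not modelled.

```python
import ipaddress

ANY = "0.0.0.0/0"
A, B = "192.168.1.0/24", "192.168.100.0/24"

# Permit entries transcribed from the posted running config:
# (protocol, source, destination, qualifier or None)
ACLS = {
    "AENV_IN":  [("tcp", B, A, "established"), ("ip", A, A, None),
                 ("icmp", ANY, ANY, "administratively-prohibited")],
    "AENV_OUT": [("ip", A, B, None), ("ip", A, A, None),
                 ("icmp", ANY, ANY, "administratively-prohibited")],
    "BTAP_IN":  [("ip", A, B, None), ("ip", B, B, None),
                 ("icmp", ANY, ANY, "administratively-prohibited")],
    "BTAP_OUT": [("ip", B, A, None), ("ip", B, B, None),
                 ("icmp", ANY, ANY, "administratively-prohibited")],
}
# ip access-group bindings from interface Vlan1 / Vlan2 in the same config
BOUND = {("Vlan1", "in"): "AENV_IN", ("Vlan1", "out"): "AENV_OUT",
         ("Vlan2", "in"): "BTAP_IN", ("Vlan2", "out"): "BTAP_OUT"}
SVI = {"Vlan1": ipaddress.ip_network(A), "Vlan2": ipaddress.ip_network(B)}


def permitted(acl, proto, src, dst, qual):
    """First-match evaluation; falling off the end is the implicit deny."""
    for r_proto, r_src, r_dst, r_qual in ACLS[acl]:
        if (r_proto in ("ip", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)
                and r_qual in (None, qual)):
            return True
    return False


def trace(proto, src, dst, qual=None, bound=BOUND):
    """Return 'forwarded' or the (interface, direction, ACL) that drops the packet."""
    vlan_of = lambda ip: next(v for v, n in SVI.items() if ipaddress.ip_address(ip) in n)
    for hop in ((vlan_of(src), "in"), (vlan_of(dst), "out")):
        acl = bound.get(hop)
        if acl and not permitted(acl, proto, src, dst, qual):
            return hop + (acl,)
    return "forwarded"


if __name__ == "__main__":
    # Constructed sample hosts, one per VLAN
    print(trace("icmp", "192.168.1.10", "192.168.100.10", "echo"))
    print(trace("icmp", "192.168.100.10", "192.168.1.10", "echo"))
    print(trace("icmp", "192.168.1.10", "192.168.100.10", "echo", bound={}))
```

Passing `bound={}` models the configuration after the access-groups are removed. Tracing a flow before unbinding a list shows which entry set blocks it, which helps when filtering between the VLANs is meant to stay in place.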
