Hope you can help, have been asked to look into setting up some vlans and could do with some basic information/assistance.
Initially we would like to vlan one office (more to come later). We have a cisco 2800 router which we can use for controlling our vlans.
Our set up is like this :
cisco 2911 (Managed and very little control over) this houses our external internet link
cisco 2800 (Full control over, doing nothing now)
I've currently set
fa0/0 to 192.168.10.5 talk to the 2911 which is on 192.168.10.1 and hopefully try to use this link as our "uplink" to the internet
fa0/1 is set to 172.16.15.254 which is main buildings network, so I can communicate with the router etc
fa/0/1/1 I have (hopefully) put into vlan20 on 10.10.10.1 (hopefully to be the gateway for 10.10.10.0 network which is to be the other building)
and I have a test computer on 10.10.10.2.
From the 2800 I can ping all addresses (uplink on 192.168.10.1, main network 172.16.10.0 and the test computer 10.10.10.2)
From the computer I can ping the router 10.10.10.1.
What I will eventually need to do, is have vlan20 network with internet access via the 192.168.10.1 link, and also to our servers.
I feel I am missing some step and have spent a few days now trying to learn cisco/routing/gateways to no avail. I believe I need to gateway the vlan via the internet link, to give them internet access (manually putting the computer on a 192 address gatewayed to the internet router works), and eventually the vlan20 will need access to our servers as well, as they will be accessing information from those (which are currently on the main network (172.*)).
Using 1702 out of 196600 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
logging buffered 51200 warnings
enable secret 5 <removed>
enable password <removed>
no aaa new-model
ip name-server 172.16.10.12
crypto pki trustpoint TP-self-signed-2442068499
crypto pki certificate chain TP-self-signed-2442068499
certificate self-signed 01 nvram:IOS-Self-Sig#3939.cer
username admin privilege 15 password 0 <removed>
ip address 192.168.10.5 255.255.255.0
no mop enabled
ip address 172.16.15.254 255.255.248.0
description VLan 20 - IT Support
switchport access vlan 20
no ip address
ip address 10.10.10.1 255.255.255.0
ip default-gateway 192.168.10.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.10.1
ip route 10.10.10.0 255.255.255.0 192.168.1.1
ip http server
ip http authentication local
ip http secure-server
snmp-server community public RO
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
I would say that you have made a pretty good start. I see a couple of things in the config that you have posted.
- the default-gateway command would be used only if the router starts acting as an IP host. Having the command in the config does not hurt anything, but it is not accomplishing much.
- you have a static route for 10.10.10.0 which you do not need. That subnet is a connected route and therefore you do not need a route statement for it. And why would you use 192.168.1.1 as the next hop?
- you have a static default route configured, which is a good thing. But why use 172.16.10.1 as the next hop? It would seem to make more sense to use 192.168.10.1 as the next hop.
You tell us that the test computer can ping the router at 10.10.10.1. But you do not tell us whether the test computer can ping anything else? As a start can the test computer ping the fa0/0 and fa0/1 interfaces on the 2800 router? For the test computer to ping the 2911 your posted config should work - but you will need a route on the 2911 that gets to 10.10.10.0 using the 2800 as a next hop. Similarly your config should route packets from the test computer to the main building network. But that network needs a route back to 10.10.10.0 for communications to be successful.
Thanks for the reply!
(and for not laughing at my config)
1) I read later in the day regarding default-gateway, so have removed that.
2) I was hoping to use 192.168.10.1 as a gateway to give access, but got it wrong, have removed that as well.
3) 172.16.10.1 was entered by mistake. Guess my hands are on auto from working with our normal network, it was as you correctly said, intended to be 192.168.10.1.
Some more info for you: if I directly connect the test pc to the 911, on a 126.96.36.199 ip and put the 911 as the gateway, I can connect to the internet just fine.
Putting the test pc back onto the 2800, in its 10.10.10.2 address, I can ping all the up/up interfaces on the 2800 (this surprised me actually, I was expecting them to be "separate". But that was just my impression).
Trying to ping 192.168.10.1 (the 2911) fails with a timeout.
Due to the nature of the traffic on the remote building, the end-goal is hopefully to have vlan20 on a separate range of IPs to the main network, without communications to the main network, other than our housed servers and internet. I suspect I will need to vlan the servers and enable routing between them, but I'm trying to learn one step at a time.
Thanks for the help so far.
I certainly agree about trying to learn one step at a time. And it looks to me like you are making progress.
I believe that when you attempt to ping from the test PC to the 2911 your ping gets to the 2911. But it does not have a route for the 10.10.10 network and so can not send a response. If you (or someone who has access) can configure a route on the 2911 for 10.10.10 with the 2800 as the next hop then I believe that you would be able to ping the 2911.
Once you can ping the 2911 you might want to try access to the Internet. I predict that you will have problems with that and that the problem will be about doing Network Address Translation for the 10.10.10 network. But go one step at a time.
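The return-route problem discussed in the replies above, as an added example that is not part of the original thread: a small longest-prefix-match model of the two routers that traces the ping request and its reply separately. The names `r2800`, `r2911` and the `ISP` next hop are assumptions, as is the 2911's routing table (its connected uplink subnet plus a default route toward the provider), since the thread never shows the 2911 config.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: returns 'connected', a next hop, or None."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(routers, start, dst, max_hops=8):
    """Forward dst hop by hop from router `start`; returns (path, delivered)."""
    path, at = [start], start
    for _ in range(max_hops):
        nh = lookup(routers[at]["routes"], dst)
        if nh == "connected":
            return path, True
        owner = next((n for n, r in routers.items() if nh in r["addrs"]), None)
        if owner is None:  # no route at all, or next hop is outside the model
            return path + [str(nh)], False
        path.append(owner)
        at = owner
    return path, False

def ping(routers, first_hop, target_router, src, dst):
    """A ping succeeds only if request and reply are both deliverable."""
    return trace(routers, first_hop, dst)[1], trace(routers, target_router, src)[1]

def build(with_return_route):
    """2800 as corrected in the thread; 2911 table is an assumption."""
    r2800 = {"addrs": {"192.168.10.5", "172.16.15.254", "10.10.10.1"},
             "routes": [("192.168.10.0/24", "connected"),
                        ("172.16.8.0/21", "connected"),  # 172.16.15.254 /21
                        ("10.10.10.0/24", "connected"),
                        ("0.0.0.0/0", "192.168.10.1")]}
    r2911 = {"addrs": {"192.168.10.1"},
             "routes": [("192.168.10.0/24", "connected"),
                        ("0.0.0.0/0", "ISP")]}  # assumed default toward provider
    if with_return_route:  # the static route the replies ask for on the 2911
        r2911["routes"].append(("10.10.10.0/24", "192.168.10.5"))
    return {"r2800": r2800, "r2911": r2911}

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, ping(build(fixed), "r2800", "r2911", "10.10.10.2", "192.168.10.1"))
```

Without the extra route the request is delivered but the reply follows the 2911's default route away from the 2800, which matches the timeout seen from the test PC.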