I don't know if this will work, I'm confused.

Futura Member Posts: 191
Hi Guys,
My ISP provided me with a preconfigured router; they don't let users have the usernames/passwords. And I'm trying to create a lab like in CBT Nuggets.

Here's my attempt at getting it set up

I have an 800 series router and created two VLANs on it with an SVI for each VLAN.

VLAN 1: eth ports 0 and 1, with an SVI of 192.168.0.100. This connects to my ISP router.

I put in an ip route of 0.0.0.0 0.0.0.0 192.168.0.1; this is the address of my existing ISP router.

This bit all works great, I can ping 4.2.2.2.

The problem lies with the other vlan.

Ports 2 and 3 are in VLAN 2, with an SVI of 192.168.10.10.

If I extended ping from 192.168.10.10 to 4.2.2.2 it times out, but if I ping from 192.168.0.100 to 4.2.2.2 it works fine.

I have 'no shut' all the ports and VLANs.

I'm thinking that VLANs do not route to each other? Or maybe there is no default route for the network 192.168.10.0.

Or am I totally confused!!

Spent four hours on this last night!!

Comments

  • SteveThing Member Posts: 42 ■■□□□□□□□□
    Can you provide the output of show run for us (scrubbing sensitive info of course)? What specific model of router is it? 861?
    CompTIA: Net+, Sec+
    Aruba: ACMA, ACMP
    Air Force:
    2E251, 3D152, Fiber Installation Expert, Certified Cryptographic Network Professional, and a couple hundred useless certs on nothing important in real life (aka, Tree Killing+)
  • Futura Member Posts: 191
    It's an 877 with the Advanced IOS installed...

    I'll have to do the sh run later when I get home, thanks.
  • Pash Member Posts: 1,600 ■■■■■□□□□□
    Tbh I could be way off the mark with this, because it's been a while.

    Isn't VLAN trunking only supported on Fast Ethernet ports? Hence why you can't communicate between the VLANs?

    But yeah, a show run would help to see more detail.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • stuh84 Member Posts: 503
    Pash wrote: »
    Tbh I could be way off the mark with this, because it's been a while.

    Isn't VLAN trunking only supported on Fast Ethernet ports? Hence why you can't communicate between the VLANs?

    But yeah, a show run would help to see more detail.

    You are correct, but this is an 877 with Fast Ethernet ports. I'm intrigued by what's in the configuration, as we do this kind of thing all the time.

    The only thing I could place it being would be that the 192.168.0.0/24 range is NAT'd, but the 192.168.10.0/24 range isn't. Do you have any "nat inside" statements on your SVIs?

    Looking over your original post, it seems you're connecting to an ISP router. Thinking about it, it may be that the ISP router has no idea about the 192.168.10.0 network, and either needs a static route placed in it (if it has the ability to), or you'd have to NAT your 192.168.10.0 traffic to appear in the 192.168.0.0 range.
    Work In Progress: CCIE R&S Written

    CCIE Progress - Hours reading - 15, hours labbing - 1
  • Futura Member Posts: 191
    Wish I had my config with me; it's really very basic.

    No NAT set up, I haven't set anything up.
    No ACLs.

    I think you have a point about the original router; there is no option to add routes to it either.

    Basically all I have done is set up the two VLANs, assign them to the relevant switch ports (2 for each VLAN), add the SVI IP addresses and then add in the static route for the default gateway of 192.168.0.1.

    Can ping 4.2.2.2 from VLAN 1 but cannot ping from VLAN 2.

    I'll get the run off it as soon as I get home.

    Had an idea about connecting ports 1 and 2 together with a crossover and setting them as trunk ports? Does this sound crazy?
  • down77 Member Posts: 1,009
    Here are a few troubleshooting steps to get you started. Start with the basics and move from there:

    Verify the physical topology
    -is everything showing up/up?

    Verify VLAN configuration
    -proper encapsulation, proper subinterfaces, proper trunk config on the switch
    -Verify VLANs are in your Vlan Database (sh vlan brief)

    Verify Layer 3 connectivity
    -Make sure BOTH vlans are showing in your routing table (most likely as directly connected)
    -Double check your default gateway
    -Double check interface config (Subnet Mask, Default Gateway) on attached workstations and/or SVIs

    Additional Troubleshooting steps:
    -From VLAN 1 can you ping the Gateway
    -From VLAN 2 can you ping its Gateway
    -From VLAN 1 can you ping an address on VLAN 2?
    -From VLAN 2 can you ping an address on VLAN 1?
    -From VLAN 1 can you ping an external address?
    -From VLAN 2 can you ping an external address?

    I know a few of the steps have already been performed, but you will always want to make sure your internal connectivity is sound before focusing on external connections. Make sure your inter-vlan connectivity is up first and chances are, that will fix your issue. After I have my morning coffee I may fire up an 1841 and post a Router on a Stick config to the ISP.
    CCIE Sec: Starting Nov 11
  • Futura Member Posts: 191
    down77 wrote: »

    Verify VLAN configuration
    -proper encapsulation, proper subinterfaces, proper trunk config on the switch
    -Verify VLANs are in your Vlan Database (sh vlan brief)


    I'm not using subinterfaces, I'm using SVIs. I don't think this 877 supports subinterfaces. It only has four ports. And there is no trunk config either. Just two VLANs.

    The VLANs show fine.

    Thanks!
  • networker050184 Mod Posts: 11,962 Mod
    I'd guess the provider router has no route back to your 192.168.10.10 range. The 192.168.0.0 network is directly connected to the provider router, hence the connectivity from that range. Give them a call and ask them to add a route and update their NAT if applicable and you will probably be good to go.
    An expert is a man who has made all the mistakes which can be made.
  • Futura Member Posts: 191
    I'd guess the provider router has no route back to your 192.168.10.10 range. The 192.168.0.0 network is directly connected to the provider router, hence the connectivity from that range. Give them a call and ask them to add a route and update their NAT if applicable and you will probably be good to go.

    This would make sense. Is there any way to confirm this?

    I was trying to set up a nice lab to carry on with the rest of the CCNA: ACLs, routing protocols and NAT. Looks like I'll have to make do.

    Shame, that. Unless you know of any other way. Did you get what it was I was trying to do with the 877: split the LAN ports so it would work like a router, instead of using the WAN and LAN ports?

    Just want a live testing system and to integrate my 3x 3550s and my 2x 1760s into it.

    Many thanks
  • networker050184 Mod Posts: 11,962 Mod
    You can confirm it by NATing everything to the 192.168.0.100 address. If that works then you pretty much know what the problem is.
  • Futura Member Posts: 191
    Many thanks for helping me out guys, I'd buy you all a beer. Problems like this help me understand stuff a whole lot more.

    Here's my experiment. I put a laptop on each VLAN subnet range and pointed the default gateways to the SVIs on each VLAN. I could ping back and forth to each laptop from each VLAN; everything working a treat.

    I could only ping the ISP router from the laptop that was in the same VLAN.

    So my theory is that the routing was working fine from VLAN to VLAN, but the ISP router does not know about the networks on other VLANs because it has no routes or routing set up. Just like you guys said; also some good troubleshooting tips that I'll keep a hold of.

    I haven't started learning NAT yet, but it's next on my list, so I'll give the NAT experiments a try.

    Thanks
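The "no route back" diagnosis from the replies above, as an added example that is not part of the thread: a constructed model of the ISP router's forwarding table with longest-prefix match. The reply to 192.168.0.100 follows the connected route, the reply to 192.168.10.10 follows the default route upstream (where an RFC 1918 destination is dropped), and adding the static route networker050184 suggests changes the outcome. Prefix and next-hop labels are assumptions.

```python
import ipaddress

# Constructed model (not from the thread) of the ISP router's forwarding
# table as the replies describe it: it knows 192.168.0.0/24 because that LAN
# is directly connected, and everything else goes to its upstream default
# route. Next hops are labels, not real addresses.
ISP_TABLE = [
    ("192.168.0.0/24", "connected: LAN towards the 877"),
    ("0.0.0.0/0", "default: upstream ISP link"),
]


def longest_prefix_match(table, dst):
    """Return the next hop for dst; most specific prefix wins, None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def reply_next_hop(table, inside_src):
    """Where the ISP router forwards the echo reply addressed back to inside_src.

    The forward direction always works because the 877 has its 0.0.0.0/0
    route; it is the return lookup on the ISP router that decides the outcome.
    """
    return longest_prefix_match(table, inside_src)


def with_route_back(table, lab_prefix="192.168.10.0/24", via="192.168.0.100"):
    """The fix suggested above: the provider adds a static route back to the
    VLAN 2 subnet via the 877's Vlan1 SVI (assumed prefix and next hop)."""
    return table + [(lab_prefix, f"static: via {via}")]


if __name__ == "__main__":
    for src in ("192.168.0.100", "192.168.10.10"):
        print(src, "->", reply_next_hop(ISP_TABLE, src))
    print("with route back:",
          reply_next_hop(with_route_back(ISP_TABLE), "192.168.10.10"))
```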
  • SteveThing Member Posts: 42 ■■□□□□□□□□
    NAT (well, PAT really) is pretty simple.

    You create an ACL which will list IPs/Subnets you want to be NAT/PAT'ed. Then you decide which interface (or SVI) is going to be the inside of your network (private IPs) and which interface is going to be the outside (internet side). Then you apply the commands. For example:

    Your inside networks could be:

    192.168.10.0/24
    192.168.100.0/24

    Your outside interface would be 192.168.0.1 which will map each inside address's connection to a destination to a specific port (usually in the 48,000+ range) until that connection is terminated.

    So HostA (192.168.100.14) googles "Snuffy Gibblets" and the outside interface would map 100.14 to port 51324 with an IP of 192.168.0.1 and talk to google on that port number. That way when google responds with "Here ya go weirdo" it will respond to your router's IP of 192.168.0.1 on port 51324. This mapping stays there until a TCP RST flag is sent from HostA or google (I think, correct me if I'm wrong).

    How to configure this is like so:

    Create standard ACL (must be standard ACL)
    Router(config)# ip access-list standard NAT_IP_LIST
    Router(config-std-nacl)# permit 192.168.10.0 255.255.255.0
    Router(config-std-nacl)# permit 192.168.100.0 255.255.255.0
    Router(config-std-nacl)# deny host 192.168.10.238 log
    ! this is an example of blocking a specific IP from getting to the internets
    ! such as an internal server
    Router(config-std-nacl)# exit
    

    Specify inside and outside interfaces:
    Router(config)# int Vlan1
    Router(config-if)# ip nat outside
    Router(config-if)# int Vlan2
    Router(config-if)# ip nat inside
    Router(config-if)# exit
    

    Apply NAT command:
    Router(config)# ip nat inside source list NAT_IP_LIST interface Vlan1 overload
    ! Vlan1 would be replaced with the OUTSIDE interface, or the one that
    ! is connected to the internets of doom
    Router(config)# exit
    

    Verify NAT translations:
    Router# show ip nat translations
    Pro Inside global      Inside local          Outside local  Outside global
    tcp 192.168.0.1:51324  192.168.100.14:51324  1.1.1.42:443   1.1.1.42:443
    

    Notice the inside local is HostA's IP and the port numbers for Inside global and Inside local are the same? That is how it keeps track of who is talking to 1.1.1.42.

    Hope that makes sense...
  • mattau Member Posts: 218
    Router(config-std-nacl)# permit 192.168.10.0 255.255.255.0
    Router(config-std-nacl)# permit 192.168.100.0 255.255.255.0
    Router(config-std-nacl)# deny host 192.168.10.238 log

    Is this right? The wildcard masks should be the other way round, shouldn't they?
    0.0.0.255

    Sorry if I am wrong :)
    _____________________________________
    CCNP ROUTE - passed 20/3/12
    CCNP SWITCH - passed 25/10/12
    CCNP TSHOOT - passed 11/12/12
  • SteveThing Member Posts: 42 ■■□□□□□□□□
    You are right... I was typing from memory. Wildcard mask, not network mask.

    My bad.
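The standard ACL plus PAT overload walk-through above, with the wildcard-mask correction, as an added example that is not SteveThing's config and not IOS: a constructed model of first-match ACL evaluation with wildcard masks and of the translation table behind "show ip nat translations". The inside global address is taken as the 877's Vlan1 SVI, 192.168.0.100; the port-collision handling is an assumption.

```python
import ipaddress

# Constructed model (not SteveThing's config, not IOS) of the standard ACL plus
# "ip nat inside source list ... overload" walk-through above. It uses the
# corrected wildcard form (0.0.0.255) and the thread's addresses; the inside
# global address is the 877's Vlan1 SVI, 192.168.0.100.
NAT_IP_LIST = [
    # IOS evaluates entries top-down, first match wins, so a host deny has to
    # come BEFORE the /24 permit that would otherwise match that host first.
    ("deny", "192.168.10.238", "0.0.0.0"),
    ("permit", "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.100.0", "0.0.0.255"),
]


def wildcard_match(ip, network, wildcard):
    """Standard-ACL semantics: a wildcard bit of 1 means 'don't care'."""
    ip, net = int(ipaddress.ip_address(ip)), int(ipaddress.ip_address(network))
    wc = int(ipaddress.ip_address(wildcard))
    return (ip & ~wc) == (net & ~wc)


def acl_permits(acl, src_ip):
    """First matching entry decides; an unmatched source hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action == "permit"
    return False


class PatTable:
    """Overload NAT: every permitted inside local shares one inside global."""

    def __init__(self, inside_global, acl):
        self.inside_global, self.acl = inside_global, acl
        self.entries = {}  # inside global port -> (inside local ip, inside local port)

    def outbound(self, src_ip, src_port):
        """Translate an inside->outside packet; None means it is sent untranslated."""
        if not acl_permits(self.acl, src_ip):
            return None
        port = src_port  # keep the source port when free, as in the show output
        while port in self.entries and self.entries[port] != (src_ip, src_port):
            port += 1  # assumed collision handling; a real box picks from a pool
        self.entries[port] = (src_ip, src_port)
        return (self.inside_global, port)

    def inbound(self, dst_port):
        """Match a returning packet (to inside global:port) back to its inside host."""
        return self.entries.get(dst_port)
```

A source the list does not permit leaves untranslated with its VLAN 2 address, which is exactly the packet the ISP router has no route back for.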
  • Futura Member Posts: 191
    SteveThing wrote: »
    NAT, (Well PAT really) is pretty simple.

    You create an ACL which will list IPs/Subnets you want to be NAT/PAT'ed. Then you decide which interface (or SVI) is going to be the inside of your network (private IPs) and which interface is going to be the outside (internet side). Then you apply the commands. For example:

    Your inside networks could be:

    192.168.10.0/24
    192.168.100.0/24

    Your outside interface would be 192.168.0.1 which will map each inside address's connection to a destination to a specific port (usually in the 48,000+ range) until that connection is terminated.

    So HostA (192.168.100.14) googles "Snuffy Gibblets" and the outside interface would map 100.14 to port 51324 with an IP of 192.168.0.1 and talk to google on that port number. That way when google responds with "Here ya go weirdo" it will respond to your router's IP of 192.168.0.1 on port 51324. This mapping stays there until a TCP RST flag is sent from HostA or google (I think, correct me if I'm wrong).

    How to configure this is like so:

    Create standard ACL (must be standard ACL)
    Router(config)# ip access-list standard NAT_IP_LIST
    Router(config-std-nacl)# permit 192.168.10.0 255.255.255.0
    Router(config-std-nacl)# permit 192.168.100.0 255.255.255.0
    Router(config-std-nacl)# deny host 192.168.10.238 log
    ! this is an example of blocking a specific IP from getting to the internets
    ! such as an internal server
    Router(config-std-nacl)# exit
    
    Specify inside and outside interfaces:
    Router(config)# int Vlan1
    Router(config-if)# ip nat outside
    Router(config-if)# int Vlan2
    Router(config-if)# ip nat inside
    Router(config-if)# exit
    
    Apply NAT command:
    Router(config)# ip nat inside source list NAT_IP_LIST interface Vlan1 overload
    ! Vlan1 would be replaced with the OUTSIDE interface, or the one that
    ! is connected to the internets of doom
    Router(config)# exit
    
    Verify NAT translations:
    Router# show ip nat translations
    Pro Inside global      Inside local          Outside local  Outside global
    tcp 192.168.0.1:51324  192.168.100.14:51324  1.1.1.42:443   1.1.1.42:443
    
    Notice the inside local is HostA's IP and the port numbers for Inside global and Inside local are the same? That is how it keeps track of who is talking to 1.1.1.42.

    Hope that makes sense...


    1 word = 'Amazing'.

    !
    interface FastEthernet0
    switchport access vlan 2
    no keepalive
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    ip address 192.168.0.100 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    !
    interface Vlan2
    ip address 192.168.10.10 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ip default-gateway 192.168.0.1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.0.1
    ip route 192.168.10.0 255.255.255.0 192.168.0.1
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT_IP_LIST interface Vlan1 overload
    !
    ip access-list standard NAT_IP_LIST
    permit 192.168.0.0 0.0.255.255
    !
    !

    I adjusted the wildcard mask to suit a few more VLANs I'm going to add.

    Game on :D
  • SteveThing Member Posts: 42 ■■□□□□□□□□
    Glad it worked for ya. I'm using the VLAN trick on my 871W since it only has an ADSL port as a physical routed port and I'm currently using a cable modem for my ISP. I really like the 800 series routers aside from that.