Options

VLAN Seperation & WAN

tehbrostatehbrosta Member Posts: 9 ■□□□□□□□□□
in CCNA & CCENT
I got my hands on some equipment and I have a personal lab I would like to accomplish.Cisco Catalysts 3750Cisco Router 1800I want to create 2 VLANs, lets say VLAN 10 and VLAN 20 with addresses of 192.168.10.x and 192.168.20.x.The router would serve DCHP to both these networks.But I do not want traffic to cross vlans. I found this video that outlines the configuration to do this but at the end he can ping the other network.Configuring DHCP With Vlans - YouTubeI'm not looking for the answer, since that would defeat the purpose of the lab. I just need to know what I'm missing.Thank you
· Share on FacebookShare on Twitter

Comments

  • Options
    jayskatajayskata Member Posts: 97 ■■□□□□□□□□
    perhaps you can create an ACLs apply it to each of your segment that would block VLAN 10 traffic from going to VLAN 20.
    · Share on FacebookShare on Twitter
  • Options
    Dieg0MDieg0M Member Posts: 861
    Do routing between the two VLAN's and create an ACL networks to permit ICMP.
    Follow my CCDE journey at www.routingnull0.com
    · Share on FacebookShare on Twitter
  • Options
    TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    Dieg0M wrote: »
    Do routing between the two VLAN's and create an ACL networks to permit ICMP.

    This and it will deny any traffic that is not icmp.
    Security Certification Roadmap
    · Share on FacebookShare on Twitter
  • Options
    Dieg0MDieg0M Member Posts: 861
    TechGuru80 wrote: »
    This and it will deny any traffic that is not icmp.
    That's what he wanted.
    Follow my CCDE journey at www.routingnull0.com
    · Share on FacebookShare on Twitter
  • Options
    tehbrostatehbrosta Member Posts: 9 ■□□□□□□□□□
    Thank you for the replies. I didn't have to mess with ACL, at least yet. I have two VLANs 10 and 20. The router is acting as a DCHP server for both these networks and when I plug a computer into each VLAN they cannot ping each other. When they are on the same VLAN they can.

    It is a Cisco 1805 Router, with FastEthernet0/0, FastEthernet0/1 and then another bank of 4. I'm using fa0/1 for LAN and fa0/0 for WAN but its not working. I think I have everything set.

    From my 10.10.0.0 network (my house, I can ping the router 10.10.0.250)

    WAN
    IP 10.10.0.250
    Sub: 255.255.255.0
    Gateway: 10.10.0.1

    DNS 8.8.8.8
    DNS 8.8.4.4

    I just realized I don't have name servers in there, but I'm not able to ping 8.8.8.8 anyway.


    nsb-router#show runn
    Building configuration...


    Current configuration : 1971 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname nsb-router
    !
    boot-start-marker
    warm-reboot
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$i1xc$Y3PYOI90Evk9/IbFMY9bw.
    enable password admin
    !
    no aaa new-model
    ip source-route
    no ip routing
    !
    !
    !
    ip dhcp pool admin
    network 192.168.10.0 255.255.255.0
    default-router 192.168.10.1
    !
    ip dhcp pool production
    network 192.168.20.0 255.255.255.0
    default-router 192.168.20.1
    !
    !
    no ip cef
    no ip domain lookup
    multilink bundle-name authenticated
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0/1/0
    shutdown
    !
    interface FastEthernet0/1/1
    shutdown
    !
    interface FastEthernet0/1/2
    shutdown
    !
    interface FastEthernet0/1/3
    shutdown
    !
    interface Cable-Modem0/0/0
    no ip address
    no ip route-cache
    shutdown
    !
    interface FastEthernet0/0
    description WAN
    ip address 10.10.0.250 255.255.255.0
    no ip route-cache
    speed auto
    half-duplex


    no mop enabled!
    interface FastEthernet0/1
    description Internal LAN
    ip address 192.168.10.1 255.255.255.0
    no ip route-cache
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.10
    encapsulation dot1Q 10
    ip address 192.168.10.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.20
    encapsulation dot1Q 20
    ip address 192.168.20.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.50
    encapsulation dot1Q 50 native
    ip address 192.168.50.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.100
    encapsulation dot1Q 100
    ip address 192.168.100.1 255.255.255.0
    no ip route-cache
    !
    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.10.0.1
    !
    !
    ip http server
    !
    !
    !
    control-plane
    !
    banner motd ^C
    Unauthorized access prohibited!
    See Administrator
    ^C
    !
    line con 0
    password cisco
    login
    line aux 0
    line vty 0 4
    password admin
    login
    !
    scheduler allocate 20000 1000
    end
    · Share on FacebookShare on Twitter
  • Options
    Dieg0MDieg0M Member Posts: 861
    Is your router plugged into a switch and the port connecting to the switch is set up as a trunk port/dot1q? What is the default gateway on your switch? What is the default gateways on your Hosts?
    Follow my CCDE journey at www.routingnull0.com
    · Share on FacebookShare on Twitter
  • Options
    tehbrostatehbrosta Member Posts: 9 ■□□□□□□□□□
    Yes, I believe this is correct.


    nbs-switch#show run
    Building configuration...


    Current configuration : 4626 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname nbs-switch
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$UWla$DxhVblY8iMwz/ygyVUXtC1
    enable password admin
    !
    !
    !
    no aaa new-model
    switch 1 provision ws-c3750-48p
    system mtu routing 1500
    !
    !
    !
    !
    !
    !
    !
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    !
    interface FastEthernet1/0/1
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/2
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/3
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/4
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/5
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/6
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/7
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/8
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/9
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/10
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/11
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/12
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/13
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/14
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/15
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/16
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/17
    switchport access vlan 20
    switchport mode access
    !
    interface FastEthernet1/0/18
    switchport access vlan 20
    switchport mode access
    !
    interface FastEthernet1/0/19
    switchport access vlan 20
    switchport mode access
    !
    interface FastEthernet1/0/20
    switchport access vlan 20




    ...






    interface FastEthernet1/0/47
    switchport mode access
    !
    interface FastEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 50
    switchport mode trunk
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface Vlan1
    ip address 192.168.10.254 255.255.255.0
    !
    interface Vlan10
    description administration
    no ip address
    !
    interface Vlan20
    description production
    no ip address
    !
    interface Vlan50
    description native
    no ip address
    !
    interface Vlan100
    description mgt
    ip address 192.168.100.2 255.255.255.0
    !
    ip default-gateway 192.168.100.1
    ip classless
    ip http server
    ip http secure-server
    !
    !
    !
    line con 0
    line vty 0 4
    password admin
    login
    line vty 5 15
    password admin
    login
    !
    end
    · Share on FacebookShare on Twitter
  • Options
    Dieg0MDieg0M Member Posts: 861
    Take the IP address off interface FastEthernet0/1 of nsb-router. Rest looks good except that theres a typo in either your switch or routers hostname name.
    Follow my CCDE journey at www.routingnull0.com
    · Share on FacebookShare on Twitter
  • Options
    tehbrostatehbrosta Member Posts: 9 ■□□□□□□□□□
    Ahh, thanks for the typo, good catch. I took the IP off fa0/1, and I added a name server. I did ipconfig /release /renew the NIC isnt getting a name server address via DHCP.

    Still no internet though.

    Any ideas?
    · Share on FacebookShare on Twitter
  • Options
    jayskatajayskata Member Posts: 97 ■■□□□□□□□□
    if it has no internet connection still..perhaps you need to activate NAT from your router in-out interface.
    · Share on FacebookShare on Twitter
  • Options
    Dieg0MDieg0M Member Posts: 861
    You don't even have a public IP address. How do you suppose you are going to communicate with the internet?
    Follow my CCDE journey at www.routingnull0.com
    · Share on FacebookShare on Twitter
  • Options
    TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    Your VLANs should have an IP address set.
    Security Certification Roadmap
    · Share on FacebookShare on Twitter
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    Why would the VLANs need IP's set on the switch?
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • Options
    tehbrostatehbrosta Member Posts: 9 ■□□□□□□□□□
    I gave it a static public IP.

    I add access list for the 10 network. Still no internet.

    Am I suppose to do something different because I have the VLANs?


    nsb-router#show run
    Building configuration...


    Current configuration : 2332 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname nsb-router
    !
    boot-start-marker
    warm-reboot
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$i1xc$Y3PYOI90Evk9/IbFMY9bw.
    enable password admin
    !
    no aaa new-model
    ip source-route
    no ip routing
    !
    !
    !
    !
    !
    ip dhcp pool admin
    network 192.168.10.0 255.255.255.0
    default-router 192.168.10.1
    dns-server 167.206.112.138 167.206.7.4
    !
    ip dhcp pool production
    network 192.168.20.0 255.255.255.0
    default-router 192.168.20.1
    dns-server 167.206.112.138 167.206.7.4
    !
    !
    no ip cef
    no ip domain lookup
    ip name-server 167.206.112.138
    ip name-server 167.206.7.4
    multilink bundle-name authenticated
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/1/0
    shutdown
    !
    interface FastEthernet0/1/1
    shutdown
    !
    interface FastEthernet0/1/2
    shutdown
    !
    interface FastEthernet0/1/3
    shutdown
    !
    interface Cable-Modem0/0/0
    no ip address
    no ip route-cache
    shutdown
    !
    interface FastEthernet0/0
    description WAN
    ip address 96.57.67.98 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    speed auto
    half-duplex
    no mop enabled
    !
    interface FastEthernet0/1
    description Internal LAN
    no ip address
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.10
    encapsulation dot1Q 10
    ip address 192.168.10.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.20
    encapsulation dot1Q 20
    ip address 192.168.20.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.50
    encapsulation dot1Q 50 native
    ip address 192.168.50.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.100
    encapsulation dot1Q 100
    ip address 192.168.100.1 255.255.255.0
    no ip route-cache
    !
    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 96.57.67.97
    !
    !
    ip http server
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip nat inside source list 2 interface FastEthernet0/0 overload
    !
    access-list 1 permit 192.168.10.0
    !
    !
    control-plane
    !
    banner motd ^C
    Unauthorized access prohibited!
    See Administrator
    ^C
    !
    line con 0
    password cisco
    login
    line aux 0
    line vty 0 4
    password admin
    login
    !
    scheduler allocate 20000 1000
    end
    · Share on FacebookShare on Twitter
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    I believe you need to put the 'ip nat inside' on your sub interfaces, not the main interface. You can check if anything is being translated with a 'show ip nat translations' command.

    One other thing it looks like you are currently only allowing the .10 sub int into your NAT.
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • Options
    TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    networker050184 wrote: »
    Why would the VLANs need IP's set on the switch?

    To designate the subnet and it's all part of the basic configuration. I don't have the config on my equipment right now but based on how routers need directions to go in one interface and out another for neighbors...I can't see it working without that set.
    Security Certification Roadmap
    · Share on FacebookShare on Twitter
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    The router does have the addresses set on the sub interfaces. There is no need to put addresses on the switch.
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • Options
    Dieg0MDieg0M Member Posts: 861
    TechGuru80 wrote: »
    To designate the subnet and it's all part of the basic configuration. I don't have the config on my equipment right now but based on how routers need directions to go in one interface and out another for neighbors...I can't see it working without that set.
    TechGuru, L2 is beeing done up to the router. No IP is needed because the frames are tagged with the VLAN ID.
    Follow my CCDE journey at www.routingnull0.com
    · Share on FacebookShare on Twitter
Sign In or Register to comment.