VLAN Separation & WAN

tehbrosta Member Posts: 9
I got my hands on some equipment and I have a personal lab I would like to accomplish.

Cisco Catalyst 3750
Cisco Router 1800

I want to create 2 VLANs, let's say VLAN 10 and VLAN 20 with addresses of 192.168.10.x and 192.168.20.x. The router would serve DHCP to both these networks. But I do not want traffic to cross VLANs. I found this video that outlines the configuration to do this but at the end he can ping the other network.

Configuring DHCP With Vlans - YouTube

I'm not looking for the answer, since that would defeat the purpose of the lab. I just need to know what I'm missing.

Thank you

Comments

  • jayskata Member Posts: 97
    Perhaps you can create ACLs and apply them to each of your segments that would block VLAN 10 traffic from going to VLAN 20.
  • Dieg0M Member Posts: 861
    Do routing between the two VLANs and create an ACL on the networks to permit ICMP.
    Follow my CCDE journey at www.routingnull0.com
  • TechGuru80 Member Posts: 1,539
    Dieg0M wrote: »
    Do routing between the two VLANs and create an ACL on the networks to permit ICMP.

    This and it will deny any traffic that is not ICMP.
  • Dieg0M Member Posts: 861
    TechGuru80 wrote: »
    This and it will deny any traffic that is not ICMP.
    That's what he wanted.
    Follow my CCDE journey at www.routingnull0.com
  • tehbrosta Member Posts: 9
    Thank you for the replies. I didn't have to mess with ACLs, at least yet. I have two VLANs, 10 and 20. The router is acting as a DHCP server for both these networks and when I plug a computer into each VLAN they cannot ping each other. When they are on the same VLAN they can.

    It is a Cisco 1805 Router, with FastEthernet0/0, FastEthernet0/1 and then another bank of 4. I'm using fa0/1 for LAN and fa0/0 for WAN but it's not working. I think I have everything set.

    From my 10.10.0.0 network (my house, I can ping the router 10.10.0.250)

    WAN
    IP 10.10.0.250
    Sub: 255.255.255.0
    Gateway: 10.10.0.1

    DNS 8.8.8.8
    DNS 8.8.4.4

    I just realized I don't have name servers in there, but I'm not able to ping 8.8.8.8 anyway.


    nsb-router#show runn
    Building configuration...


    Current configuration : 1971 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname nsb-router
    !
    boot-start-marker
    warm-reboot
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$i1xc$Y3PYOI90Evk9/IbFMY9bw.
    enable password admin
    !
    no aaa new-model
    ip source-route
    no ip routing
    !
    !
    !
    ip dhcp pool admin
    network 192.168.10.0 255.255.255.0
    default-router 192.168.10.1
    !
    ip dhcp pool production
    network 192.168.20.0 255.255.255.0
    default-router 192.168.20.1
    !
    !
    no ip cef
    no ip domain lookup
    multilink bundle-name authenticated
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0/1/0
    shutdown
    !
    interface FastEthernet0/1/1
    shutdown
    !
    interface FastEthernet0/1/2
    shutdown
    !
    interface FastEthernet0/1/3
    shutdown
    !
    interface Cable-Modem0/0/0
    no ip address
    no ip route-cache
    shutdown
    !
    interface FastEthernet0/0
    description WAN
    ip address 10.10.0.250 255.255.255.0
    no ip route-cache
    speed auto
    half-duplex
    no mop enabled
    !
    interface FastEthernet0/1
    description Internal LAN
    ip address 192.168.10.1 255.255.255.0
    no ip route-cache
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.10
    encapsulation dot1Q 10
    ip address 192.168.10.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.20
    encapsulation dot1Q 20
    ip address 192.168.20.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.50
    encapsulation dot1Q 50 native
    ip address 192.168.50.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.100
    encapsulation dot1Q 100
    ip address 192.168.100.1 255.255.255.0
    no ip route-cache
    !
    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.10.0.1
    !
    !
    ip http server
    !
    !
    !
    control-plane
    !
    banner motd ^C
    Unauthorized access prohibited!
    See Administrator
    ^C
    !
    line con 0
    password cisco
    login
    line aux 0
    line vty 0 4
    password admin
    login
    !
    scheduler allocate 20000 1000
    end
  • Dieg0M Member Posts: 861
    Is your router plugged into a switch and the port connecting to the switch is set up as a trunk port/dot1q? What is the default gateway on your switch? What is the default gateways on your Hosts?
    Follow my CCDE journey at www.routingnull0.com
  • tehbrosta Member Posts: 9
    Yes, I believe this is correct.


    nbs-switch#show run
    Building configuration...


    Current configuration : 4626 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname nbs-switch
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$UWla$DxhVblY8iMwz/ygyVUXtC1
    enable password admin
    !
    !
    !
    no aaa new-model
    switch 1 provision ws-c3750-48p
    system mtu routing 1500
    !
    !
    !
    !
    !
    !
    !
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    !
    interface FastEthernet1/0/1
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/2
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/3
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/4
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/5
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/6
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/7
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/8
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/9
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/10
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/11
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/12
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/13
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/14
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/15
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/16
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet1/0/17
    switchport access vlan 20
    switchport mode access
    !
    interface FastEthernet1/0/18
    switchport access vlan 20
    switchport mode access
    !
    interface FastEthernet1/0/19
    switchport access vlan 20
    switchport mode access
    !
    interface FastEthernet1/0/20
    switchport access vlan 20
    ...
    interface FastEthernet1/0/47
    switchport mode access
    !
    interface FastEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 50
    switchport mode trunk
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface Vlan1
    ip address 192.168.10.254 255.255.255.0
    !
    interface Vlan10
    description administration
    no ip address
    !
    interface Vlan20
    description production
    no ip address
    !
    interface Vlan50
    description native
    no ip address
    !
    interface Vlan100
    description mgt
    ip address 192.168.100.2 255.255.255.0
    !
    ip default-gateway 192.168.100.1
    ip classless
    ip http server
    ip http secure-server
    !
    !
    !
    line con 0
    line vty 0 4
    password admin
    login
    line vty 5 15
    password admin
    login
    !
    end
  • Dieg0M Member Posts: 861
    Take the IP address off interface FastEthernet0/1 of nsb-router. The rest looks good except that there's a typo in either your switch's or your router's hostname.
    Follow my CCDE journey at www.routingnull0.com
  • tehbrosta Member Posts: 9
    Ahh, thanks for the typo, good catch. I took the IP off fa0/1, and I added a name server. I did ipconfig /release /renew; the NIC isn't getting a name server address via DHCP.

    Still no internet though.

    Any ideas?
  • jayskata Member Posts: 97
    If it still has no internet connection, perhaps you need to activate NAT on your router's in/out interfaces.
  • Dieg0M Member Posts: 861
    You don't even have a public IP address. How do you suppose you are going to communicate with the internet?
    Follow my CCDE journey at www.routingnull0.com
  • TechGuru80 Member Posts: 1,539
    Your VLANs should have an IP address set.
  • networker050184 Mod Posts: 11,962
    Why would the VLANs need IP's set on the switch?
    An expert is a man who has made all the mistakes which can be made.
  • tehbrosta Member Posts: 9
    I gave it a static public IP.

    I added an access list for the 10 network. Still no internet.

    Am I supposed to do something different because I have the VLANs?


    nsb-router#show run
    Building configuration...


    Current configuration : 2332 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname nsb-router
    !
    boot-start-marker
    warm-reboot
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$i1xc$Y3PYOI90Evk9/IbFMY9bw.
    enable password admin
    !
    no aaa new-model
    ip source-route
    no ip routing
    !
    !
    !
    !
    !
    ip dhcp pool admin
    network 192.168.10.0 255.255.255.0
    default-router 192.168.10.1
    dns-server 167.206.112.138 167.206.7.4
    !
    ip dhcp pool production
    network 192.168.20.0 255.255.255.0
    default-router 192.168.20.1
    dns-server 167.206.112.138 167.206.7.4
    !
    !
    no ip cef
    no ip domain lookup
    ip name-server 167.206.112.138
    ip name-server 167.206.7.4
    multilink bundle-name authenticated
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/1/0
    shutdown
    !
    interface FastEthernet0/1/1
    shutdown
    !
    interface FastEthernet0/1/2
    shutdown
    !
    interface FastEthernet0/1/3
    shutdown
    !
    interface Cable-Modem0/0/0
    no ip address
    no ip route-cache
    shutdown
    !
    interface FastEthernet0/0
    description WAN
    ip address 96.57.67.98 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    speed auto
    half-duplex
    no mop enabled
    !
    interface FastEthernet0/1
    description Internal LAN
    no ip address
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.10
    encapsulation dot1Q 10
    ip address 192.168.10.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.20
    encapsulation dot1Q 20
    ip address 192.168.20.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.50
    encapsulation dot1Q 50 native
    ip address 192.168.50.1 255.255.255.0
    no ip route-cache
    !
    interface FastEthernet0/1.100
    encapsulation dot1Q 100
    ip address 192.168.100.1 255.255.255.0
    no ip route-cache
    !
    interface Vlan1
    no ip address
    no ip route-cache
    shutdown
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 96.57.67.97
    !
    !
    ip http server
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip nat inside source list 2 interface FastEthernet0/0 overload
    !
    access-list 1 permit 192.168.10.0
    !
    !
    control-plane
    !
    banner motd ^C
    Unauthorized access prohibited!
    See Administrator
    ^C
    !
    line con 0
    password cisco
    login
    line aux 0
    line vty 0 4
    password admin
    login
    !
    scheduler allocate 20000 1000
    end
  • networker050184 Mod Posts: 11,962
    I believe you need to put the 'ip nat inside' on your sub interfaces, not the main interface. You can check if anything is being translated with a 'show ip nat translations' command.

    One other thing: it looks like you are currently only allowing the .10 sub int into your NAT.
    An expert is a man who has made all the mistakes which can be made.
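    A corrected version of the relevant parts of nsb-router's config, added here as an example and not taken from the thread (it assumes the interface names, VLAN IDs, subnets and WAN addressing from the posted show run), combining the two NAT points above with two other things visible in the posted config:

```cisco
! Added example (not the thread author's config): corrected router-on-a-stick
! and PAT for nsb-router, assuming the interface names, VLAN IDs, subnets and
! WAN addressing from the posted show run.
!
! 1. The posted config has "no ip routing": until routing is enabled the router
!    neither forwards between sub-interfaces nor uses its static default route.
ip routing
ip cef
!
! 2. With routing on, the router WILL forward VLAN 10 <-> VLAN 20. Deny only
!    that pair and keep everything else (internet via NAT) permitted.
ip access-list extended VLAN10-IN
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN20-IN
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
! 3. "ip nat inside" goes on the sub-interfaces carrying the tagged VLAN
!    traffic, not on the untagged parent interface.
interface FastEthernet0/1
 no ip address
 no ip nat inside
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-IN in
 ip nat inside
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group VLAN20-IN in
 ip nat inside
!
interface FastEthernet0/0
 description WAN
 ip nat outside
!
! 4. "access-list 1 permit 192.168.10.0" has no wildcard mask, so it matches only
!    the single host 192.168.10.0. One list with wildcards covers both subnets,
!    and one NAT statement is enough (the posted "list 2" was never defined).
no ip nat inside source list 2 interface FastEthernet0/0 overload
no access-list 1
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
```

    With FastEthernet0/0 now holding a public address, the posted `ip http server` and the telnet vty lines with password `admin` are reachable from the internet, so disable the HTTP server and put an access-class on the vty lines before leaving this up.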
  • TechGuru80 Member Posts: 1,539
    networker050184 wrote: »
    Why would the VLANs need IP's set on the switch?

    To designate the subnet and it's all part of the basic configuration. I don't have the config on my equipment right now but based on how routers need directions to go in one interface and out another for neighbors...I can't see it working without that set.
  • networker050184 Mod Posts: 11,962
    The router does have the addresses set on the sub interfaces. There is no need to put addresses on the switch.
    An expert is a man who has made all the mistakes which can be made.
  • Dieg0M Member Posts: 861
    TechGuru80 wrote: »
    To designate the subnet and it's all part of the basic configuration. I don't have the config on my equipment right now but based on how routers need directions to go in one interface and out another for neighbors...I can't see it working without that set.
    TechGuru, L2 is being done up to the router. No IP is needed because the frames are tagged with the VLAN ID.
    Follow my CCDE journey at www.routingnull0.com