
887VA Internal IP Configuration

esprit1987
Level 1

Hi,

Hope you can help.

I am installing an 877VA and connecting it to a 3750 core, and I need to access video streams over VPN on 3 internal inter-routed VLANs...

VLAN1 = 192.168.153.1/24
VLAN2 = 192.168.150.254/24
VLAN3 = 192.168.151.254/24

I have my 877 working over VPN but I'm stuck on how best to access resources on my internal network above. As it stands I can only connect to my test subnet of 10.10.10.0 255.255.255.248. I have included my initial config below...

version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
ip dhcp excluded-address 10.10.10.4 10.10.10.6
!
ip dhcp pool cvo-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
dns-server 8.8.8.8 8.4.4.8
lease 0 2
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.8
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
controller VDSL 0
no cdp run
!
!
class-map type inspect match-all INTERNAL_DOMAIN_FILTER
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group ******************
key ************
pool vpn_client_pool
acl vpn_resources
max-users 10
crypto isakmp profile vpn_ike_profile
match identity group *************
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set vpn_transform esp-3des esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile vpn_profile
set transform-set vpn_transform
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description PrimaryWANDesc_WAN
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn_profile
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$CVO$
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
description PrimaryWANDesc_WAN_0.1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp mtu adaptive
ppp authentication chap callin
ppp chap hostname ************************
ppp chap password 0 **************************
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
ip local pool vpn_client_pool 10.10.10.4 10.10.10.6
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 10 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended vpn_resources
permit ip 10.10.10.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 remark nat-pool
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 remark vty
access-list 23 deny any log
!
!
!
ipv6 access-list V6-FILTER
permit icmp any any
deny ipv6 any any log
!
ipv6 access-list ipv6_deny
deny ipv6 any any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!

!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
ipv6 access-class ipv6_deny in
transport input telnet
escape-character 3
!
scheduler allocate 20000 1000
!
!
!
!
!
!
end

2 Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello esprit1987,

the first step is to create a shared IP subnet between the 877VA and the C3750 core switch.

The best thing is to add a new Vlan like vlan 50 on both devices.

877VA

config t
vlan 50
name to-core
exit
interface vlan 50
ip address 10.10.50.1 255.255.255.0
no shut

interface fastethernet3
description to switch 3750 port gi1/0/X
switchport
switchport mode access
switchport access vlan 50
!

Then you need to add three static routes to the internal networks, with the C3750 Vlan50 IP address as next hop:

ip route 192.168.153.0 255.255.255.0 10.10.50.2
ip route 192.168.150.0 255.255.255.0 10.10.50.2
ip route 192.168.151.0 255.255.255.0 10.10.50.2

On the switch C3750 you do the following:

config t
vlan 50
name tocore
exit
interface vlan 50
desc to router 877VA
ip address 10.10.50.2 255.255.255.0
no shut

int gi1/0/12
description to router 877VA:fas3
switchport
switchport mode access
switchport access vlan 50
no shut
!

On the C3750 you will have a default route pointing to the 877VA address in Vlan 50:

ip route 0.0.0.0 0.0.0.0 10.10.50.1

At this point you should be able to ping from network 10.10.10.1 to each internal network.

B) VPN extension

You are using the IPsec VPN as remote access; the current ACL should be modified to also allow access to the internal networks added in section a) as static routes:

ip access-list extended vpn_resources
permit ip 10.10.10.0 0.0.0.255 any
! lines to be added if needed:
permit ip 192.168.153.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
permit ip 192.168.151.0 0.0.0.255 any

note: I'm not sure these additional lines are needed

Hope to help

Giuseppe

Hello esprit1987,

connect two unused FastE ports on the 877VA with a crossover LAN cable; this should make one port the STP Designated port for Vlan1 and the other blocked, and SVI Vlan1 should come up/up (remove spanning-tree portfast on both ports before doing this to avoid the possible creation of a bridging loop!!!)

Note: a straight cable may work if the FE ports support auto cross connect MDI-X.

Hope to help

Giuseppe

8 Replies

Hello,

I assume the 3750 is doing the inter-Vlan routing? Can the Vlans on the 3750 reach the 10.10.10.0/29 address space defined on the router?

One thing: you cannot have Vlan1 on both the router and the switch in two different address spaces.

Best to post the full configuration of your 3750 as well...

Thanks for your prompt reply.

That's correct, my 3750 is doing the inter-VLAN routing. Unfortunately I couldn't ping anything outside of my VPN or vice versa. I did try creating a VLAN 10 interface to solve this issue of the VLAN1 conflict but no joy. Must be something I'm missing.

Here is my 3750 config...

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW-5
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
ip address 192.168.140.1 255.255.255.0
!
interface GigabitEthernet0/1
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/5
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/6
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/7
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/8
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/9
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/10
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/11
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/12
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/13
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/14
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/15
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/16
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/17
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/18
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/19
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/20
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/21
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/22
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/23
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/24
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/25
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/26
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/27
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/28
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/29
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/30
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/31
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/32
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/33
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/34
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/35
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/36
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/37
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/38
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/39
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/40
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/41
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/42
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/43
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/44
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/45
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/46
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/47
description Building 5 LAN
switchport access vlan 2
switchport mode access
auto qos voip trust
spanning-tree portfast
!
interface GigabitEthernet0/48
description P2P LINK BUILDING 4
switchport trunk encapsulation dot1q
switchport trunk native vlan 3
switchport mode trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/49
switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface TenGigabitEthernet0/1
switchport trunk encapsulation dot1q
!
interface TenGigabitEthernet0/2
description P2P LINK BUILDING 3
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface Vlan1
ip address 192.168.153.1 255.255.255.0
!
interface Vlan2
description BUILDING 5
ip address 192.168.150.254 255.255.255.0
!
interface Vlan3
description BUILDING 4
ip address 192.168.151.254 255.255.255.0
!
ip classless
ip route 192.168.151.0 255.255.255.0 192.168.151.1
ip route 192.168.153.0 255.255.255.0 192.168.153.254
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password ********
login
length 0
line vty 5 15
login
length 0

 

Hello,

while I was working on the specifics, it looks like Giuseppe already provided the answer. Either way, I'll post what I have come up with anyway; sorry if I am being redundant.

I have summarized your 192.168.x.x networks into one statement; if you don't want that, you need to specify each subnet on a separate line. I have also added the internal networks connected to your switch to the NAT access list, so they can access the Internet (optional of course, if you don't want that).

Changes/additions are marked in bold:

Router

version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
ip dhcp excluded-address 10.10.10.4 10.10.10.6
!
ip dhcp pool cvo-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
dns-server 8.8.8.8 8.4.4.8
lease 0 2
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.8
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
controller VDSL 0
no cdp run
!
class-map type inspect match-all INTERNAL_DOMAIN_FILTER
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group ******************
key ************
pool vpn_client_pool
acl vpn_resources
max-users 10
crypto isakmp profile vpn_ike_profile
match identity group *************
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set vpn_transform esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile vpn_profile
set transform-set vpn_transform
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description PrimaryWANDesc_WAN
pvc 0/38
pppoe-client dial-pool-number 1
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description Downlink to 3750 Switch
switchport mode access
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn_profile
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$CVO$
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Vlan4
description Downlink to 3750 Switch
ip address 172.16.1.1 255.255.255.252
ip nat inside
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
description PrimaryWANDesc_WAN_0.1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp mtu adaptive
ppp authentication chap callin
ppp chap hostname ************************
ppp chap password 0 **************************
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
ip local pool vpn_client_pool 10.10.10.4 10.10.10.6
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 10 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.144.0 255.255.240.0 172.16.1.2
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended vpn_resources
permit ip 10.10.10.0 0.0.0.255 any
permit ip 192.168.144.0 0.0.15.255 any
!
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 192.168.144.0 0.0.15.255
access-list 10 remark nat-pool
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 remark vty
access-list 23 deny any log
!
ipv6 access-list V6-FILTER
permit icmp any any
deny ipv6 any any log
!
ipv6 access-list ipv6_deny
deny ipv6 any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
ipv6 access-class ipv6_deny in
transport input telnet
escape-character 3
!
scheduler allocate 20000 1000
!
end

 

Switch

 

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW-5
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
ip address 192.168.140.1 255.255.255.0
!
interface GigabitEthernet0/1
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/5
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/6
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/7
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/8
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/9
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/10
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/11
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/12
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/13
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/14
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/15
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/16
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/17
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/18
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/19
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/20
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/21
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/22
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/23
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/24
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/25
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/26
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/27
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/28
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/29
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/30
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/31
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/32
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/33
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/34
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/35
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/36
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/37
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/38
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/39
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/40
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/41
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/42
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/43
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/44
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/45
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/46
description Building 5 LAN
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/47
description Building 5 LAN
switchport access vlan 2
switchport mode access
auto qos voip trust
spanning-tree portfast
!
interface GigabitEthernet0/48
description P2P LINK BUILDING 4
switchport trunk encapsulation dot1q
switchport trunk native vlan 3
switchport mode trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/49
switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/50
description Uplink to Router
switchport mode access
switchport access vlan 4
spanning-tree portfast
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface TenGigabitEthernet0/1
switchport trunk encapsulation dot1q
!
interface TenGigabitEthernet0/2
description P2P LINK BUILDING 3
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface Vlan1
ip address 192.168.153.1 255.255.255.0
!
interface Vlan2
description BUILDING 5
ip address 192.168.150.254 255.255.255.0
!
interface Vlan3
description BUILDING 4
ip address 192.168.151.254 255.255.255.0
!
interface Vlan4
description Uplink to Router
ip address 172.16.1.2 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 192.168.151.0 255.255.255.0 192.168.151.1
ip route 192.168.153.0 255.255.255.0 192.168.153.254
ip http server
!
control-plane
!
line con 0
line vty 0 4
password ********
login
length 0
line vty 5 15
login
length 0

Giuseppe Larosa
Hall of Fame

Hello esprit1987,

the first step is to create a shared IP subnet between the 877VA and the C3750 core switch.

The best thing is to add a new Vlan, like vlan 50, on both devices.

 

877VA

config t
vlan 50
name to-core
exit
interface vlan 50
ip address 10.10.50.1 255.255.255.0
no shut
!
interface fastethernet3
description to switch 3750 port gi1/0/X
switchport
switchport mode access
switchport access vlan 50
!

Then you need to add three static routes to the internal networks with the C3750 Vlan 50 IP address as next hop:

 

ip route 192.168.153.0 255.255.255.0 10.10.50.2
ip route 192.168.150.0 255.255.255.0 10.10.50.2
ip route 192.168.151.0 255.255.255.0 10.10.50.2

 

On the switch C3750 you do the following:

 

config t
vlan 50
name tocore
exit
interface vlan 50
description to router 877VA
ip address 10.10.50.2 255.255.255.0
no shut
!
int gi1/0/12
description to router 877VA:fas3
switchport
switchport mode access
switchport access vlan 50
no shut
!

On the C3750 you will have a default route pointing to the 877VA address in Vlan 50:

ip route 0.0.0.0 0.0.0.0 10.10.50.1

 

At this point you should be able to ping from network 10.10.10.1 to each internal network.

 

B) VPN extension

 

You are using the IPSEC VPN as remote access; the current ACL should be modified to also allow access to the internal networks added in section a) as static routes:

 

ip access-list extended vpn_resources
permit ip 10.10.10.0 0.0.0.255 any
! lines to be added if needed:
permit ip 192.168.153.0 0.0.0.255 any
permit ip 192.168.150.0 0.0.0.255 any
permit ip 192.168.151.0 0.0.0.255 any

 

Note: I'm not sure these additional lines are needed.

 

Hope to help

Giuseppe
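As an added worked check (this is not part of the thread and not Cisco code): the procedure above boils down to three things that must all line up before a VPN client can reach a building VLAN, namely a static route on the 877VA towards the C3750 in Vlan 50, a return route on the C3750 towards the VPN pool, and an ACL entry for that subnet. The Python below parses those three pieces out of IOS-style config text and reports which subnet is missing which piece. All function names are this example's own; the config text is constructed to mirror the reply (the 192.168.151.0 ACL entry is left out on purpose so the check has something to flag), the 10.10.50.0/24 transit VLAN comes from the reply and the 10.10.10.0/29 pool from the cvo-pool in the question.

```python
"""Offline check of the transit-VLAN design described above.
Added example, not from the thread or from Cisco: parses static routes and an
extended ACL from IOS-style config text and reports per-subnet problems."""
import ipaddress

# Constructed 877VA snippet mirroring the reply above. The third ACL entry
# (192.168.151.0) is deliberately left out so the check has something to report.
ROUTER_CONFIG = """\
ip route 192.168.153.0 255.255.255.0 10.10.50.2
ip route 192.168.150.0 255.255.255.0 10.10.50.2
ip route 192.168.151.0 255.255.255.0 10.10.50.2
ip access-list extended vpn_resources
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 192.168.153.0 0.0.0.255 any
 permit ip 192.168.150.0 0.0.0.255 any
"""
# Constructed C3750 snippet: default route towards the 877VA in Vlan 50.
SWITCH_CONFIG = "ip route 0.0.0.0 0.0.0.0 10.10.50.1\n"

TRANSIT_VLAN = ipaddress.ip_network("10.10.50.0/24")  # Vlan 50 from the reply
VPN_POOL = ipaddress.ip_network("10.10.10.0/29")      # cvo-pool from the question
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("192.168.153.0/24", "192.168.150.0/24", "192.168.151.0/24")]


def parse_routes(config):
    """Return [(prefix, next_hop)] for each 'ip route NET MASK NEXTHOP' line.
    ipaddress reads '0.0.0.0 0.0.0.0' as a /0 netmask, which is what we want.
    Static routes that name an interface instead of an address are skipped."""
    routes = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["ip", "route"] and len(tokens) >= 5:
            try:
                prefix = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
                routes.append((prefix, ipaddress.ip_address(tokens[4])))
            except ValueError:
                continue
    return routes


def source_network(tokens):
    """Source of a 'permit ip ...' entry as a network. Wildcards are inverted
    explicitly so that a 0.0.0.0 wildcard means one host, not 0.0.0.0/0."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32")
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False)


def parse_acl(config, name):
    """Return the source networks permitted by the named extended ACL."""
    permitted, in_acl = [], False
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            in_acl = len(tokens) > 3 and tokens[3] == name
        elif in_acl and tokens[:2] == ["permit", "ip"]:
            permitted.append(source_network(tokens[2:]))
        elif in_acl and tokens and not line[0].isspace():
            in_acl = False  # any unindented line ends the ACL block
    return permitted


def longest_match(routes, dest):
    """Most specific (prefix, next_hop) containing dest, or None."""
    matches = [r for r in routes if dest.subnet_of(r[0])]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def check_design(router_cfg, switch_cfg, acl_name, transit, vpn_pool, subnets):
    """Map each internal subnet, plus the 'return path' from the switch to the
    VPN pool, to a list of problems; an empty list means that leg is fine."""
    routes = parse_routes(router_cfg)
    acl = parse_acl(router_cfg, acl_name)
    problems = {}
    for subnet in subnets:
        issues = []
        fwd = longest_match(routes, subnet)
        if fwd is None:
            issues.append("no route on the router")
        elif fwd[1] not in transit:
            issues.append(f"router next hop {fwd[1]} is outside {transit}")
        if not any(subnet.subnet_of(p) for p in acl):
            issues.append(f"ACL {acl_name} does not permit {subnet}")
        problems[str(subnet)] = issues
    back = longest_match(parse_routes(switch_cfg), vpn_pool)
    problems["return path"] = (
        [] if back is not None and back[1] in transit
        else [f"switch has no route to {vpn_pool} via {transit}"])
    return problems


if __name__ == "__main__":
    report = check_design(ROUTER_CONFIG, SWITCH_CONFIG, "vpn_resources",
                          TRANSIT_VLAN, VPN_POOL, INTERNAL_SUBNETS)
    for leg, issues in report.items():
        print(f"{leg:18} {'OK' if not issues else '; '.join(issues)}")
```

Run as-is it prints OK for 192.168.153.0/24, 192.168.150.0/24 and the return path, and flags the missing ACL entry for 192.168.151.0/24. To point it at a real `show running-config`, paste the router output into ROUTER_CONFIG and the switch output into SWITCH_CONFIG; static routes written with an outgoing interface instead of a next-hop address are skipped by this parser, so they would show up as "no route on the router".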
Looks positive, much appreciated.
I'll give this a go and I will update with progress...

Hi Both,

I think we're nearly there with the config provided; however, I cannot ping across from 10.10.10.0 from the VPN connection because, now that I am using FE3 as VLAN 50 to the 3750, the VLAN1 interface is down. How do I keep this interface UP when nothing is plugged into a VLAN1 port?

Hello esprit1987,

connect two unused FastE ports on the 877VA with a crossover LAN cable; this should make one port the STP designated port for Vlan1 and the other blocked, and SVI Vlan1 should come up/up (remove spanning-tree portfast on both ports before doing this to avoid the possible creation of a bridging loop!!!)

Note: a straight cable may work if FE ports support auto cross connect MDI-X.

 

 

Hope to help

Giuseppe

 

Thanks for your assistance, all working okay. Now to live deployment...