Cisco Router 1800/Cisco Switch 2960

j_j624001
Level 1

Hello;

I hope someone can provide me with extreme help on getting an internal network up and running. I had one internal network up and running before, but it seemed like my second network was lagging and timing out. Then one day at work I had a power surge; when I got home, it had caused a major shutdown of all my equipment, and I was unable to save the configuration on my router and switch. So at this point I'm kinda stuck on what else I need to do. I was able to do a test on one of my computers; at first the DHCP on my router was unable to provide my computer an IP address, so I had to change my computer to a static IP in order to connect to my router. Once it was connected to my router I was unable to connect to the internet, and after reviewing my configuration on the switch and router I was unable to pinpoint whether the problem was on the switch or on the router. Hopefully someone can provide some advice on what I need to do or change in order to get my internal network up and running. Listed below is the configuration of my router and switch. Please help!!!!!!!!!

Router config

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
clock calendar-valid
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.49
ip dhcp excluded-address 10.10.0.75 10.10.0.255
!
ip dhcp pool R_POOL
   import all
   network 10.10.0.0 255.255.255.0
   update dns
   default-router 10.10.0.1
   dns-server 192.168.0.1
   domain-name R.com
   update arp
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.80 255.255.255.0
 ip access-group 100 out
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 vlan-id dot1q 192
  description OUT
  pppoe enable
 exit-vlan-config
!
interface FastEthernet1
 ip address 10.10.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 vlan-id dot1q 10
  description IN
  pppoe enable
 exit-vlan-config
!
interface FastEthernet1.92
 description OUT
 encapsulation dot1Q 192
 ip address dhcp client-id FastEthernet0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 pppoe enable group global
!
interface Vlan192
 no ip address
 ip verify unicast source reachable-via any
 ip mask-reply
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
!
interface Vlan10
 no ip address
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 (Public IP)
!
ip nat pool pool1 192.168.0.80 192.168.0.255 netmask 0.0.0.0
ip nat inside source list 100 pool pool1
!
access-list 100 remark NAT Rule
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq domain any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq www any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq 443 any
access-list 100 permit tcp 0.0.0.0 255.255.255.0 eq 8080 any
access-list 100 permit ip 0.0.0.1 255.255.255.0 any
access-list 100 permit udp 0.0.0.1 255.255.255.0 any
access-list 100 permit tcp 0.0.0.1 255.255.255.0 any

Switch Config

hostname S1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1998
no ip subnet-zero
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/12
 description test 192
 switchport access vlan 192
 switchport trunk native vlan 192
 switchport trunk allowed vlan 192
 switchport trunk pruning vlan 192
 switchport mode trunk
 switchport nonegotiate
 switchport port-security mac-address sticky
 shutdown
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface FastEthernet0/12
 description test 10
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
 switchport trunk pruning vlan 10
 switchport mode trunk
 switchport nonegotiate
 switchport port-security mac-address sticky
 shutdown
 speed 100
 duplex full
 spanning-tree portfast trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
 description Out-to-WAN
 switchport access vlan 192
 switchport trunk native vlan 192
 switchport trunk allowed vlan 192
 switchport trunk pruning vlan 192
 switchport mode trunk
 switchport nonegotiate
 switchport port-security mac-address sticky
 speed 1000
 duplex full
 spanning-tree portfast
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
 description TRUNK-to-FE0/1
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
 switchport trunk pruning vlan 10
 switchport mode trunk
 switchport nonegotiate
 switchport port-security mac-address sticky
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface Vlan10
 description IN
 ip address 10.10.0.2 255.255.255.0
 ip mask-reply
 ip information-reply
 ip security dedicated unclassified genser
 ip security add
 ip security first
 no ip route-cache
 spanning-tree portfast trunk
!
interface Vlan192
 description OUT
 ip address dhcp client-id Vlan192
 ip mask-reply
 ip information-reply
 ip accounting output-packets
 ip security dedicated unclassified genser
 ip security add
 ip security first
 no ip route-cache
 ip tcp adjust-mss 1460
 spanning-tree portfast trunk

50 Replies

Both router and switch configurations are empty?

I did not get your last question. Connect to what?

Set these commands on your router. Then,

interface FastEthernet0
 description OUT
 ip address 192.168.0.80 255.255.255.0
 ip nat outside
 no sh
!
interface FastEthernet1
 description LAN
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 no sh
!
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1

Ping 10.10.0.1 from a client.

Ping 192.168.0.1 from the router.

If both pings work, check the internet from the PC. Configure the IP and DNS manually on that PC.

Yes, router and switch configurations were empty.

Yes, my switch has two gigabit ports, 0/1 and 0/2; so I was wondering, do I need to connect to gigabit port 0/2??

Yes, from the router I can ping both; but on my test laptop I can't ping 10.10.0.1.

C:\Users\zzle>ping 10.10.0.1

Pinging 10.10.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.10.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

It does not matter. You can connect to any port of the switch you like.

Your laptop is connected to which port? Is it connected to one of the switch interfaces?

Check the IP of your laptop; it must be 10.10.0.X.

Check interface FastEthernet1. It must be up.

OK, just curious about that additional switch gigabit port; no worries there.

My laptop is now connected to switch port fa0/11 for testing purposes, like what we're doing now. Yes, interface fa0/11; but sorry, my fault, slow moment there lol.

I'm able to ping fa1 on my router from my laptop; I forgot to connect to my switch. Sorry lol.

Pinging 10.10.0.1 with 32 bytes of data:
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255
Reply from 10.10.0.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.10.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

You must have internet on your laptop if you have set the IP, default gateway and DNS on your laptop.

Can you ping 4.2.2.4 or 8.8.8.8 on your laptop?

Yes, I can ping both IP addresses from my laptop; yes, I have internet access; but no, I didn't set any IP or default GW on my laptop; my router picked it up, which is strange because I don't have DHCP in my router config yet.

Pinging 4.2.2.4 with 32 bytes of data:
Reply from 4.2.2.4: bytes=32 time=53ms TTL=53
Reply from 4.2.2.4: bytes=32 time=27ms TTL=53
Reply from 4.2.2.4: bytes=32 time=35ms TTL=53
Reply from 4.2.2.4: bytes=32 time=32ms TTL=53

Ping statistics for 4.2.2.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 53ms, Average = 36ms

C:\Users\zzle>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=28ms TTL=49
Reply from 8.8.8.8: bytes=32 time=30ms TTL=49
Reply from 8.8.8.8: bytes=32 time=44ms TTL=49
Reply from 8.8.8.8: bytes=32 time=39ms TTL=49

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 28ms, Maximum = 44ms, Average = 35ms

Building configuration...

Current configuration : 1804 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.80 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet1
 description LAN
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex

ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255

I do not think your router is giving out IPs. Try another client.

You are all set, with only a few lines of configuration.

1- Add DHCP configuration to your router.

2- On the switch:

   interface Vlan1
    ip address 10.10.0.2 255.255.0.0   [make sure this IP is available]
    no shut

3- On both:

   ip domain-name test.com   [name is not important]
   ip ssh version 2
   crypto key generate rsa   [several enter]
   username xxxx secret xxxx
   enable password xxxx
   line vty 0 4
    login local

Check internet on all your clients.

Check SSH to your switch and router from a PC connected to the switch.

Give me the result.

ok;

So I'm able to SSH into my router from my client computer; but for the configuration you posted for the switch, I don't have ip ssh version 2 or crypto key generate rsa in global configuration. I am, however, able to use PuTTY to SSH onto my router on the 10.10.0.0 network from my laptop. See the configuration for both router and switch as of now.

Switch

Building configuration...

Current configuration : 1615 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1998
ip subnet-zero
!
ip domain-name test.com
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Vlan1
 ip address 10.10.0.2 255.255.255.0
 no ip route-cache

Router

hostname R1
!
boot-start-marker
boot-end-marker
!
enable password XXXXXX
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool R_POOL
   import all
   network 10.10.0.0 255.255.255.0
   update dns
   default-router 10.10.0.1
   dns-server 192.168.0.1 8.8.8.8 8.8.4.4
   domain-name R.com
   update arp
!
!
ip domain name test.com
ip ssh version 2
!
!
!
username XX secret 5 $1$VebO$euV4JjlfJ3pYr2lUYy6ar/
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.80 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet1
 description LAN
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255

Your switch probably does not support SSH.

Use telnet instead.

Telnet should work now on the switch.

Limit telnet and SSH access to some computers on both switch and router:

access-list 40 permit host 10.10.0.X   [for example your computer]
access-list 40 permit host 10.10.0.X
(add more if you need)
!
line vty 0 4   [or 0 15]
 access-class 40 in

Test with some different computers to see if the access-list works.

OK, as of now, using my test laptop I'm able to SSH and telnet to my router and switch when I'm on the 10.10.0.0 network.

WOW!!!!!! Thanks

Is there anything else you want me to add? I'll try the access-list 111 on the router and switch Tom; it seems that this easy configuration is what I need, and also redoing my topology lol..

On the switch you do not need to add an ACL because it is L2, and it is secure now because it is behind the router.

Add access-list 111 to int fa0/0 of your router because it is connected to the outside.

Work with access-lists for some days. I will give you more security configuration later.

Masoud

OK, I got you. Thanks for all the work you have done for me; just one question before I go.

When I set the ACL on int fa0/0, should I set the access-list going out or in? I'm thinking out, because that's the outside connection heading toward the ISP. If that's correct, could I also set a different access list for my internal int fa0/1, like access-list 100 IN? Just curious about what I can do; I was thinking about doing something like this:

access-list 111 permit tcp any any eq 80
access-list 111 permit tcp any any eq 443
access-list 111 permit udp any any eq 53
access-list 111 permit udp any any eq 8080
access-list 100 permit udp any any eq 53
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 123
access-list 100 permit tcp any any eq 143
access-list 100 permit tcp any any eq 110

For int Fa0/0 on the router:

 no ip address
 ip access-group 111 out

int fa0/1
 no ip address
 ip access-group 100 in

That way I can have different ports on different interfaces.

Thanks again

There is more to access-lists. An access-list is stateless. It means when you allow one protocol out, you need to allow that protocol in.

For example, if you do the configuration below, you are not allowing 80 IN, so you will not have access to http pages.

access-list 111 permit udp any any eq 53
access-list 100 permit tcp any any eq 80   (out but no in)

You need to work on access-lists a little more to figure it out. Try different scenarios.

For now just use one number for in and out. We use reflexive access-lists instead of RACL (you are using RACL now).

Just study a little bit about these:

1- Reflexive access-list (it is stateful; you just need to allow one side)

2- Port security on the switch to bind your devices' MAC addresses to the switch.

3- DHCP snooping to secure DHCP

Masoud

You can try this also. As you see, for TCP there is "established" at the end of the command. It is for TCP only. It means if your internal network requests a webpage, it is allowed, but from outside it is only allowed if the request was initiated from inside. Any request initiated from outside is not allowed.

1- An HTTP request from inside is allowed by the OUT ACL. The return traffic is allowed by the IN access-list and established.

2- HTTP from out to in is not allowed.

access-list 111 permit tcp any any eq 80
access-list 111 permit udp any any eq 53   [UDP is the same on both ACLs]
access-list 100 permit udp any any eq 53
access-list 100 permit tcp any any eq 80 established

int fa0
 ip access-group 111 out
 ip access-group 110 in
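The two points made in this reply and the previous one (a stateless ACL has to permit the return direction explicitly, and "established" only lets through TCP segments that already carry ACK or RST) are easy to see by evaluating sample packets against the ACLs. The Python below is an added example written for this page, not configuration from the thread or any Cisco tool. It implements the usual numbered extended-ACL syntax, in which a port operator written after the second address pair refers to the destination port; because a reply carries the server port as its source port, the inbound variant labelled ACL_100_RETURN places the operator after the source address ("permit tcp any eq 80 any established") and is compared with an inbound ACL that places it after the destination. All function names, the client, web server (203.0.113.10) and DNS server addresses and the packets themselves are constructed for the example.

```python
"""Stateless IOS-style ACL evaluation: wildcard masks and the TCP `established` keyword.
Added example, not from the thread; the packets and the web server address are constructed."""
from collections import namedtuple
from ipaddress import IPv4Address
from typing import List

# A packet as the ACL sees it; `flags` holds the TCP flags present, e.g. {"SYN", "ACK"}.
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[frozenset()])
# One ACL entry: `sport`/`dport` come from an `eq` operator (None when absent);
# `src_wild`/`dst_wild` are Cisco wildcard masks in which 1 bits are "don't care".
Rule = namedtuple("Rule", "action proto src src_wild sport dst dst_wild dport established")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: only the bits that are 0 in the mask must match."""
    if base == "any":
        return True
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


def parse_rule(line: str) -> Rule:
    """Parse a numbered extended ACL line (`eq` is the only port operator handled)."""
    toks = line.split()
    action, proto, rest = toks[2], toks[3], toks[4:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return "any", "255.255.255.255"
        if rest[0] == "host":
            host, rest = rest[1], rest[2:]
            return host, "0.0.0.0"
        addr, wild, rest = rest[0], rest[1], rest[2:]
        return addr, wild

    def take_port():
        nonlocal rest
        if rest and rest[0] == "eq":
            tok, rest = rest[1], rest[2:]
            return int(tok) if tok.isdigit() else {"www": 80, "domain": 53}[tok]
        return None

    src, src_wild = take_addr()
    sport = take_port()
    dst, dst_wild = take_addr()
    dport = take_port()
    return Rule(action, proto, src, src_wild, sport, dst, dst_wild, dport, "established" in rest)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.sport not in (None, pkt.sport) or rule.dport not in (None, pkt.dport):
        return False
    # `established` matches TCP segments carrying ACK or RST. It checks flags only;
    # nothing remembers that an inside host opened the connection.
    if rule.established and (pkt.proto != "tcp" or not (pkt.flags & {"ACK", "RST"})):
        return False
    return (wildcard_match(pkt.src, rule.src, rule.src_wild)
            and wildcard_match(pkt.dst, rule.dst, rule.dst_wild))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    return next((r.action for r in acl if rule_matches(r, pkt)), "deny")


# Constructed traffic: a client on the thread's 10.10.0.0/24 LAN talks to a web
# server (203.0.113.10, a documentation address) and to the DNS server 192.168.0.1.
CLIENT, WEB, DNS = "10.10.0.50", "203.0.113.10", "192.168.0.1"
HTTP_SYN = Packet("tcp", CLIENT, 51234, WEB, 80, frozenset({"SYN"}))
HTTP_SYNACK = Packet("tcp", WEB, 80, CLIENT, 51234, frozenset({"SYN", "ACK"}))
OUTSIDE_SYN = Packet("tcp", WEB, 44321, CLIENT, 80, frozenset({"SYN"}))
STRAY_ACK = Packet("tcp", WEB, 80, CLIENT, 51234, frozenset({"ACK"}))
DNS_REPLY = Packet("udp", DNS, 53, CLIENT, 40000)

ACL_111_OUT = [parse_rule("access-list 111 permit tcp any any eq 80"),
               parse_rule("access-list 111 permit udp any any eq 53")]
# Inbound ACL with `eq` after the destination: replies go to the client's ephemeral port.
ACL_100_NAIVE = [parse_rule("access-list 100 permit udp any any eq 53"),
                 parse_rule("access-list 100 permit tcp any any eq 80")]
# Inbound ACL keyed on the server port as *source* port, TCP gated by `established`.
ACL_100_RETURN = [parse_rule("access-list 100 permit udp any eq 53 any"),
                  parse_rule("access-list 100 permit tcp any eq 80 any established")]


def demo() -> dict:
    return {
        "http_request_out": evaluate(ACL_111_OUT, HTTP_SYN),            # permit
        "http_reply_in_naive": evaluate(ACL_100_NAIVE, HTTP_SYNACK),    # deny
        "http_reply_in_return": evaluate(ACL_100_RETURN, HTTP_SYNACK),  # permit
        "dns_reply_in_naive": evaluate(ACL_100_NAIVE, DNS_REPLY),       # deny
        "dns_reply_in_return": evaluate(ACL_100_RETURN, DNS_REPLY),     # permit
        "outside_http_syn_in": evaluate(ACL_100_RETURN, OUTSIDE_SYN),   # deny
        # permit: `established` cannot tell a reply from an unsolicited ACK (reflexive ACLs can)
        "stray_ack_in": evaluate(ACL_100_RETURN, STRAY_ACK),
    }
```

Calling demo() shows the outbound request permitted, the HTTP and DNS replies denied by the inbound ACL that keys on the destination port and permitted by the one that keys on the source port, and an outside-initiated SYN denied. The last entry is the caveat: a segment from outside with ACK set and source port 80 is still permitted, because "established" inspects flags rather than connection state; that gap is what the reflexive access-list recommended above closes.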

Hey Masoud;

Are you there ??

How's it going??
