Configuring a router for first time

npranger
Level 1

Hello, first attempt to completely configure a router (2911) with CLI. I am asking the community to review my configuration script.

Topology: The church will have a single 2911 router. Router port 0/0 will have 4 subinterfaces, 1 for each vlan. A trunk port will connect the router to a 2960 Cisco switch. Three Cisco 1830I access points will be connected to the switch.

  • Project goals: 1) Reliable connectivity through most of the cinder block building. 2) Security of the business information. 4) Low budget project due to lack of funding.

Vlans: Staff WIFI on vlan 10, 192.168.10.0/24. Guest WIFI on vlan 30, 192.168.30.0/24. Management on vlan 90, 192.168.90.0/24. Native vlan 100, 192.168.100.0/24.

Configuration script for a 2911 router.  Please review - give comments.

  Questions: With this setup, did I configure a trunk coming out of the router? Do I need to name the vlans in the router like I do on a switch?

Configure UMC gigabit ethernet router script

! Basic setup

>enable

# hostname UMCrouter

# enable password UMCrouter#1

#configure terminal

Config# no ip domain-lookup

Config# interface gigabitethernet 0/0

Config-if# cdp enable

Config-if# no ip address

Config-if# duplex auto

Port-tagging

Encapsulation dot1q 10

Set cos 6

Config-if# no shutdown

Config-if# exit

Internet setup

>enable

# show ip interface brief

# configure terminal

Config# Interface gigabitethernet 0/0

Config-if# ip address 12.34.56.2 255.255.255.0

Config-if# no shutdown

Config-if# interface gigabitethernet 0/1

Config-if# ip address 192.168.1.1 255.255.255.0

Config-if# no shutdown

Config-if# C^Z

# show ip route           no default route

show ip interface brief

! Create default route in routing table

#configure terminal

Config# ip route 0.0.0.0 0.0.0.0 12.34.56.1

# show route

#ping 8.8.8.8   computer ping internet

! Link inside ip addresses to internet including all vlan addresses

#configure terminal

Config# ip access-list extended internet_ACL

Config-ext-nacl# permit ip 192.168.1.0 0.0.0.255 any

Config-ext-nacl# permit ip 192.168.10.0 0.0.0.255 any

Config-ext-nacl# permit ip 192.168.30.0 0.0.0.255 any

Config-ext-nacl# permit ip 192.168.90.0 0.0.0.255 any

Config-ext-nacl# permit ip 192.168.100.0 0.0.0.255 any

Config-ext-nacl# exit

! Configure NAT

Config# ip nat inside source 1

Config# ip nat inside source list internet_acl interface gigabitethernet 0/1

Config# interface gigabitethernet 0/1

Config-if# ip nat outside

Config-if# interface gigabitethernet 0/0

Config-if# ip nat inside

! at this point inside PC should be able to ping internet

!  create SSH access

>enable

#configure terminal

Config# ip domain-name UMC.local

Config# crypto key generate rsa 

            How many bits in the modulus;   4096

Config# ip ssh version 2

! Hostname has been set prior

! Disable telnet

Config# line vty 0 98

Config# transport input ssh  echo-reply

! Limit remote access from cyberattacks

Config# ip access-list extended outside filter

Config-ext-nacl# Permit icmp any host 12.35.56.2 echo-reply

Config-ext-nacl# permit udp any eq domain host 12.34.56.2

Config-ext-nacl# permit 12.34.56.2 established

Config# C^Z

Config# interface gigabitethernet 0/1

Config-if# ip access-group outside filter inside filter

Config-if# C^Z

#copy running config startup config

! Configuring ROAS interface G0/2

  Enable

Config# interface gigabitethernet 0/2 and subinterfaces

Config-if# no ip address

Config-if# port tagging

Config-if-port-tagging# encapsulation dot1q 10

Config-if-port-tagging# set cos 6

Config-if-port-tagging# exit

Config-if# no shutdown

Config-if# C^Z

#show run interface g0/2

! use ping

#configure terminal

Config# interface gigabitethernet 0/2.10

Config-if# description vlan for work staff wifi

Config-if# encapsulation dot1q 10

Config-if# encapsulation dot1q 100 native

Config-if# ip address 192.168.10.4 255.255.255.0

Config-if# exit

Config# ip dhcp pool vlan10

DHCP-config# network 192.168.10.0 255.255.255.0

DHCP-config# default-router 192.168.10.1

DHCP-config# dns-server 8.8.8.8

DHCP-config# ip dhcp excluded-address 192.168.10.1 192.168.10.20

Config-if# exit

Config# interface gigabitethernet 0/2.30

Config-if# description vlan for guest wifi

Config-if# encapsulation dot1q 30

Config-if# encapsulation dot1q 100 native

Config-if# ip address 192.168.30.4 255.255.255.0

Config-if#ip dhcp pool vlan 30

DHCP-config# network 192.168.30.0 255.255.255.0

DHCP-config# default-router 192.168.30.1

DHCP-config# dns-server 8.8.8.8

DHCP-config# ip dhcp excluded-address 192.168.30.1 192.168.30.20

Config# interface gigabitethernet 0/2.90

Config-if# description vlan for management of network

Config-if# encapsulation dot1q 90

Config-if# encapsulation dot1q 100 native

Config-if# ip address 192.168.90.4 255.255.255.0

Config-if# ip dhcp pool vlan90

DHCP-config# network 192.168.90.0 255.255.255.0

DHCP-config# default-router 192.168.90.1

DHCP-config# dns-server 8.8.8.8

DHCP-config# ip dhcp excluded-address 192.168.90.1 192.168.90.20

Config-if# exit

Config# interface gigabitethernet 0/2.100

Config-if# description vlan for native traffic

Config-if# encapsulation dot1q 100

Config-if# encapsulation dot1q 100 native

Config-if# ip address 192.168.100.4 255.255.255.0

Config-if# ip dhcp pool vlan100

DHCP-config# network 192.168.100.0 255.255.255.0

DHCP-config# default-router 192.168.100.1

DHCP-config# dns-server 8.8.8.8

DHCP-config# ip dhcp excluded-address 192.168.100.1 192.168.100.20

DHCP-config# C^Z

Thanks, Phil

5 Replies

Richard Burts
Hall of Fame

You asked a few specific questions and here are my responses:

"Did I configure a trunk coming out of the router?" The subinterfaces configured should allow the router to process the trunk connection to the switch.

"Do I need to name the vlans in the router?" No, you do not need to name the vlans on the router.

I believe that the script as posted is more complicated than it needs to be. Here are some comments:

- multiple times you are in config mode, then you exit config mode, execute some commands, go back into config mode. Why not just use "do show ip interface brief" and stay in config mode?

- there is a mismatch between what you describe " Router port 0/0 will have 4 subinterfaces" and the config that puts the subinterfaces on 0/2. 

- you show these commands after entering enable mode

# hostname UMCrouter

# enable password UMCrouter#1

But both of these would be entered in global config mode (after you enter configure terminal)

- under G0/0 you use "Encapsulation dot1q 10" which matches your description but conflicts with what you actually do to put vlan 10 on G0/2.

- under G0/0 you configure no ip address, exit config mode, enter config mode and assign an IP address. Why do all that?

- you configure acl internet_ACL. But when you use it for NAT you change the case of the name

ip nat inside source list internet_acl interface gigabitethernet 0/1

I strongly suggest that for NAT you use a standard acl and not an extended acl which specifies any as the destination. I have seen situations where that causes problems.

- on an interface with a private address you call it nat outside

Config# interface gigabitethernet 0/1

Config-if# ip nat outside

and on interface with public IP you call it nat inside

Config-if# interface gigabitethernet 0/0

Config-if# ip nat inside

- on the vty where did echo-reply come from? "Config# transport input ssh echo-reply"

- your Internet acl is way too restrictive. And you apply it to the wrong interface

Config# interface gigabitethernet 0/1

Config-if# ip access-group outside filter inside filter

- you put this under subinterface 0/2.10 but it should go under subinterface 0/2.100

encapsulation dot1q 100 native

- on each subinterface you give it an address and then in the associated dhcp pool you specify that the default router is a different address. For example

ip address 192.168.10.4 255.255.255.0

But in the dhcp pool you say that the default router is 192.168.10.1. The default router should be the router interface address.

HTH

Rick
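As an added example that is not part of this thread or Cisco's own tooling, the Python below turns the review points above into mechanical checks. It runs over a constructed running-config snippet that reproduces the mistakes listed (the ACL name whose case changes between definition and NAT statement, nat inside/outside on the wrong sides, a second encapsulation command on 0/2.10 that overrides the first, and a DHCP default-router that is not the router's own interface address), and over a constructed corrected version that should come back clean. The interface names, the ACL name NAT_INSIDE and the addresses are taken from the thread or made up for the sample; the checks are purely textual and are not a substitute for IOS's own parser.

```python
"""Lint an IOS-style running config for the mistakes raised in this thread's review.
Added example (not the poster's script or Cisco code); every check is purely textual."""
import ipaddress
from collections import defaultdict

# Constructed sample reproducing the thread's mistakes in running-config form.
BROKEN_CONFIG = """
ip access-list extended internet_ACL
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list internet_acl interface GigabitEthernet0/1 overload
interface GigabitEthernet0/0
 ip address 12.34.56.2 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/2.10
 encapsulation dot1Q 10
 encapsulation dot1Q 100 native
 ip address 192.168.10.4 255.255.255.0
interface GigabitEthernet0/2.100
 encapsulation dot1Q 100 native
 ip address 192.168.100.4 255.255.255.0
ip dhcp pool vlan10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
"""

# Constructed corrected version: standard ACL for NAT, NAT sides on the right
# interfaces, one encapsulation per subinterface, gateway = interface address.
FIXED_CONFIG = """
ip access-list standard NAT_INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
 ip address 12.34.56.2 255.255.255.0
 ip nat outside
interface GigabitEthernet0/2.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/2.100
 encapsulation dot1Q 100 native
 ip address 192.168.100.1 255.255.255.0
ip dhcp pool vlan10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
"""


def parse(config):
    """Collect interfaces, DHCP pools, ACL names and NAT source-list names."""
    interfaces, pools, acls, nat_lists = {}, {}, set(), []
    kind = block = None
    for raw in filter(str.strip, config.splitlines()):
        words = raw.split()
        if not raw.startswith(" "):  # unindented line: a new top-level command
            kind = block = None
            if words[0] == "interface":
                kind, block = "if", interfaces.setdefault(words[1], {"ip": None, "nat": None, "encap": []})
            elif words[:3] == ["ip", "dhcp", "pool"]:
                kind, block = "pool", pools.setdefault(words[3], {"gw": None})
            elif words[:2] == ["ip", "access-list"]:
                acls.add(words[3])
            elif words[:5] == ["ip", "nat", "inside", "source", "list"]:
                nat_lists.append(words[5])
        elif kind == "if":
            if words[:2] == ["ip", "address"]:
                block["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            elif words[:2] == ["ip", "nat"]:
                block["nat"] = words[2]
            elif words[0] == "encapsulation":  # (vlan id, native keyword present?)
                block["encap"].append((int(words[2]), "native" in words[3:]))
        elif kind == "pool" and words[0] == "default-router":
            block["gw"] = ipaddress.ip_address(words[1])
    return interfaces, pools, acls, nat_lists


def lint(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    interfaces, pools, acls, nat_lists = parse(config)
    findings = []
    for name in nat_lists:  # ACL names are case-sensitive in IOS
        if name not in acls:
            findings.append(f"NAT references ACL '{name}', which is not defined (defined: {sorted(acls)})")
    vlan_owners = defaultdict(list)
    for ifname, d in interfaces.items():
        ip = d["ip"]
        # 'ip nat outside' belongs on the public side, 'ip nat inside' on private address space
        if ip and d["nat"] and (d["nat"] == "outside") == ip.ip.is_private:
            findings.append(f"{ifname}: 'ip nat {d['nat']}' on {ip.ip} looks like the NAT sides are swapped")
        if len(d["encap"]) > 1:  # a second encapsulation command replaces the first
            findings.append(f"{ifname}: {len(d['encap'])} encapsulation commands; only the last one is kept")
        if d["encap"]:  # effective VLAN is the last one; a VLAN belongs to one subinterface per parent
            vlan_owners[(ifname.split(".")[0], d["encap"][-1][0])].append(ifname)
    for (parent, vid), owners in vlan_owners.items():
        if len(owners) > 1:
            findings.append(f"{parent}: VLAN {vid} claimed by {', '.join(owners)}")
    addrs = {d["ip"].ip for d in interfaces.values() if d["ip"]}
    for pname, p in pools.items():  # clients must be handed a gateway the router actually owns
        if p["gw"] and p["gw"] not in addrs:
            findings.append(f"dhcp pool {pname}: default-router {p['gw']} is not a router interface address")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(BROKEN_CONFIG)) or "no findings")
```

Running it prints six findings for the constructed broken config and none for the corrected one. The NAT-side check is deliberately coarse (it only compares public against RFC 1918 space), which is enough to catch the swapped inside/outside labels in the script above without trying to reason about the ISP side.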

Rich, thank you so much for the time you spent outlining your answer. I will study the response and work on it. Very kind of you.

Phil

Phil

You are welcome. I would like to follow up on part of my response to the original post. The various steps you include to check the results of config commands are a nice idea, and as you get closer to actual implementation they may be appropriate. But in these early stages where you are trying to understand how things work I am concerned that trying to check results is a distraction from your primary focus, which is on producing a configuration that works.

HTH

Rick

Thank you for the feedback.


balaji.bandi
Hall of Fame

At a high level that should work if the respective interface is connected to the switch correctly.

I have guided another post on what you are looking to do. (If you have any issue, post how the router is connected to the switch and ISP in a small diagram.) Post show run (what is the issue you are encountering?)

https://community.cisco.com/t5/routing/router-892fsp-subinterfaces/td-p/4783462

BB
