
different vlans accessing different ISP

p3tter123

Hello, I have a Cisco 892 router with 4 VLANs. One VLAN is not going to be able to connect to the internet, two VLANs are going to share one of the internet connections, and the last VLAN is going to have its own network connection and not be able to access the other VLANs.

This is my setup so far:

router1#show running
Building configuration...

Current configuration : 6170 bytes
!
! Last configuration change at 10:49:36 UTC Mon Jul 21 2014 by admin
! NVRAM config last updated at 11:04:48 UTC Mon Jul 21 2014 by admin
! NVRAM config last updated at 11:04:48 UTC Mon Jul 21 2014 by admin
! Global services and identity, as captured from IOS 15.2.
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, a cleartext (type 0) password added
! later would be displayed as-is in "show running". The only credential visible in
! this listing is a type 5 secret, which this setting does not affect.
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
!
! Local log buffer (51200 bytes, severity "warnings" and above). No remote syslog
! host appears in this listing, so these logs exist only on the router.
logging buffered 51200 warnings
!
! AAA is off; console and vty logins rely on "login local" and the local username
! defined further down in this listing.
no aaa new-model
!
! Self-signed trustpoint; presumably the one IOS generates for "ip http secure-server".
! Clients cannot validate a self-signed certificate, and revocation checking is off.
! NOTE(review): the DER dump that follows appears to carry a 1024-bit RSA key signed
! with SHA-1 and a notAfter of 2020-01-01 -- confirm, and consider regenerating the
! key pair with a larger modulus (e.g. "crypto key generate rsa modulus 2048").
crypto pki trustpoint TP-self-signed-2144676908
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2144676908
 revocation-check none
 rsakeypair TP-self-signed-2144676908
!
!
crypto pki certificate chain TP-self-signed-2144676908
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313434 36373639 3038301E 170D3134 30343136 32313436
  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31343436
  37363930 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B233 E0CE3720 2DCC43DA 8927C8D1 B831EA24 F473F177 8C006E87 784CB766
  09039302 2A2C9DA9 AF6E32BD E7103257 C5054C02 93910E15 A2523366 2DF09EED
  EE416978 391C2827 3024C06F 8FA66E90 B7E2E91F 56DDD321 A211FDCA ED6ED977
  A0E6DD17 5E774750 A315FB88 53C3844D CDC2FAE5 C8C31041 7BE85749 574204D4
  DCA10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 140A4B93 5A3CC9B5 114BC63B A630DB6D BCA4E00F 4F301D06
  03551D0E 04160414 0A4B935A 3CC9B511 4BC63BA6 30DB6DBC A4E00F4F 300D0609
  2A864886 F70D0101 05050003 8181006A 42ECE16C 28D89ABD 2D4C4071 0DF31C7E
  F6810537 EFDEEB30 9F1F640D 53FF3284 AD29A98C 8D25C25A 66A1C9B2 DE8467FA
  30B653EB 1FD7B01D 5E59D73C 19135555 58892BB1 057BB1A2 671E2DE4 19C4328E
  9272BEF9 29B49C71 3FE93075 A64B2027 DB88CC4B BFE3613B 1CA8B5A3 C884EACB
  ECB66066 E915BAE5 9CD681CB 1E43C8
        quit
! CEF switching. With two equal-cost default routes (see the "ip route" lines later
! in this listing) CEF load-shares per source/destination pair by default, which is
! consistent with the "traffic goes through both gateways" symptom in the post.
ip cef
!
!
!
!



!
! Addresses the DHCP server must not hand out. What remains dynamic:
!   10.1.2.0/24 (PUBLIC_DATA) .5-.254, 10.1.3.0/24 (IPTV) .50-.100,
!   10.1.1.0/24 (DATA) .100-.200,      10.1.4.0/24 (CCTV) .100-.150
ip dhcp excluded-address 10.1.2.1 10.1.2.4
ip dhcp excluded-address 10.1.3.1 10.1.3.49
ip dhcp excluded-address 10.1.3.101 10.1.3.254
ip dhcp excluded-address 10.1.1.1 10.1.1.99
ip dhcp excluded-address 10.1.1.201 10.1.1.254
ip dhcp excluded-address 10.1.4.151 10.1.4.254
ip dhcp excluded-address 10.1.4.1 10.1.4.99
!
! PUBLIC_DATA clients resolve through 192.168.20.1 (the modem on the Vlan1000 side).
ip dhcp pool PUBLIC_DATA
 network 10.1.2.0 255.255.255.0
 default-router 10.1.2.1
 dns-server 192.168.20.1
!
! IPTV and DATA clients resolve through 192.168.10.1 (the modem on GigabitEthernet0).
ip dhcp pool IPTV
 network 10.1.3.0 255.255.255.0
 default-router 10.1.3.1
 dns-server 192.168.10.1
!
! CCTV gets no DNS server, in line with the stated goal that this VLAN has no
! internet access. DHCP options alone do not enforce that; filtering has to.
ip dhcp pool CCTV
 network 10.1.4.0 255.255.255.0
 default-router 10.1.4.1
!
ip dhcp pool DATA
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 192.168.10.1
!
! Fixed reservations for the servers, keyed on client-identifier or MAC address.
ip dhcp pool static1
 host 10.1.1.10 255.255.255.0
 client-identifier 01a0.2bb8.1f27.54
 client-name windowsServer
!
ip dhcp pool static2
 host 10.1.1.20 255.255.255.0
 hardware-address 0800.2774.0895
 client-name LinuxWebServer
!
ip dhcp pool static3
 host 10.1.3.10 255.255.255.0
 hardware-address d050.9909.d931
 client-name IPTVServer
!
ip dhcp pool static4
 host 10.1.4.10 255.255.255.0
 client-identifier 010c.c47a.00d0.c3
 client-name CCTVServer
!
!
!
! Resolver settings used by the router itself (placeholder domain name left in place).
ip domain name yourdomain.com
ip name-server 192.168.10.1
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
! NOTE(review): the chassis serial number is a device identifier; redact it before
! sharing a configuration publicly.
license udi pid CISCO892-K9 sn FCZ181691ZS
!
!
!
! BPDU guard is enabled globally for PortFast ports, while spanning tree is turned
! off entirely for VLANs 120 and 1000.
! NOTE(review): with STP off in a VLAN, a cabling loop there is not blocked --
! confirm this is intended.
spanning-tree portfast bpduguard
no spanning-tree vlan 120
no spanning-tree vlan 1000
! The only local account, with full (level 15) privilege.
! NOTE(review): "secret 5" is a salted MD5-based hash. Once posted together with the
! config it can be guessed offline, so treat this password as exposed: change it,
! and where the IOS release supports it prefer a stronger secret type
! (e.g. "algorithm-type scrypt").
username admin privilege 15 secret 5 $1$DG34$SZeBJtbAbam0Ev/SsxOJY0
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! ISDN BRI port, unused and shut down.
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
! Switch port in VLAN 1000. Its layer-3 address is on "interface Vlan1000" below
! (192.168.20.2), i.e. this is the path to the 192.168.20.1 modem.
interface FastEthernet0
 switchport access vlan 1000
 no ip address
 no cdp enable
!
! FastEthernet1-7 carry no configuration and are not shut down.
! NOTE(review): if these ports are unused, consider "shutdown" on each so that
! nothing can be attached to them unnoticed.
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
! Parent port of the 802.1Q subinterfaces below (one per inside VLAN).
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
! IPTV, VLAN 100. ACL 2 is "permit any", so the outbound access-group filters
! nothing. No inbound ACL: hosts here can send to every other routed subnet.
interface FastEthernet8.100
 description IPTV
 encapsulation dot1Q 100
 ip address 10.1.3.1 255.255.255.0
 ip access-group 2 out
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
! DATA, VLAN 110. Same treatment as IPTV: ACL 2 out filters nothing.
interface FastEthernet8.110
 description DATA
 encapsulation dot1Q 110
 ip address 10.1.1.1 255.255.255.0
 ip access-group 2 out
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
! PUBLIC_DATA, VLAN 120. ACL 1 (source 192.168.20.0/24 only) is applied outbound,
! so packets routed towards this VLAN from any other source hit the implicit deny.
! The same ACL 1 is also the NAT match list, so editing it changes both behaviours.
interface FastEthernet8.120
 description PUBLIC_DATA
 encapsulation dot1Q 120
 ip address 10.1.2.1 255.255.255.0
 ip access-group 1 out
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
! CCTV, VLAN 300: no "ip nat inside", in line with "no internet" for this VLAN.
! NOTE(review): access-list 3 is not defined anywhere in this listing. IOS treats
! an interface ACL with no entries as permit-all, so this access-group currently
! filters nothing and the CCTV VLAN is not isolated.
interface FastEthernet8.300
 description CCTV
 encapsulation dot1Q 300
 ip address 10.1.4.1 255.255.255.0
 ip access-group 3 out
 no cdp enable
!
! Uplink 1: routed port towards the 192.168.10.1 modem.
interface GigabitEthernet0
 ip address 192.168.10.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! Default VLAN SVI, no address and shut down.
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 shutdown
!
! Uplink 2: SVI for VLAN 1000 (FastEthernet0) towards the 192.168.20.1 modem.
interface Vlan1000
 ip address 192.168.20.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
ip forward-protocol nd
! Web management: both cleartext HTTP and HTTPS are enabled, authenticated against
! the local user database, with no access restriction visible in this listing.
! NOTE(review): consider "no ip http server" (keep only the secure server) and an
! "ip http access-class" limiting which addresses may connect. A session lifetime
! of 86400 s (24 h) is also generous.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! NAT overload, one rule per uplink, selected purely by source ACL.
! ACL 1 matches 192.168.20.0/24 -- the modem-side segment itself, not an inside
! VLAN -- so no inside host is translated to Vlan1000. ACL 2 is "permit any", so
! everything is translated to GigabitEthernet0's address. Plain ACL-based rules are
! not tied to the egress interface, which is presumably why traffic forwarded out
! Vlan1000 fails.
ip nat inside source list 1 interface Vlan1000 overload
ip nat inside source list 2 interface GigabitEthernet0 overload
! Two default routes with the same (default) administrative distance: the router
! load-shares across both modems and nothing here steers a VLAN to a given modem.
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.20.1
! NOTE(review): 10.1.1.0/24 and 10.1.2.0/24 are directly connected on the
! FastEthernet8 subinterfaces, and connected routes are preferred over statics, so
! these two routes should have no effect while those subinterfaces are up.
ip route 10.1.1.0 255.255.255.0 192.168.10.1
ip route 10.1.2.0 255.255.255.0 192.168.20.1
!
! Standard ACLs, matched on source address only. Each is used twice in this
! listing: as an outbound interface filter and as a NAT match list.
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit any
no cdp run
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
! Console: local username/password.
line con 0
 login local
line aux 0
! Remote management on all 16 vty lines. Sessions start at privilege level 15, and
! both Telnet and SSH are accepted.
! NOTE(review): Telnet carries the admin credentials in cleartext; prefer
! "transport input ssh". No "access-class" is applied, so any address that can
! reach the router (every inside VLAN and both modem segments) can attempt a login.
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
! Time source, referenced by name (so it depends on DNS) and with no NTP
! authentication configured in this listing.
ntp server timekeeper.isi.edu
!
end

 

where 192.168.10.1 and 192.168.20.1 are my 3G modems.
The configuration works, but the connection is really from the DATA/IPTV Vlan when the other 3G modem is deactivated. I think the traffic tries to go through both gateways.

Does anyone have some tips i could try?

 


According to your configuration internet should work for following vlans via 192.168.10.1

interface FastEthernet8.100

interface FastEthernet8.110

interface FastEthernet8.120

 

No internet traffic will work via 192.168.20.1 because the NAT access-list matches the wrong addresses: access-list 1 matches 192.168.20.0/24, which is the modem-side network segment itself rather than the inside VLAN subnets. You need to modify it:

no access-list 1 permit 192.168.20.0 0.0.0.255

modify 

access-list 1 permit 10.1.3.0 0.0.0.255

access-list 1 permit 10.1.1.0 0.0.0.255

access-list 1 permit 10.1.2.0 0.0.0.255

 

modify 

 

 

HTH

Sandy

ok thanks i will try this tomorrow

I still have a problem: when only the 192.168.10.1 modem is connected I have full internet access.
The other modem, 192.168.20.1, does not have an internet connection at this time. So when both modems are connected I do not have any internet access on VLAN 110 and VLAN 100. These VLANs should only use the 192.168.10.1 modem as the gateway.

attachment of the network.

Hi ,

 Your router is sending traffic to both modems because the two default routes have equal cost. If you don't want to pass traffic via the secondary modem, change the weight (administrative distance) of its route to a higher value. After that you should have internet access from both VLANs.

 no ip route 0.0.0.0 0.0.0.0 192.168.20.1

 ip route 0.0.0.0 0.0.0.0 192.168.20.100

 

HTH

Sandy

i want to pass traffic from vlan 100 and vlan 110 via modem 2 and traffic from vlan 120 via modem 1.

its still not working.

gateway of last resort is 192.168.20.100 by now

 

Thanks for any help

Sorry for my blunder: I made a typo. Instead of setting the weight to 100, I modified the IP address.

 no ip route 0.0.0.0 0.0.0.0 192.168.20.100

 ip route 0.0.0.0 0.0.0.0 192.168.20.1 100

For below requirement we need to implement policy based routing , let me know once you get your secondary internet up and working

i want to pass traffic from vlan 100 and vlan 110 via modem 2 and traffic from vlan 120 via modem 1.

 

HTH

Sandy

ok its working now with both internet connection.

i do not know so much about policy based routing. this is the first time i ever configured a cisco router. So i need some guidance.

Thanks

Hi ,

       I will help you , share me your latest router config . 

 

HTH

Sandy

kindly rate for helpful post 

Building configuration...

Current configuration : 7104 bytes
!
! Last configuration change at 13:55:21 UTC Tue Jul 22 2014 by admin
! Global services and identity, as captured from IOS 15.2.
version 15.2
! NOTE(review): "service config" makes the router try to load configuration files
! from a network (TFTP) server. If that is not deliberately in use, remove it with
! "no service config" so the router never accepts a configuration from the network.
service config
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, a cleartext (type 0) password added
! later would be displayed as-is in "show running".
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
!
! Local log buffer only; no remote syslog host appears in this listing.
logging buffered 51200 warnings
!
! AAA is off; logins rely on "login local" and the local username further down.
no aaa new-model
!
! Self-signed trustpoint; presumably the one IOS generates for "ip http secure-server".
! Clients cannot validate a self-signed certificate, and revocation checking is off.
! NOTE(review): the DER dump that follows appears to carry a 1024-bit RSA key signed
! with SHA-1 -- confirm, and consider regenerating with a larger modulus.
crypto pki trustpoint TP-self-signed-2144676908
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2144676908
 revocation-check none
 rsakeypair TP-self-signed-2144676908
!
!
crypto pki certificate chain TP-self-signed-2144676908
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313434 36373639 3038301E 170D3134 30343136 32313436
  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31343436
  37363930 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B233 E0CE3720 2DCC43DA 8927C8D1 B831EA24 F473F177 8C006E87 784CB766
  09039302 2A2C9DA9 AF6E32BD E7103257 C5054C02 93910E15 A2523366 2DF09EED
  EE416978 391C2827 3024C06F 8FA66E90 B7E2E91F 56DDD321 A211FDCA ED6ED977
  A0E6DD17 5E774750 A315FB88 53C3844D CDC2FAE5 C8C31041 7BE85749 574204D4
  DCA10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 140A4B93 5A3CC9B5 114BC63B A630DB6D BCA4E00F 4F301D06
  03551D0E 04160414 0A4B935A 3CC9B511 4BC63BA6 30DB6DBC A4E00F4F 300D0609
  2A864886 F70D0101 05050003 8181006A 42ECE16C 28D89ABD 2D4C4071 0DF31C7E
  F6810537 EFDEEB30 9F1F640D 53FF3284 AD29A98C 8D25C25A 66A1C9B2 DE8467FA
  30B653EB 1FD7B01D 5E59D73C 19135555 58892BB1 057BB1A2 671E2DE4 19C4328E
  9272BEF9 29B49C71 3FE93075 A64B2027 DB88CC4B BFE3613B 1CA8B5A3 C884EACB
  ECB66066 E915BAE5 9CD681CB 1E43C8
        quit
! CEF switching (required for the policy routing and NAT below to be fast-switched).
ip cef
!
!
!
!


!
! Addresses the DHCP server must not hand out. What remains dynamic:
!   10.1.2.0/24 (PUBLIC_DATA) .5-.254, 10.1.3.0/24 (IPTV) .50-.100,
!   10.1.1.0/24 (DATA) .100-.200,      10.1.4.0/24 (CCTV) .100-.150
ip dhcp excluded-address 10.1.2.1 10.1.2.4
ip dhcp excluded-address 10.1.3.1 10.1.3.49
ip dhcp excluded-address 10.1.3.101 10.1.3.254
ip dhcp excluded-address 10.1.1.1 10.1.1.99
ip dhcp excluded-address 10.1.1.201 10.1.1.254
ip dhcp excluded-address 10.1.4.151 10.1.4.254
ip dhcp excluded-address 10.1.4.1 10.1.4.99
!
! PUBLIC_DATA clients resolve through 192.168.20.1, the modem on the Vlan1000 side.
! NOTE(review): any ACL added to keep clients away from the modems' LAN addresses
! must still allow DNS to the resolver handed out here (or hand out another one).
ip dhcp pool PUBLIC_DATA
 network 10.1.2.0 255.255.255.0
 default-router 10.1.2.1
 dns-server 192.168.20.1
!
! IPTV clients resolve through 192.168.6.1, the modem on GigabitEthernet0.
ip dhcp pool IPTV
 network 10.1.3.0 255.255.255.0
 default-router 10.1.3.1
 dns-server 192.168.6.1
!
! CCTV gets no DNS server, in line with "no internet" for this VLAN. DHCP options
! alone do not enforce that; filtering has to.
ip dhcp pool CCTV
 network 10.1.4.0 255.255.255.0
 default-router 10.1.4.1
!
! DATA clients use a public resolver instead of the modem.
ip dhcp pool DATA
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 8.8.4.4
!
! Fixed reservations for the servers, keyed on client-identifier or MAC address.
ip dhcp pool static1
 host 10.1.1.10 255.255.255.0
 client-identifier 01a0.2bb8.1f27.54
 client-name windowsServer
!
ip dhcp pool static2
 host 10.1.1.20 255.255.255.0
 hardware-address 0800.2774.0895
 client-name LinuxWebServer
!
ip dhcp pool static3
 host 10.1.3.10 255.255.255.0
 hardware-address d050.9909.d931
 client-name IPTVServer
!
ip dhcp pool static4
 host 10.1.4.10 255.255.255.0
 client-identifier 010c.c47a.00d0.c3
 client-name CCTVServer
!
!
!
! Resolver settings used by the router itself (placeholder domain name left in place).
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
! NOTE(review): the chassis serial number is a device identifier; redact it before
! sharing a configuration publicly.
license udi pid CISCO892-K9 sn FCZ181691ZS
!
!
!
! BPDU guard is enabled globally for PortFast ports, while spanning tree is turned
! off entirely for VLANs 120 and 1000.
! NOTE(review): with STP off in a VLAN, a cabling loop there is not blocked --
! confirm this is intended.
spanning-tree portfast bpduguard
no spanning-tree vlan 120
no spanning-tree vlan 1000
! The only local account, with full (level 15) privilege.
! NOTE(review): "secret 5" is a salted MD5-based hash. Once posted together with the
! config it can be guessed offline, so treat this password as exposed: change it,
! and where the IOS release supports it prefer a stronger secret type
! (e.g. "algorithm-type scrypt").
username admin privilege 15 secret 5 $1$DG34$SZeBJtbAbam0Ev/SsxOJY0
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! ISDN BRI port, unused and shut down.
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
! Switch port in VLAN 1000. Its layer-3 address is on "interface Vlan1000" below
! (192.168.20.2), i.e. this is the path to the 192.168.20.1 modem.
interface FastEthernet0
 switchport access vlan 1000
 no ip address
 no cdp enable
!
! FastEthernet1-7 carry no configuration and are not shut down.
! NOTE(review): if these ports are unused, consider "shutdown" on each so that
! nothing can be attached to them unnoticed.
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
! Parent port of the 802.1Q subinterfaces below (one per inside VLAN).
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
! IPTV, VLAN 100: policy-routed by EXIT_CREW_IPTV.
! NOTE(review): there is no "ip access-group" here. The route-map only chooses a
! next hop; it does not drop anything, so hosts in this VLAN can still reach the
! other VLANs, both modem segments and the router's own management services.
interface FastEthernet8.100
 description IPTV
 encapsulation dot1Q 100
 ip address 10.1.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map EXIT_CREW_IPTV
 no cdp enable
!
! DATA, VLAN 110: same treatment as IPTV (policy-routed, no inbound filter).
interface FastEthernet8.110
 description DATA
 encapsulation dot1Q 110
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map EXIT_CREW_IPTV
 no cdp enable
!
! PUBLIC_DATA, VLAN 120: the only VLAN with an inbound filter (ISOLATE_PUBLIC),
! plus policy routing towards the second modem (EXIT_PUBLIC).
interface FastEthernet8.120
 description PUBLIC_DATA
 encapsulation dot1Q 120
 ip address 10.1.2.1 255.255.255.0
 ip access-group ISOLATE_PUBLIC in
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map EXIT_PUBLIC
 no cdp enable
!
! CCTV, VLAN 300: no NAT and no policy routing. ACL 3 (source 10.1.4.0/24 only) is
! applied outbound, so packets routed into this VLAN from other subnets are dropped.
! NOTE(review): nothing filters what CCTV hosts send; an inbound ACL would be
! needed to stop them originating traffic towards other VLANs or the modems.
interface FastEthernet8.300
 description CCTV
 encapsulation dot1Q 300
 ip address 10.1.4.1 255.255.255.0
 ip access-group 3 out
 no cdp enable
!
! Uplink 1: routed port, now on 192.168.6.0/24 (modem at 192.168.6.1).
interface GigabitEthernet0
 ip address 192.168.6.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! Default VLAN SVI, no address and shut down.
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 shutdown
!
! Uplink 2: SVI for VLAN 1000 (FastEthernet0) towards the 192.168.20.1 modem.
interface Vlan1000
 ip address 192.168.20.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
! NOTE(review): "ip default-gateway" is only consulted when IP routing is disabled;
! on a router that is routing, the static default routes below are what count.
ip default-gateway 192.168.6.1
ip forward-protocol nd
! Web management: both cleartext HTTP and HTTPS are enabled, with no access
! restriction visible in this listing.
! NOTE(review): consider "no ip http server" and an "ip http access-class" limiting
! which addresses may connect.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! NAT overload per uplink, selected by route-map (source ACL plus egress
! interface), so a flow is translated to the address of the uplink it leaves by.
ip nat inside source route-map NAT_CREW_IPTV interface GigabitEthernet0 overload
ip nat inside source route-map NAT_PUBLIC interface Vlan1000 overload
! Primary default route via modem 1; floating backup via modem 2 (distance 200),
! used only if the primary route is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 192.168.20.1 200
!
! NOTE(review): DENY_VLAN100 is not referenced anywhere in this listing.
ip access-list standard DENY_VLAN100
 deny   192.168.20.0 0.0.0.255
!
! Match list for route-map EXIT_CREW_IPTV (policy routing), not a packet filter.
! A "deny" here only means "do not policy-route": traffic from DATA/IPTV to
! 10.0.0.0/8 or 192.168.0.0/16 is still forwarded by the normal routing table,
! which includes both modem segments.
ip access-list extended CREW_IPTV
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.1.3.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.1.3.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.3.0 0.0.0.255 any
! Inbound filter on FastEthernet8.120: blocks PUBLIC_DATA from the DATA, IPTV and
! CCTV subnets, then permits everything else.
! NOTE(review): "everything else" includes 192.168.6.0/24 (the other modem) and the
! router's own addresses, so public clients can still reach that gateway and the
! router's Telnet/SSH/HTTP services. A deny for 192.168.6.0 0.0.0.255 above the
! final permit, and equivalent inbound lists on the DATA/IPTV subinterfaces denying
! 192.168.20.0 0.0.0.255, would keep each VLAN off the other uplink's segment.
ip access-list extended ISOLATE_PUBLIC
 deny   ip any 10.1.1.0 0.0.0.255
 deny   ip any 10.1.3.0 0.0.0.255
 deny   ip any 10.1.4.0 0.0.0.255
 permit ip any any
! Match list for route-map EXIT_PUBLIC (policy routing); same "deny = not
! policy-routed" semantics as CREW_IPTV.
ip access-list extended PUBLIC
 deny   ip 10.1.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.1.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.1.2.0 0.0.0.255 any
!
! ACLs 1 and 2 are no longer referenced in this listing. ACL 3 is the outbound
! filter on FastEthernet8.300.
access-list 1 permit 10.1.2.0 0.0.0.255
access-list 2 permit any
access-list 3 permit 10.1.4.0 0.0.0.255
! NAT match lists: 30 for NAT_CREW_IPTV, 50 for NAT_PUBLIC. Each excludes only the
! uplink's own segment and permits every other source, so the egress-interface
! match in the route-map is what actually separates the two translations.
access-list 30 deny   192.168.6.0 0.0.0.255
access-list 30 permit any
access-list 50 deny   192.168.20.0 0.0.0.255
access-list 50 permit any
no cdp run
!
! NAT selector for uplink 2: both clauses must match (source permitted by ACL 50
! and packet leaving via Vlan1000).
route-map NAT_PUBLIC permit 10
 match ip address 50
 match interface Vlan1000
!
! Policy routing for DATA/IPTV: internet-bound traffic goes to modem 1.
route-map EXIT_CREW_IPTV permit 10
 match ip address CREW_IPTV
 set ip next-hop 192.168.6.1
!
! NAT selector for uplink 1: source permitted by ACL 30 and egress GigabitEthernet0.
route-map NAT_CREW_IPTV permit 10
 match ip address 30
 match interface GigabitEthernet0
!
! Policy routing for PUBLIC_DATA: internet-bound traffic goes to modem 2.
! NOTE(review): no next-hop tracking is configured. If Vlan1000 goes down this
! traffic presumably falls back to the routing table (default via 192.168.6.1) and
! is then translated by NAT_CREW_IPTV, i.e. public clients would share the other
! uplink. If strict separation matters, confirm this failure behaviour and block it
! with an inbound ACL.
route-map EXIT_PUBLIC permit 10
 match ip address PUBLIC
 set ip next-hop 192.168.20.1
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
! Console: local username/password.
line con 0
 login local
line aux 0
! Remote management on all 16 vty lines. Sessions start at privilege level 15, and
! both Telnet and SSH are accepted.
! NOTE(review): Telnet carries the admin credentials in cleartext; prefer
! "transport input ssh". No "access-class" is applied, so any address that can
! reach the router -- including the PUBLIC_DATA VLAN, whose inbound ACL ends in
! "permit ip any any" -- can attempt a login.
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
!
end

 

 

This works, and the web traffic goes via the correct modems, but clients from every VLAN are able to connect to both gateways. Is there something I could do to block this? Thanks
