07-21-2014 10:42 AM - edited 03-04-2019 11:23 PM
Hello, I have a Cisco 892 router. I have 4 VLANs: one VLAN is not going to be able to connect to the internet, two VLANs are going to share one of the internet connections, and the last VLAN is going to have its own internet connection and not be able to access the other VLANs.
This is my setup so far:
router1#show running
Building configuration...
Current configuration : 6170 bytes
!
! Last configuration change at 10:49:36 UTC Mon Jul 21 2014 by admin
! NVRAM config last updated at 11:04:48 UTC Mon Jul 21 2014 by admin
! NVRAM config last updated at 11:04:48 UTC Mon Jul 21 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password obfuscation is off, so any line/enable password added
! later is stored in cleartext; the only credential in this config uses "secret 5" (hashed).
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
! Local user database only (no AAA server); the lines at the bottom use "login local".
no aaa new-model
!
! Self-signed trustpoint backing "ip http secure-server" further down.
crypto pki trustpoint TP-self-signed-2144676908
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2144676908
! Revocation checking is off - the only workable choice for a self-signed certificate.
revocation-check none
rsakeypair TP-self-signed-2144676908
!
!
! Public certificate body (not a secret); the private key is not part of this output.
crypto pki certificate chain TP-self-signed-2144676908
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313434 36373639 3038301E 170D3134 30343136 32313436
33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31343436
37363930 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B233 E0CE3720 2DCC43DA 8927C8D1 B831EA24 F473F177 8C006E87 784CB766
09039302 2A2C9DA9 AF6E32BD E7103257 C5054C02 93910E15 A2523366 2DF09EED
EE416978 391C2827 3024C06F 8FA66E90 B7E2E91F 56DDD321 A211FDCA ED6ED977
A0E6DD17 5E774750 A315FB88 53C3844D CDC2FAE5 C8C31041 7BE85749 574204D4
DCA10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 140A4B93 5A3CC9B5 114BC63B A630DB6D BCA4E00F 4F301D06
03551D0E 04160414 0A4B935A 3CC9B511 4BC63BA6 30DB6DBC A4E00F4F 300D0609
2A864886 F70D0101 05050003 8181006A 42ECE16C 28D89ABD 2D4C4071 0DF31C7E
F6810537 EFDEEB30 9F1F640D 53FF3284 AD29A98C 8D25C25A 66A1C9B2 DE8467FA
30B653EB 1FD7B01D 5E59D73C 19135555 58892BB1 057BB1A2 671E2DE4 19C4328E
9272BEF9 29B49C71 3FE93075 A64B2027 DB88CC4B BFE3613B 1CA8B5A3 C884EACB
ECB66066 E915BAE5 9CD681CB 1E43C8
quit
ip cef
!
!
!
!
!
! Excluded ranges keep these addresses out of the dynamic pools; the fixed leases
! further down (10.1.1.10, 10.1.1.20, 10.1.3.10, 10.1.4.10) all fall inside them.
ip dhcp excluded-address 10.1.2.1 10.1.2.4
ip dhcp excluded-address 10.1.3.1 10.1.3.49
ip dhcp excluded-address 10.1.3.101 10.1.3.254
ip dhcp excluded-address 10.1.1.1 10.1.1.99
ip dhcp excluded-address 10.1.1.201 10.1.1.254
ip dhcp excluded-address 10.1.4.151 10.1.4.254
ip dhcp excluded-address 10.1.4.1 10.1.4.99
!
! VLAN 120 (FastEthernet8.120); DNS handed out is the second modem (192.168.20.1).
ip dhcp pool PUBLIC_DATA
network 10.1.2.0 255.255.255.0
default-router 10.1.2.1
dns-server 192.168.20.1
!
! VLAN 100 (FastEthernet8.100); DNS handed out is the first modem (192.168.10.1).
ip dhcp pool IPTV
network 10.1.3.0 255.255.255.0
default-router 10.1.3.1
dns-server 192.168.10.1
!
! VLAN 300 (FastEthernet8.300); no DNS server is handed out, consistent with this VLAN staying off the internet.
ip dhcp pool CCTV
network 10.1.4.0 255.255.255.0
default-router 10.1.4.1
!
! VLAN 110 (FastEthernet8.110).
ip dhcp pool DATA
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 192.168.10.1
!
! Fixed leases for named hosts: static1/static4 key on the DHCP client-identifier,
! static2/static3 on the hardware (MAC) address.
ip dhcp pool static1
host 10.1.1.10 255.255.255.0
client-identifier 01a0.2bb8.1f27.54
client-name windowsServer
!
ip dhcp pool static2
host 10.1.1.20 255.255.255.0
hardware-address 0800.2774.0895
client-name LinuxWebServer
!
ip dhcp pool static3
host 10.1.3.10 255.255.255.0
hardware-address d050.9909.d931
client-name IPTVServer
!
ip dhcp pool static4
host 10.1.4.10 255.255.255.0
client-identifier 010c.c47a.00d0.c3
client-name CCTVServer
!
!
!
ip domain name yourdomain.com
! The router's own resolver list: modem 1 first, then Google public DNS.
ip name-server 192.168.10.1
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO892-K9 sn FCZ181691ZS
!
!
!
spanning-tree portfast bpduguard
no spanning-tree vlan 120
no spanning-tree vlan 1000
! NOTE(review): this type-5 (salted MD5) hash has been posted publicly; treat the
! credential as exposed and change it.
username admin privilege 15 secret 5 $1$DG34$SZeBJtbAbam0Ev/SsxOJY0
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! ISDN BRI is unused and shut down.
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
! Switch port in VLAN 1000 - presumably where the second modem (192.168.20.1) plugs in;
! its layer-3 address lives on interface Vlan1000 below. Verify against the cabling.
interface FastEthernet0
switchport access vlan 1000
no ip address
no cdp enable
!
! FastEthernet1-7: unused switch ports, left in the default VLAN (interface Vlan1 is shut down below).
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
! Routed port; the 802.1Q subinterfaces below carry the four inside VLANs.
interface FastEthernet8
no ip address
duplex auto
speed auto
!
interface FastEthernet8.100
description IPTV
encapsulation dot1Q 100
ip address 10.1.3.1 255.255.255.0
! access-list 2 is "permit any", so this outbound filter passes everything.
ip access-group 2 out
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface FastEthernet8.110
description DATA
encapsulation dot1Q 110
ip address 10.1.1.1 255.255.255.0
! access-list 2 is "permit any", so this outbound filter passes everything.
ip access-group 2 out
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface FastEthernet8.120
description PUBLIC_DATA
encapsulation dot1Q 120
ip address 10.1.2.1 255.255.255.0
! access-list 1 permits only sources in 192.168.20.0/24, so the only packets allowed out
! toward this VLAN are ones from the modem-2 subnet; replies from internet hosts appear to be dropped here.
ip access-group 1 out
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface FastEthernet8.300
description CCTV
encapsulation dot1Q 300
ip address 10.1.4.1 255.255.255.0
! NOTE(review): no "access-list 3" exists anywhere in this config; IOS treats a reference to an
! undefined ACL as permit-all, so the CCTV VLAN is not actually being filtered. No "ip nat inside"
! here, so CCTV hosts are not translated toward either modem.
ip access-group 3 out
no cdp enable
!
! Uplink to the first modem (192.168.10.1); NAT outside.
interface GigabitEthernet0
ip address 192.168.10.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
shutdown
!
! SVI on the second modem's subnet (192.168.20.1); NAT outside.
interface Vlan1000
ip address 192.168.20.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
ip forward-protocol nd
! NOTE(review): plaintext HTTP management is enabled next to HTTPS; "no ip http server"
! once HTTPS access is confirmed working.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! access-list 1 matches 192.168.20.0/24 - the Vlan1000 outside subnet, not an inside VLAN -
! so no 10.1.x.x traffic is ever translated toward modem 2.
ip nat inside source list 1 interface Vlan1000 overload
! access-list 2 is permit-any: every inside VLAN (PUBLIC_DATA included) is translated toward modem 1.
ip nat inside source list 2 interface GigabitEthernet0 overload
! Two default routes with the same administrative distance, so traffic is load-shared across both modems.
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.20.1
! Static routes for directly connected subnets; the connected routes take precedence, so these have no effect.
ip route 10.1.1.0 255.255.255.0 192.168.10.1
ip route 10.1.2.0 255.255.255.0 192.168.20.1
!
! Standard ACLs referenced by the NAT statements and the "ip access-group ... out" lines above.
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit any
no cdp run
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
login local
! No login is configured on the aux port; add "login local" here as well unless the port is known to be unused.
line aux 0
! NOTE(review): telnet is accepted alongside SSH on every vty, so management logins can cross the LAN
! in cleartext; "transport input ssh" limits access to SSH.
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
ntp server timekeeper.isi.edu
!
end
where 192.168.10.1 and 192.168.20.1 are my 3G modems.
The configuration works, but the connection from the DATA/IPTV VLANs only really works when the other 3G modem is deactivated. I think the traffic tries to go through both gateways.
Does anyone have some tips I could try?
07-21-2014 11:56 AM
According to your configuration, internet should work for the following VLANs via 192.168.10.1:
interface FastEthernet8.100
interface FastEthernet8.110
interface FastEthernet8.120
No internet will work via 192.168.20.1 because your NAT access-list is wrong: you are NATing the same network segment (192.168.20.0/24) that the outside interface is on. You need to modify this:
no access-list 1 permit 192.168.20.0 0.0.0.255
modify
access-list 1 permit 10.1.3.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 10.1.2.0 0.0.0.255
modify
HTH
Sandy
07-21-2014 01:38 PM
OK, thanks, I will try this tomorrow.
07-22-2014 12:20 AM
I still have a problem: when only the 192.168.10.1 modem is connected I get full internet access.
The other modem, 192.168.20.1, does not have an internet connection at this time. So when both modems are connected I do not have any internet access on VLAN 110 and VLAN 100. These VLANs should only use the 192.168.10.1 modem as the gateway.
See the attachment showing the network.
07-22-2014 12:58 AM
Hi ,
Your router is sending traffic to both modems because the two default routes have equal cost. If you don't want to pass traffic via the secondary modem, change the weight (administrative distance) of its route to a higher value. After that you should have internet access from both VLANs.
no ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip route 0.0.0.0 0.0.0.0 192.168.20.100
HTH
Sandy
07-22-2014 02:25 AM
I want to pass traffic from VLAN 100 and VLAN 110 via modem 2 and traffic from VLAN 120 via modem 1.
It's still not working.
The gateway of last resort is 192.168.20.100 now.
Thanks for any help
07-22-2014 02:52 AM
Sorry for my blunder, I made a typo: instead of setting the weight to 100, I modified the IP address.
no ip route 0.0.0.0 0.0.0.0 192.168.20.100
ip route 0.0.0.0 0.0.0.0 192.168.20.1 100
For the requirement below we need to implement policy-based routing; let me know once you get your secondary internet up and working.
"I want to pass traffic from VLAN 100 and VLAN 110 via modem 2 and traffic from VLAN 120 via modem 1."
HTH
Sandy
07-22-2014 03:23 AM
OK, it's working now with both internet connections.
I do not know much about policy-based routing; this is the first time I have ever configured a Cisco router, so I need some guidance.
Thanks
07-22-2014 03:56 AM
Hi ,
I will help you; share your latest router config with me.
HTH
Sandy
kindly rate for helpful post
07-22-2014 07:30 AM
Building configuration...
Current configuration : 7104 bytes
!
! Last configuration change at 13:55:21 UTC Tue Jul 22 2014 by admin
version 15.2
! NOTE(review): "service config" makes the router try to fetch a configuration file from the
! network at boot; unless that is intended, "no service config".
service config
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password obfuscation is off, so any line/enable password added
! later is stored in cleartext; the only credential in this config uses "secret 5" (hashed).
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
! Local user database only (no AAA server); the lines at the bottom use "login local".
no aaa new-model
!
! Self-signed trustpoint backing "ip http secure-server" further down.
crypto pki trustpoint TP-self-signed-2144676908
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2144676908
! Revocation checking is off - the only workable choice for a self-signed certificate.
revocation-check none
rsakeypair TP-self-signed-2144676908
!
!
! Public certificate body (not a secret); the private key is not part of this output.
crypto pki certificate chain TP-self-signed-2144676908
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313434 36373639 3038301E 170D3134 30343136 32313436
33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31343436
37363930 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B233 E0CE3720 2DCC43DA 8927C8D1 B831EA24 F473F177 8C006E87 784CB766
09039302 2A2C9DA9 AF6E32BD E7103257 C5054C02 93910E15 A2523366 2DF09EED
EE416978 391C2827 3024C06F 8FA66E90 B7E2E91F 56DDD321 A211FDCA ED6ED977
A0E6DD17 5E774750 A315FB88 53C3844D CDC2FAE5 C8C31041 7BE85749 574204D4
DCA10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 140A4B93 5A3CC9B5 114BC63B A630DB6D BCA4E00F 4F301D06
03551D0E 04160414 0A4B935A 3CC9B511 4BC63BA6 30DB6DBC A4E00F4F 300D0609
2A864886 F70D0101 05050003 8181006A 42ECE16C 28D89ABD 2D4C4071 0DF31C7E
F6810537 EFDEEB30 9F1F640D 53FF3284 AD29A98C 8D25C25A 66A1C9B2 DE8467FA
30B653EB 1FD7B01D 5E59D73C 19135555 58892BB1 057BB1A2 671E2DE4 19C4328E
9272BEF9 29B49C71 3FE93075 A64B2027 DB88CC4B BFE3613B 1CA8B5A3 C884EACB
ECB66066 E915BAE5 9CD681CB 1E43C8
quit
ip cef
!
!
!
!
!
! Excluded ranges keep these addresses out of the dynamic pools; the fixed leases
! further down (10.1.1.10, 10.1.1.20, 10.1.3.10, 10.1.4.10) all fall inside them.
ip dhcp excluded-address 10.1.2.1 10.1.2.4
ip dhcp excluded-address 10.1.3.1 10.1.3.49
ip dhcp excluded-address 10.1.3.101 10.1.3.254
ip dhcp excluded-address 10.1.1.1 10.1.1.99
ip dhcp excluded-address 10.1.1.201 10.1.1.254
ip dhcp excluded-address 10.1.4.151 10.1.4.254
ip dhcp excluded-address 10.1.4.1 10.1.4.99
!
! VLAN 120 (FastEthernet8.120); DNS handed out is the second modem (192.168.20.1).
ip dhcp pool PUBLIC_DATA
network 10.1.2.0 255.255.255.0
default-router 10.1.2.1
dns-server 192.168.20.1
!
! VLAN 100 (FastEthernet8.100); DNS handed out is the first modem (192.168.6.1).
ip dhcp pool IPTV
network 10.1.3.0 255.255.255.0
default-router 10.1.3.1
dns-server 192.168.6.1
!
! VLAN 300 (FastEthernet8.300); no DNS server is handed out, consistent with this VLAN staying off the internet.
ip dhcp pool CCTV
network 10.1.4.0 255.255.255.0
default-router 10.1.4.1
!
! VLAN 110 (FastEthernet8.110); DNS handed out is Google public DNS.
ip dhcp pool DATA
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 8.8.4.4
!
! Fixed leases for named hosts: static1/static4 key on the DHCP client-identifier,
! static2/static3 on the hardware (MAC) address.
ip dhcp pool static1
host 10.1.1.10 255.255.255.0
client-identifier 01a0.2bb8.1f27.54
client-name windowsServer
!
ip dhcp pool static2
host 10.1.1.20 255.255.255.0
hardware-address 0800.2774.0895
client-name LinuxWebServer
!
ip dhcp pool static3
host 10.1.3.10 255.255.255.0
hardware-address d050.9909.d931
client-name IPTVServer
!
ip dhcp pool static4
host 10.1.4.10 255.255.255.0
client-identifier 010c.c47a.00d0.c3
client-name CCTVServer
!
!
!
ip domain name yourdomain.com
! The router's own resolver list: Google public DNS.
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO892-K9 sn FCZ181691ZS
!
!
!
spanning-tree portfast bpduguard
no spanning-tree vlan 120
no spanning-tree vlan 1000
! NOTE(review): this type-5 (salted MD5) hash has been posted publicly; treat the
! credential as exposed and change it.
username admin privilege 15 secret 5 $1$DG34$SZeBJtbAbam0Ev/SsxOJY0
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! ISDN BRI is unused and shut down.
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
! Switch port in VLAN 1000 - presumably where the second modem (192.168.20.1) plugs in;
! its layer-3 address lives on interface Vlan1000 below. Verify against the cabling.
interface FastEthernet0
switchport access vlan 1000
no ip address
no cdp enable
!
! FastEthernet1-7: unused switch ports, left in the default VLAN (interface Vlan1 is shut down below).
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
! Routed port; the 802.1Q subinterfaces below carry the four inside VLANs.
interface FastEthernet8
no ip address
duplex auto
speed auto
!
interface FastEthernet8.100
description IPTV
encapsulation dot1Q 100
ip address 10.1.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
! Policy routing: internet-bound traffic from this VLAN is handed to modem 1 (see route-map EXIT_CREW_IPTV).
! No inbound ACL here, so this VLAN can still reach the other inside VLANs and both modem subnets.
ip policy route-map EXIT_CREW_IPTV
no cdp enable
!
interface FastEthernet8.110
description DATA
encapsulation dot1Q 110
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
! Policy routing: internet-bound traffic from this VLAN is handed to modem 1 (see route-map EXIT_CREW_IPTV).
! No inbound ACL here, so this VLAN can still reach the other inside VLANs and both modem subnets.
ip policy route-map EXIT_CREW_IPTV
no cdp enable
!
interface FastEthernet8.120
description PUBLIC_DATA
encapsulation dot1Q 120
ip address 10.1.2.1 255.255.255.0
! Inbound filter keeps PUBLIC_DATA away from the three other inside VLANs (see ISOLATE_PUBLIC).
ip access-group ISOLATE_PUBLIC in
ip nat inside
ip virtual-reassembly in
! Policy routing: internet-bound traffic from this VLAN is handed to modem 2 (see route-map EXIT_PUBLIC).
ip policy route-map EXIT_PUBLIC
no cdp enable
!
interface FastEthernet8.300
description CCTV
encapsulation dot1Q 300
ip address 10.1.4.1 255.255.255.0
! access-list 3 permits only 10.1.4.0/24 sources, so nothing from another VLAN or the internet is
! forwarded into CCTV. No "ip nat inside" here, so CCTV hosts are not translated toward either modem.
ip access-group 3 out
no cdp enable
!
! Uplink to the first modem (192.168.6.1); NAT outside.
interface GigabitEthernet0
ip address 192.168.6.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
shutdown
!
! SVI on the second modem's subnet (192.168.20.1); NAT outside.
interface Vlan1000
ip address 192.168.20.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
! "ip default-gateway" is only consulted when IP routing is disabled; with routing on,
! the static default routes below are what count.
ip default-gateway 192.168.6.1
ip forward-protocol nd
! NOTE(review): plaintext HTTP management is enabled next to HTTPS; "no ip http server"
! once HTTPS access is confirmed working.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! NAT toward modem 1: route-map NAT_CREW_IPTV (access-list 30 plus egress GigabitEthernet0).
ip nat inside source route-map NAT_CREW_IPTV interface GigabitEthernet0 overload
! NAT toward modem 2: route-map NAT_PUBLIC (access-list 50 plus egress Vlan1000).
ip nat inside source route-map NAT_PUBLIC interface Vlan1000 overload
! Primary default route via modem 1; the modem-2 route is a floating static (distance 200)
! that only takes over if the first one disappears.
ip route 0.0.0.0 0.0.0.0 192.168.6.1
ip route 0.0.0.0 0.0.0.0 192.168.20.1 200
!
! Defined but not applied to any interface or route-map in this config.
ip access-list standard DENY_VLAN100
deny 192.168.20.0 0.0.0.255
!
! PBR selector for VLANs 100/110: the deny lines exclude 10/8 and 192.168/16 destinations from
! policy routing (those fall back to the normal routing table); everything else is sent to modem 1.
ip access-list extended CREW_IPTV
deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.1.3.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 10.1.3.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.1.3.0 0.0.0.255 any
! Inbound on VLAN 120: blocks PUBLIC_DATA from the three other inside VLANs. The closing
! "permit ip any any" still allows 192.168.6.0/24 and 192.168.20.0/24, and VLANs 100/110 carry
! no inbound ACL at all, so every VLAN can still reach both modem subnets (and DATA/IPTV can reach PUBLIC_DATA).
ip access-list extended ISOLATE_PUBLIC
deny ip any 10.1.1.0 0.0.0.255
deny ip any 10.1.3.0 0.0.0.255
deny ip any 10.1.4.0 0.0.0.255
permit ip any any
! PBR selector for VLAN 120, same pattern: local destinations use the normal table, everything else goes to modem 2.
ip access-list extended PUBLIC
deny ip 10.1.2.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.1.2.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.1.2.0 0.0.0.255 any
!
! access-list 1 and 2 are no longer referenced by anything in this config.
access-list 1 permit 10.1.2.0 0.0.0.255
access-list 2 permit any
! Applied outbound on FastEthernet8.300 (CCTV).
access-list 3 permit 10.1.4.0 0.0.0.255
! NAT selectors: exclude each modem's own subnet from translation, translate everything else.
access-list 30 deny 192.168.6.0 0.0.0.255
access-list 30 permit any
access-list 50 deny 192.168.20.0 0.0.0.255
access-list 50 permit any
no cdp run
!
! Translate toward modem 2 only for packets matching ACL 50 that are leaving via Vlan1000.
route-map NAT_PUBLIC permit 10
match ip address 50
match interface Vlan1000
!
! Packets permitted by CREW_IPTV are forced to modem 1; denied ones are routed normally.
route-map EXIT_CREW_IPTV permit 10
match ip address CREW_IPTV
set ip next-hop 192.168.6.1
!
! Translate toward modem 1 only for packets matching ACL 30 that are leaving via GigabitEthernet0.
route-map NAT_CREW_IPTV permit 10
match ip address 30
match interface GigabitEthernet0
!
! Packets permitted by PUBLIC are forced to modem 2; denied ones are routed normally.
route-map EXIT_PUBLIC permit 10
match ip address PUBLIC
set ip next-hop 192.168.20.1
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
login local
! No login is configured on the aux port; add "login local" here as well unless the port is known to be unused.
line aux 0
! NOTE(review): telnet is accepted alongside SSH on every vty, so management logins can cross the LAN
! in cleartext; "transport input ssh" limits access to SSH.
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
!
end
This works, and the web traffic goes via the correct modems, but clients from every VLAN are able to connect to both gateways. Is there something I could do to block this? Thanks.