02-23-2011 09:10 PM - edited 03-04-2019 11:32 AM
Dear all,
Good Day!!
I have a CISCO1811/K9 router, which has 2 routed ports and 8 switch ports.
Now I have a requirement to host a web server which should be accessible from the Internet.
I am planning to do the below configurations:
I will terminate the Internet link on the FE-0 interface.
Out of the eight switch ports, I am planning to put the first 4 interfaces in the native VLAN to connect four computers (users).
The remaining 4 ports will be in another VLAN where I will put the public servers (as of now only one server).
These servers should be accessible by the 4 internal computers as well as from the Internet (anywhere).
Configuration:
VLAN 1: fastethernet 2-5
VLAN 10: fa 6-9
VLAN 1 will be in 192.168.1.0/24 subnet.
VLAN 10 will be in a public IP pool of 8 IP addresses (yet to buy).
Interface Fa 0 will have the (WAN-IP) given by the service provider.
For inter-VLAN configuration I am going to do the below:
#int vlan 1
#ip address 192.168.1.1/24
#no shut
#int vlan 10
#ip address (public-ip for example 200.1.1.1/29)
#no shut
# ip routing (for inter-VLAN communication)
Is the above correct? Correct me if I am going wrong.
After this I will configure NAT for the internal private IP users to get an Internet connection.
Configure a default route to the Internet.
Am I good to go with the above configurations?
Is there any other way to achieve the above goal?
Is it possible to put these public servers in a DMZ with the 1811 router? If yes, please help me with the configuration.
What other security measures can we take on the router against hits or attacks coming from the Internet?
Any suggestions or inputs will really help.
Thanks,
Raghavendra
02-24-2011 02:15 AM
Hi Raghavendra,
The steps you have mentioned are somewhat OK.
But I would suggest doing NAT for those servers that need to be accessed from the Internet, so that you can access them from your internal network as well as from the Internet. This way you will be secure, rather than putting them in a DMZ without an ASA.
If you still want to put those servers directly on the Internet by assigning public IPs, then you need very strict ACLs; also refer to the link below for how they set up a DMZ with Cisco routers.
http://www.parkansky.com/tutorials/dmz.htm
Hope this will help you.
Please rate the helpful posts.
Regards,
Naidu.
03-02-2011 09:15 PM
Hello all,
I created two VLANs in the 1811 router: VLAN 5 (ports 2-5) and VLAN 10 (ports 6-9).
interface Vlan10
ip address xx.xx.xx.xx 255.255.255.240
!
interface Vlan5
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
# IP routing (for inter VLAN communication)
But I am still not able to achieve inter-VLAN routing. Can you please help?
Thanks,
Raghavendra
03-03-2011 12:04 AM
Hi Raghavendra,
Make sure you removed the IP address from the physical interface (on which you have configured subinterfaces), and turn it on:
Router(config-if)#no ip address
If you plan to let routing updates go through the router from one VLAN to another, it is necessary to turn off split-horizon. Split-horizon technology forbids the update coming from one interface to go out the same interface. Split-horizon can be turned off using the following command issued in the physical interface:
Router(config-if)#no ip split-horizon
Hope this helps you.
Please rate the helpful posts.
Regards,
Naidu.
03-03-2011 01:18 AM
Dude,
I am not configuring router-on-a-stick here.
The 1811 has 8 switch ports, and I have divided these switch ports into 2 VLANs.
Tks,
Raghavendra
03-03-2011 01:26 AM
Hi Raghavendra,
Where have the VLANs been configured?
Regards,
Naidu.
03-03-2011 01:41 AM
In the router itself.
!
interface FastEthernet0
ip address xx.xx.xx.xx 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 5
!
interface FastEthernet3
switchport access vlan 5
!
interface FastEthernet4
switchport access vlan 5
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 10
!
interface FastEthernet7
switchport access vlan 10
!
interface FastEthernet8
switchport access vlan 10
!
interface FastEthernet9
switchport access vlan 10
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan10
ip address xx.xx.xx.xx 255.255.255.240
!
interface Vlan5
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
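Added example, not part of any post in this thread: a small Python check that reads an IOS running-config like the one posted above and lists the routed interfaces that have no inbound `ip access-group`, which is the gap the "very strict ACLs" advice earlier in the thread refers to. The sample config is constructed from the posted excerpt with documentation addresses in place of the masked ones; the function names are assumptions.

```python
import re

# Constructed sample: the thread's L3 interfaces, masked addresses replaced by documentation ranges.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1
 no ip address
 shutdown
!
interface Vlan10
 ip address 198.51.100.1 255.255.255.240
!
interface Vlan5
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS running-config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # scraped configs often lose their indentation
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line == "!" or not line:
            current = None  # "!" closes the interface stanza
        elif current is not None:
            current.append(line)
    return interfaces

def audit(config):
    """List (interface, NAT role) for addressed, enabled interfaces with no inbound ACL."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds or not any(re.match(r"ip address \d", c) for c in cmds):
            continue  # disabled or unaddressed: nothing is routed through it
        has_acl_in = any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds)
        nat = next((c.split()[-1] for c in cmds if c in ("ip nat inside", "ip nat outside")), "none")
        if not has_acl_in:
            findings.append((name, nat))
    return findings

if __name__ == "__main__":
    for name, nat in audit(SAMPLE_CONFIG):
        print(f"{name}: no inbound ACL (NAT role: {nat})")
```

An interface reported with NAT role `none` and a public address, such as Vlan10 here, is routed directly to and from the Internet-facing interface, so it depends entirely on whatever ACLs are applied.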