Need suggestion

Raghavendra Rai
Level 1

Dear all,

Good Day!!

I am having a CISCO1811/K9 router which has 2 routed ports and 8 switch ports.

Now I have a requirement of hosting a web server which should be accessible by Internet.

I am planning to do the below configurations:

I will terminate internet link on FE-0 interface.

Out of eight switch ports I am planning to put the first 4 interfaces in the native VLAN to connect four computers (users).

The remaining 4 ports will be in another VLAN where I will put the public servers (as of now only one server).

These servers should be accessible by the internal 4 computers as well as from the Internet (anywhere).

Configuration:

VLAN 1: fastethernet 2-5

VLAN 10: fa 6-9

VLAN 1 will be in 192.168.1.0/24 subnet.

VLAN 10 will be in a public IP pool of 8 IP addresses (yet to buy).

Interface Fa 0 will have the WAN IP given by the service provider.

For inter-VLAN configuration I am going to do the below:

#int vlan 1

#ip address 192.168.1.1/24

#no shut

#int vlan 10

#ip address (public-ip for example 200.1.1.1/29)

#no shut

# ip routing (for inter-VLAN communication)

Is the above correct? Correct me if I am going wrong.

After this I will configure NAT for internal private IP users to get an Internet connection.

Configure a default route to the Internet.

Am I good to go with the above configurations?

Is there any other way to achieve the above goal?

Is it possible to put these public servers in a DMZ with the 1811 router? If yes, please help me with the configuration.

What other security measures can we take on the router against the hits or attacks coming from the Internet?

Any suggestions or inputs will really help.

Thanks,

Raghavendra

6 Replies

Latchum Naidu
VIP Alumni

Hi Raghavendra,

The steps you have mentioned are somewhat OK.
But I would suggest doing NAT for those servers that need to be accessed from the Internet, so that you can access them from your internal network as well as from the Internet. This way it will be secure, rather than putting them in a DMZ without an ASA.


If you still want to put those servers directly on the Internet by assigning public IPs, then you need to apply very strict ACLs; also refer to the link below for how they set up a DMZ with Cisco routers.
http://www.parkansky.com/tutorials/dmz.htm


Hope this will help you.

Please rate the helpful posts.

Regards,
Naidu.
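
The strict-ACL option mentioned in the reply above, sketched as an added example that is not part of the original thread or any poster's configuration. It assumes the asker's example subnet 200.1.1.0/29 on Vlan10 and users on 192.168.1.0/24; the server address 200.1.1.2 and the ACL names are hypothetical.

```cisco
! Added example. Assumed addressing: Vlan10 = 200.1.1.1/29 (asker's example),
! web server = 200.1.1.2 (hypothetical), users = 192.168.1.0/24.
! ACL names TO-SERVERS and FROM-SERVERS are hypothetical.
!
! Traffic the router forwards TO the server VLAN, whether it comes
! from the Internet or from the internal users.
ip access-list extended TO-SERVERS
 remark only web traffic may reach the public server
 permit tcp any host 200.1.1.2 eq www
 permit tcp any host 200.1.1.2 eq 443
 remark replies to TCP sessions the servers opened (stateless ACK/RST match)
 permit tcp any 200.1.1.0 0.0.0.7 established
 remark everything else is dropped and logged
 deny ip any any log
!
! Traffic arriving FROM the server VLAN.
ip access-list extended FROM-SERVERS
 remark web replies may return to the internal users
 permit tcp host 200.1.1.2 eq www 192.168.1.0 0.0.0.255 established
 permit tcp host 200.1.1.2 eq 443 192.168.1.0 0.0.0.255 established
 remark servers may not open connections into the user VLAN
 deny ip any 192.168.1.0 0.0.0.255 log
 remark only the server subnet may source traffic; spoofed sources are dropped
 permit ip 200.1.1.0 0.0.0.7 any
 deny ip any any log
!
interface Vlan10
 ip access-group TO-SERVERS out
 ip access-group FROM-SERVERS in
```

The `established` keyword only checks TCP flags and keeps no session state, and UDP services such as DNS for the servers would need their own entries.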

Hello all,

I created two VLANs in the 1811 router: VLAN 5 (ports 2-5) and VLAN 10 (ports 6-9).

interface Vlan10
ip address xx.xx.xx.xx 255.255.255.240
!
interface Vlan5
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly

# IP routing (for inter-VLAN communication)

But I am still not able to achieve inter-VLAN routing. Can you please help?

Thanks,

Raghavendra

Hi Raghavendra,

Make sure you have removed the IP address from the physical interface (on which you have configured subinterfaces), and turn it on:

Router(config-if)#no ip address


If you plan to let routing updates go through the router from one VLAN to another, it is necessary to turn off split-horizon. Split-horizon technology forbids the update coming from one interface to go out the same interface. Split-horizon can be turned off using the following command issued on the physical interface:

Router(config-if)#no ip split-horizon


Hope this helps you.

Please rate the helpful posts.
Regards,
Naidu.

Dude,

I am not configuring router-on-a-stick here.

The 1811 has 8 switch ports, and I have divided these switch ports into 2 VLANs.

Tks,

Raghavendra

Hi Raghavendra,

Where have the VLANs been configured?

Regards,
Naidu.

In the router itself.

!
interface FastEthernet0
ip address xx.xx.xx.xx 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 5
!
interface FastEthernet3
switchport access vlan 5
!
interface FastEthernet4
switchport access vlan 5
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 10
!
interface FastEthernet7
switchport access vlan 10
!
interface FastEthernet8
switchport access vlan 10
!
interface FastEthernet9
switchport access vlan 10
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan10
ip address xx.xx.xx.xx 255.255.255.240
!
interface Vlan5
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
