06-26-2022 02:12 PM
I'm new to all this.
After a factory reset, I can attach the router to the internet with a static IP and ping 8.8.8.8.
Installed 16port service module sm-es2-16-p.
My goals are to attach all in-home network devices to the 16-port switch with DHCP and access the internet via the router (edge) and cable modem.
DHCP is configured and does assign IPs to devices.
My issue is, fathoming all this vlan. I'm not up to speed on it.
So, I'm just asking for help how to setup the connection between the internal switch and the router.
So, when advice is offered, please comment the specific commands I need to issue.
Any help is much appreciated.
06-27-2022 06:54 AM
Let's back up a bit. I assume there is a firewall on the internet connection (or at least I hope so). Is that true? If so, please describe its connection from an IP perspective. What is the intended purpose of the router and the switch. I think we have gotten a bit ahead of ourselves without clarifying the intended design.
06-27-2022 07:08 AM
No firewall. I would like to set this up as an edge router. Go ahead, laugh. I hear lots of people use the 2911 for edge use at home, if set up correctly. Right now, I am learning as I go along.
So, the internet runs from modem(static IP), to gig0/0 on the 2911. gig0/1, gig0/2 are not used.
The 16 port switch has two internal ports, gig1/0 and pardon my memory, I think its gig1/1.
In order to access the service-module, IP has to be assigned to gig1/0 of the switch. So I gave it 192.168.1.1. Believe me, I have searched about 20 websites/documents looking for proper configuration just for simple network on the switch to access the internet through the router.
I obtained this router from my IT guys at work about a month ago. It took me about half a day to figure out how to factory reset it. Another day or two to figure out ip assignment to gig0/0, ip routing and able to ping 8.8.8.8. This was without the switch installed. Last week, I installed the 16port switch, and since then it has been hell trying to configure it just for a simple network. Granted, I do learn something new every day with Cisco routing and switching. My daily work life consists of being a Master Diesel Technician for a large country wide dealership.
So, like I said in the beginning, I'm new to all this and am willing to learn, but for some tasks I will need actual step-by-step CLI guidance.
06-27-2022 07:34 AM
We still need some more detail. Do you have NAT and firewalling set up on the 2911? If not, that is job 1. Get a wired connection direct to a work station on one of the other gig ports on the 2911. Once that is done, then we can try to move the IP configuration from the physical interface in the router to one that ties in with the switch module.
06-27-2022 07:39 AM
No, NAT and FW are not set up yet. I was under the impression to set up basic networking first, apply the needed services, then put it into production.
06-27-2022 08:56 AM
Not on something facing the internet. Full stop until you have that done. Without NAT, the clients behind the router wouldn't have internet access anyway.
06-27-2022 09:07 AM
Very well. So gig0/0 would be nat outside and gig1/0 would be nat inside, correct?
06-27-2022 09:50 AM
Yes. DO NOT do that until you also have some firewalling in place. NAT is NOT sufficient protection for your inside clients.
06-27-2022 09:55 AM
This is SUPER OLD, but it could be a starting point. CBAC is the old firewall mechanism, but it is what I have right at hand. You would be better off with ZBFW (zone based firewall), but this is something.
!
! No configuration change since last restart
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service dhcp
!
hostname Internet-Router
!
logging buffered 4096 debugging
enable secret enable-password
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
no ip domain-lookup
!
no ip bootp server
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name inet-out cuseeme
ip inspect name inet-out ftp
ip inspect name inet-out fragment maximum 256 timeout 1
ip inspect name inet-out h323
ip inspect name inet-out netshow
ip inspect name inet-out rcmd
ip inspect name inet-out realaudio
ip inspect name inet-out smtp
ip inspect name inet-out sqlnet
ip inspect name inet-out streamworks
ip inspect name inet-out tftp
ip inspect name inet-out vdolive
ip inspect name inet-out tcp
ip inspect name inet-out udp
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
interface Serial0
 description Frame Relay circuit to the Internet
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 description PVC LEC Internet
 ip address 192.168.254.6 255.255.255.252
 ip access-group internet-in in
 ip access-group internet-out out
 no ip unreachables
 ip nat outside
 ip inspect inet-out out
 no cdp enable
 frame-relay interface-dlci 999
!
ip nat pool nat-pool 1.1.1.9 1.1.1.14 netmask 255.255.255.248
ip nat inside source route-map nonat pool nat-pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
no ip pim bidir-enable
!
ip access-list extended internet-in
 deny ip host 192.168.254.6 any log
 deny ip 1.1.1.8 0.0.0.7 any log
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip 240.0.0.0 7.255.255.255 any log
 deny ip 248.0.0.0 7.255.255.255 any log
 deny ip host 255.255.255.255 any log
 permit icmp any 1.1.1.8 0.0.0.7 echo-reply
 permit icmp any 1.1.1.8 0.0.0.7 time-exceeded
 permit icmp any 1.1.1.8 0.0.0.7 packet-too-big
 permit icmp any 1.1.1.8 0.0.0.7 administratively-prohibited
 permit icmp any host 192.168.254.6 echo
 permit icmp any 1.1.1.8 0.0.0.7 unreachable
 deny tcp any 1.1.1.8 0.0.0.7 gt 1023
 permit udp host 198.82.162.213 host 192.168.254.6 eq ntp
 permit udp host 130.126.24.53 host 192.168.254.6 eq ntp
 deny ip any any log
ip access-list extended internet-out
 permit ip 1.1.1.8 0.0.0.7 any
 deny ip any any log
ip access-list extended nat-list
 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 deny ip any any log
no cdp run
route-map nonat permit 10
 match ip address nat-list
!
line con 0
line aux 0
line vty 0 4
 access-class 113 in
 password 0 line-password
 login
!
no scheduler allocate
ntp clock-period 17179884
ntp server 130.126.24.53
ntp server 198.82.162.215
end
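The same "inside may start sessions out, nothing unsolicited comes in" behaviour as the CBAC config above, written as a zone-based firewall (ZBFW) for the 2911 in this thread. This is an added example, not the poster's configuration and not a Cisco reference config. It assumes GigabitEthernet0/0 is the internet-facing interface and GigabitEthernet1/0 the LAN-side interface (as agreed earlier in the thread), that the zone, class-map, policy-map and ACL names are free to choose (they are made up here), and that the router runs the securityk9 technology package; the posted router config only shows datak9 enabled, and neither CBAC nor ZBFW is available without the security package, so check `show license` before starting.

```cisco
! Two zones: the LAN and the internet-facing link
zone security INSIDE
zone security OUTSIDE
!
! What the LAN may initiate toward the internet. "inspect" builds a
! stateful session, so only the replies to these sessions come back in.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! No OUTSIDE->INSIDE zone-pair is defined on purpose: traffic between two
! zones with no policy is dropped, so nothing from the internet can start
! a connection to a LAN host. Return traffic for NATed sessions is matched
! against the inspect session above, not this default.
!
! The router itself (the "self" zone) is reachable from every zone unless
! a policy says otherwise. Allow only the ICMP replies the router's own
! pings and traceroutes need and drop everything else from the internet.
ip access-list extended OUTSIDE-TO-SELF-ACL
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
!
class-map type inspect match-all OUTSIDE-TO-SELF-CLASS
 match access-group name OUTSIDE-TO-SELF-ACL
!
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF-CLASS
  pass
 class class-default
  drop log
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
!
! Nothing is enforced until the interfaces are put in their zones
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
interface GigabitEthernet1/0
 zone-member security INSIDE
!
! Checks:
! show zone-pair security
! show policy-map type inspect zone-pair sessions   (sessions appear as LAN hosts browse)
```

Two caveats a first-time ZBFW user usually hits: an interface that is in a zone cannot exchange traffic with an interface that is in no zone at all (so every interface that should carry traffic, including any cellular interface that is actually in use, needs a zone and a zone-pair), and the OUTSIDE-to-self policy above also blocks SSH and Telnet from the internet, which is the intended result; manage the router from the LAN side.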
06-27-2022 01:20 PM
As I'm researching, I came across AutoSecure. Is this something I could enable instead?
06-27-2022 04:52 PM
updated router config...
Using 5174 out of 262136 bytes
!
! Last configuration change at 23:01:43 UTC Mon Jun 27 2022
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO_ROUTER
!
boot-start-marker
boot system flash flash:c2900-universalk9-mz.SPA.157-3.M8.bin
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$hEsq$prpscmb89KRaHcwLUP4ze0
enable password 7 08205F5D0116091240
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
!
aaa session-id common
no process cpu extended history
no process cpu autoprofile hog
!
!
!
!
!
!
no ip source-route
no ip routing
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name snm
no ip cef
login block-for 50 attempts 10 within 10
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
!
!
voice-card 0
!
!
!
!
!
!
!
!
vxml logging-tag
license udi pid CISCO2911/K9 sn
license accept end user agreement
license boot module c2900 technology-package datak9
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
archive
log config
logging enable
vtp domain SNM
vtp mode transparent
username password 7 0112151753040A0A70
!
redundancy
!
!
controller Cellular 0/0
lte sim data-profile 3 attach-profile 1
lte sms archive path
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
vlan 10,50-51,100,200
no cdp run
!
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept connection-timeout 3600
ip tcp intercept watch-timeout 15
ip tcp intercept max-incomplete low 450 high 550
ip tcp intercept drop-mode random
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
shutdown
no cdp enable
no mop enabled
!
interface GigabitEthernet0/0
ip address 72.212 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
shutdown
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no ip route-cache
no cdp enable
no mop enabled
!
interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
no ip address
shutdown
no cdp enable
!
interface Cellular0/0/0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
no ip route-cache
dialer in-band
dialer string lte
!
interface Cellular0/0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
no ip route-cache
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
shutdown
no mop enabled
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no mop enabled
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 72.212.145.129
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
logging trap debugging
logging facility local2
ipv6 ioam timestamp
!
!
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
banner motd ^C ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
exec-timeout 15 0
script dialer lte
login authentication local_auth
no exec
line 0/0/1
exec-timeout 15 0
login authentication local_auth
no exec
line 67
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
flowcontrol software
line vty 0 4
password 7 045A1815072E404B5A
login authentication local_auth
transport input telnet ssh
!
scheduler allocate 20000 1000
06-27-2022 04:53 PM
updated SWITCH config
Using 2572 out of 65536 bytes
!
! Last configuration change at 22:11:24 UTC Sun Jun 26 2022
! NVRAM config last updated at 22:11:27 UTC Sun Jun 26 2022
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO_SWITCH
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool SNMPOOL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
!
!
!
crypto pki trustpoint TP-self-signed-3443242112
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3443242112
revocation-check none
rsakeypair TP-self-signed-3443242112
!
!
crypto pki certificate chain TP-self-signed-3443242112
certificate self-signed 01 nvram:IOS-Self-Sig#3232.cer
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/2
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/3
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/4
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/5
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/6
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/7
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/8
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/9
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/10
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/11
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/12
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/13
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/14
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/15
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/16
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/1
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface Vlan1
ip address 192.168.1.5 255.255.255.0
no ip route-cache
!
ip http server
ip http secure-server
ip sla enable reaction-alerts
!
line con 0
speed 115200
flowcontrol software
line vty 0 4
login
line vty 5 15
login
!
end
06-28-2022 02:48 PM
No thoughts?
06-29-2022 06:07 AM
You need to apply the same parameters to G0/17 and G0/18 (access port commands). That is likely why you can't ping between the router and the switch.
Trying not to get carried away, but there are still no ACL's. What you have there would do NAT, but it is NOT SECURE and a REALLY BAD IDEA to do that without firewalling.
06-29-2022 08:57 AM
I have several observations:
- first and most important is that the router is configured with no ip routing. You need to enable routing to be able to forward traffic from the switch.
- you have configured the ip address 192.168.1.1 on 2 different interfaces. I am surprised that the router allowed you to do this. That address needs to be on a single interface and that interface should be the one associated with vlan 1 on the switch.
- the router configured interface vlan 10 with an IP address. But there is not any vlan 10 in the switch.
- the router has no IP address for vlan 1. If the switch ports are in vlan 1 (which the switch config has) then the router needs an IP for vlan 1.
- The router has configuration for enable secret and also for enable password. If enable secret is configured then enable password is ignored. There is no reason to have both. Remove enable password from the config.
- the router is configured with no ip cef. I am not sure why this is and would suggest enabling ip cef.
- For NAT to work the ip nat inside needs to be configured on the interface that has IP 192.168.1.1. And you need to configure an access list to use in enabling NAT. And you need to configure the command that does enable NAT.
Address these observations and let us know the results.
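The observations above (and the earlier note about the switch's G0/17 and G0/18 uplink ports) turned into CLI, as an added example that is not from either poster. It assumes the router-side end of the service-module link is GigabitEthernet1/0 (the interface the posted router config already marks `ip nat inside`), that the switch-side end is GigabitEthernet0/17 and 0/18, that all LAN ports stay in VLAN 1 as in the posted switch config, and that the outside address on GigabitEthernet0/0 is kept as already configured; the ACL name NAT-INSIDE is made up. Configure the firewall before connecting the outside interface, as the thread insists; this block only covers routing and NAT.

```cisco
! ---- on the 2911 (configure terminal) ----
! 1. Forwarding is off ("no ip routing" in the posted config); turn routing and CEF back on
ip routing
ip cef
!
! 2. 192.168.1.1 must live on one interface only; take it off Vlan10
interface Vlan10
 no ip address
 shutdown
!
! 3. enable secret is in use, so the (reversible, type 7) enable password is dead weight
no enable password
!
! 4. LAN side of the service-module link: inside address and NAT inside
interface GigabitEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
! 5. Internet side: NAT outside
interface GigabitEthernet0/0
 ip nat outside
!
! 6. Which inside sources get translated, and the statement that actually enables NAT
!    (overloading the outside interface address, since there is one static IP)
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! ---- on the switch module (session into it, then configure terminal) ----
! Uplink ports toward the router get the same access-port settings as the LAN ports
interface GigabitEthernet0/17
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
!
interface GigabitEthernet0/18
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
!
! The switch's management address on Vlan1 (192.168.1.5) needs a gateway
ip default-gateway 192.168.1.1
!
! ---- checks, from the router ----
! show ip interface brief            (Gi1/0 up/up with 192.168.1.1, Vlan10 administratively down)
! ping 192.168.1.5                   (router to switch management address)
! ping 8.8.8.8 source GigabitEthernet1/0
! show ip nat translations           (entries appear once a LAN host opens a connection)
```

If `ping 192.168.1.5` fails after this, compare `show interfaces GigabitEthernet1/0` on the router with `show interfaces GigabitEthernet0/17` on the switch before changing anything else; the link between them has to be up/up before NAT or routing can be blamed.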