VLAN Routing and switching

francisgamo · ‎05-16-2012

Hello CISCO experts,

Im planning for a network upgrade.

current situation:

-------------------

cisco 1841 -----------> 3COM none managable switch -------> users, servers, printers

-------------------

77.110.87.112/28 - is assigned to selected users and configured manually.(note: they are public IP which our ISP assigned)

192.168.1.0/24 - is assigned to users that are not allowed to use internet services and configured manually.

my proposal:

I have CISCO 1841 Router connected to the internet and CISCO SGE2000-G5 24ports layer 3 switch that is connected to cisco 1841 router.

i want to create vlan in layer 3 switch.

my vlans are: VLAN 10 : 77.110.87.112/28 => this netwrork is provided by ISP(public ip) which clients are currently using.

: VLAN 20 : 192.168.1.0/24 => this network is for all users that are not allowed to access internet

: VLAN 30 : 192.168.2.0/24 => i will create this vlan for the SERVERs

: VLAN 40 : 192.168.3.0/24 => i will create this vlan for printers

i want all vlans would still ping to each other and file/printer sharing is available.

kindly check if my network upgrade plan is correct and help me how am i going to configure those vlan in my layer 3 switch and to connect to the internet.

thanks in advance

Francis

Joseph W. Doherty · ‎05-16-2012

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

How does the 1841 connect to the Internet, both logical (e.g. /30 p2p?) and physical (Ethernet, serial)?

Where exactly are the 77.110.87.112/28 and 192.168.1.0/24 hosted and their gateways now?

How many internal hosts?

All 192.168.0.0/16 hosts are not to be able to interact with the Internet?

francisgamo · ‎05-16-2012

thank you very much for the reply Sir Joseph.

by the way 1841 router is connected trough 3G modem to ISP using P2P encapsulation.

77.110.87.112/28 network => is hosted in 1841 cisco router which is connected to 3COM unmanagable switch.

192.168.1.0/24 - is assigned to clients mannually configured. it means this is hosted only by switches.

if this clients uses the ip address of the above users the conflict in IP is appearing and the network gets down.

thats why i want to subnet the network ang implement a good system. so that if the users in /24 network uses the ip's of /28. there's no harm to the network.

thanks in advance

Francis

Joseph W. Doherty · ‎05-17-2012

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If I correctly understand what you have now, and want you want to do, it might be accomplished by defining just two VLANs on your L3 switch. One VLAN will be for your 77.110.87.112/28, the other for your 192.168.1.0/24. (You could have more 192.168.x.0 subnets but unless you have more than several hundred hosts or also plan to support some special security between these subnets, you really don't need more.)

The 77.110.87.112/28 will require a new IP for the L3 switch and if you want hosts on these subnets to be able to reach 192.168.x.0/24 you'll also need static route(s) on the 1841. (I assume it already has a static route for default point toward the Internet.)

The 192.168.x.0/24 subnet, if its interface is defined as the host gateway, should, by default, be able to route to 77.110.87.112/28 but not the Internet.

francisgamo · ‎05-17-2012

thanks for the reply SIr,

exactly what you're thinking would do.

if your topology could accomplish my goal then let it be. but i want 77.110.87.112/28 will connect to the internet and 192.168.1.0/24 wont.

Q: do i need to create an access list in 1841 to permit /28 network for WAN and deny /24 network?

if so. what are the proper statement that i would type.

thanks in advance

francis

Joseph W. Doherty · ‎05-20-2012

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Q: do i need to create an access list in 1841 to permit /28 network for WAN and deny /24 network?

That depends on how you routing is enabled and which devices act as gateways.

If the 1841 is the gateway for you /28 and the L3 switch the gateway for the /24(s), and if dynamic routing not enabled between them, the /24(s) won't know about the Internet. The /28 won't either which is why I wrote it will need a static route back to the /24(s).

Of course, if the gateways resides on the same L3 devices are the two devices use a dynamic routing update that that advertises the default, you'll want an ACL.

chan_tronics · ‎05-21-2012

Hello Francis

Is Cisco 1841 router's Interface is configured with the subnet 77.110.87.112/28 ?

Can you post your router's config to visualise the exact scenario?

francisgamo · ‎05-21-2012

Hello Sir, Joseph and Chandrakant,

Here's the router Configuration in packet tracer. i dont know what am doing , just be patience with me coz im just a beginner.

Current configuration : 643 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

spanning-tree mode pvst

!

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/0/0

ip address 10.1.1.2 255.255.255.252

!

router rip

version 2

network 10.0.0.0

network 77.0.0.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.1.1

!

line con 0

line vty 0 4

login

!

end

And here's my layer 3 switch configuration.

Current configuration : 2322 bytes

!

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Switch

!

ip dhcp excluded-address 77.110.87.113 77.110.87.114

ip dhcp excluded-address 192.168.1.1 192.168.1.10

!

ip dhcp pool VLAN10

network 77.110.87.112 255.255.255.240

default-router 77.110.87.113

dns-server 213.165.32.134

ip dhcp pool VLAN1

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 192.168.1.1

ip routing

!

spanning-tree mode rapid-pvst

!

interface FastEthernet0/1

description CONNECTION TO ROUTER 1841

switchport mode trunk

!

interface FastEthernet0/2 - assigned to vlan 1

switchport mode access

!

interface FastEthernet0/3 - assigned to vlan 10

switchport access vlan 10

ip helper-address 192.168.1.2

switchport mode access

!

interface Vlan1

ip address 192.168.1.2 255.255.255.0

!

interface Vlan10

ip address 77.110.87.113 255.255.255.240

ip helper-address 192.168.1.2

!

router rip

version 2

network 77.0.0.0

network 192.168.1.0

!

ip classless

ip route 192.168.1.0 255.255.255.0 192.168.1.1

!

line con 0

line vty 0 4

login

!

end

I want VLAN 10 to connect to the internet and vlan1 locally.

but both VLANs should share files and printers.

thanks in advance

francis

chan_tronics · ‎05-22-2012

Hello Francis

Set the default router as 192.168.1.2 in IP dhcp vlan1 and remove DNS entry.

ip dhcp pool VLAN1

network 192.168.1.0 255.255.255.0

default-router 192.168.1.2

Remove "ip route 192.168.1.0 255.255.255.0 192.168.1.1"

Test and let me know the status.

Cheers

Chandrakant

francisgamo · ‎05-22-2012

Thanks a lot Sir Chandrakant,

I did what you've said but when i ping 192.168.1.1 which is the router, from vlan 10(77.110.87.114), there's no reply.

but when i ping 192.168.1.2 and the rest of the clients in vlan 1 from VLAN10 it is replying.

what else do i need to add to my layer 3 switch so that my vlan 10 will reach the WAN.

thanks in advance,

Francis

chan_tronics · ‎05-22-2012

Hello Francis

Ammend the config of layer 3 switch as highlighted below and let me know the status.

interface FastEthernet0/1

description CONNECTION TO ROUTER 1841

switchport mode access

ip route 0.0.0.0 0.0.0.0 192.168.1.1

francisgamo · ‎05-22-2012

Thanks Sir,

Here's my new configuration, but no luck.

Current configuration : 2266 bytes

!

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Switch

!

ip dhcp excluded-address 77.110.87.113 77.110.87.114

ip dhcp excluded-address 192.168.1.1 192.168.1.10

!

ip dhcp pool VLAN1

network 192.168.1.0 255.255.255.0

default-router 192.168.1.2

ip dhcp pool VLAN10

network 77.110.87.112 255.255.255.240

default-router 77.110.87.113

dns-server 4.2.2.2

ip routing

!

spanning-tree mode rapid-pvst

!

interface FastEthernet0/1

description CONNECTION TO ROUTER 1841

switchport trunk encapsulation dot1q

switchport mode access

!

interface FastEthernet0/2

switchport mode access

!

interface FastEthernet0/3

switchport access vlan 10

switchport mode access

!

interface Vlan1

ip address 192.168.1.2 255.255.255.0

!

interface Vlan10

ip address 77.110.87.113 255.255.255.240

ip helper-address 192.168.1.1

!

router rip ---------------------------------------------------------------> is there a problem if i use rip in my layer 3 switch?

version 2

network 77.0.0.0

network 192.168.1.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.1.1

!

end

thanks in advance

chan_tronics · ‎05-23-2012

Hello Francis

Remove the command "switchport trunk encapsulation dot1q" and test.

interface FastEthernet0/1

description CONNECTION TO ROUTER 1841

no switchport trunk encapsulation dot1q

switchport mode access

RIP will not be a problem as Static routes will preferred over RIP routes.

Cheers