
1841 - I can ping and tracert but not browse

patrsup
Level 1

I am still working on the switching and routing at a small school. I have the 1841 hanging off port 48 on my 3750 switch and it connects to the router in port 1.

I am trying to get this 1841 to host several Ubiquiti access points and provide basic DHCP services. The 3750 is doing well with its setup, I believe.

I have included the three configs I have.

Thanks in advance for your time

pat


Can you post the configuration of the router?

Jon


User Access Verification

Password:
Algoma-Router-1>en
Password:
Algoma-Router-1#sh run
Building configuration...

Current configuration : 3636 bytes
!
! Last configuration change at 17:01:26 EST Mon Nov 16 2015
! NVRAM config last updated at 17:03:44 EST Mon Nov 16 2015
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service password-recovery
!

!
boot-start-marker
boot-end-marker
!
logging buffered 64000
logging console informational

no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
!
no ipv6 cef
no ip source-route
ip options drop
ip cef
!
!
!
!
no ip bootp server
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX171280TT
!
!
archive
log config
logging enable
hidekeys
!
!
!
!
!
!
interface GigabitEthernet0/0
description Charter
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description Barracuda and Office
no ip dhcp client request tftp-server-address
ip address 192.168.1.1 255.255.255.0
ip access-group incoming in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Serial0/0/0
description FTPS - Frame-Relay Lite connection to FTPS Data Centers - DLCI 293
bandwidth 56
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation frame-relay IETF
logging event subif-link-status
logging event dlci-status-change
shutdown
priority-group 4
service-module t1 timeslots 1
frame-relay lmi-type cisco
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 172.23.1.0 255.255.255.0 192.168.1.2
ip route 172.24.53.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended OUTSIDE-IN
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 100.64.0.0 0.63.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
ip access-list extended OUTSIDE-out
permit ip any any
ip access-list extended incoming
permit udp any any
permit icmp any any
permit tcp any any
deny ip any any log
!
no logging trap
access-list 101 permit ip 172.23.1.0 0.0.0.255 any
access-list 101 permit ip 172.24.53.0 0.0.0.255 any
!
no cdp run

!
snmp-server community Fire RO
snmp-server community Fall RW
!
control-plane
!

Okay, it should be working.

If you can ping 192.168.1.1 then the 1900 knows how to route back to your subnet and is allowing ping, and the NAT is set up correctly.

Not sure what is happening.

From the working subnet, i.e. 172.24.53.x, can they ping internet IPs?

If so you should be able to from your laptop as well.

What IP are you trying to ping?

Jon

It is weird - I can browse but not ping from both the new and old subnets - also I can tracert across them also

So you can access the internet but not ping from either subnet?

Could you ping before?

There is nothing I can see that is blocking ping unless it is blocked further along the line.

Jon

Used to be able to ping from the 172.24.53.x subnet - no big deal at this point...

Okay, so can you access web pages from both vlans?

If so we can finish off with the L3 port and the management vlan if you still have time for it.

If not no problem.

I can't see anything that would block ping.

Jon

Yes to both questions - I am here for a meeting in a few hours so have lots of time - sorry for keeping you up late

Okay we will reuse vlan 2 for the management vlan.

So the first thing to do is, on the existing 3750, move the IP from the vlan 2 interface to the port connecting to the 1900, i.e.

int vlan 2
no ip address

int gi<x/y>  <-- this connects to router
no switchport
ip address 192.168.1.2 255.255.255.0

Then go onto the router and do -

"clear ip arp"

Go back to the existing 3750 and make sure you can ping 192.168.1.1.

If you can, good; if not, on the 1900 shut the gi0/1 interface and then bring it back up.

Then try ping again.

Once you can ping the router from the switch, check you have internet access from existing and new subnets and then let me know.

Then we can do the management vlan.

For the management vlan you will need a new IP subnet, can you let me know what it will be?

Jon

I am assuming you have console access to these devices?

If not, don't do what I just explained, let me know how you are connecting.

Jon

got - it all works

I have console to both

Great.

So the last bit is to create the management vlan.

You have vlan 2 set up on your existing switch, so choose a new IP subnet and assign an IP to the vlan 2 interface, i.e.

int vlan 2
ip address x.x.x.1 <subnet mask>

Then on your new switch you need to create the vlan and the L3 interface for that vlan and add a default gateway.

switch(config)# vlan 2
switch(config-vlan)# name <probably "mgmt" or whatever makes sense>

int vlan 2
ip address x.x.x.2 <subnet mask>
no shut

ip default-gateway <vlan 2 x.x.x.1 IP on your existing 3750>

You should then be able to ping between switches, and your new switch should also be able to ping the vlan 53 and 56 IP addresses on your existing 3750.

If you want to be able to ping or reach these IPs from the router you need to add a route for the new subnet on your router, i.e.

"ip route <subnet> <subnet mask> 192.168.1.2"

Try all that and let me know how it goes and then I'll just do a quick run through of exactly what we have set up and how you can add more subnets later etc.

Jon

Yep - even have cdp nei

Right, well that's it then.

So your existing 3750 is where all the routing for any internal vlans/IP subnets you create is done.

Your new 3750 is simply a L2 switch, i.e. it does no routing for client vlans and the vlan 2 interface is purely so you can log onto it and configure it.

Any traffic for remote subnets is routed by the 3750 to the 1900 router.

So if you wanted to add another subnet you -

1) create the vlan on both 3750s as you did with vlan 56.

2) create a L3 vlan interface (SVI) for the new vlan on your existing 3750 and create the DHCP pool.

3) on the 1900 add a route for the new IP subnet pointing to 192.168.1.2 and add the subnet to acl 101 for NAT.

Obviously you can use another of your 3750s and connect with a trunk again to your existing 3750, i.e. the one doing the routing.

You should only connect the new 3750s to the existing 3750, i.e. don't connect them to each other.

The management vlan part was probably not entirely necessary for such a small network but it is good practice so I thought I would add it.

Does it all make sense and do you have any other questions?

Jon
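
Step 3 in the post above has two halves, and a subnet that gets the route on the 1900 but not the ACL 101 entry is forwarded to the outside interface without being translated. The script below is an added example, not code from the thread or from any participant: it reads a saved running-config and lists subnets routed to 192.168.1.2 that no permit line in ACL 101 covers. The 172.24.60.0/24 subnet and the function names are constructed for illustration, and ACL wildcards are assumed to be contiguous.

```python
import ipaddress
import re

# Constructed sample: the NAT, route and ACL 101 lines from the router config
# posted in the thread, plus one hypothetical subnet (172.24.60.0/24) that was
# given a route but never added to access-list 101.
SAMPLE_CONFIG = """\
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 172.23.1.0 255.255.255.0 192.168.1.2
ip route 172.24.53.0 255.255.255.0 192.168.1.2
ip route 172.24.60.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
access-list 101 permit ip 172.23.1.0 0.0.0.255 any
access-list 101 permit ip 172.24.53.0 0.0.0.255 any
"""

# Static routes whose next hop is an IP address (the DHCP default route is skipped).
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)\s*$", re.M)
# Numbered extended ACL permit lines of the form used on the page.
ACL_RE = r"^access-list {acl} permit ip (\S+) (\S+) any\s*$"


def wildcard_to_network(addr, wildcard):
    """Turn an ACL address/wildcard pair into an IPv4Network (contiguous masks only)."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(inverted)}")


def routed_but_not_natted(config, next_hop="192.168.1.2", acl="101"):
    """Return subnets routed via next_hop that no permit line in the NAT ACL covers."""
    routed = [ipaddress.ip_network(f"{net}/{mask}")
              for net, mask, hop in ROUTE_RE.findall(config) if hop == next_hop]
    permitted = [wildcard_to_network(a, w)
                 for a, w in re.findall(ACL_RE.format(acl=acl), config, re.M)]
    return [str(r) for r in routed
            if not any(r.subnet_of(p) for p in permitted)]


if __name__ == "__main__":
    for subnet in routed_but_not_natted(SAMPLE_CONFIG):
        print(f"{subnet}: routed to the switch but missing from access-list 101")
```
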
