2900 router problems

sirEgGhEaD (Level 1)

howdy. i'm fairly new to cisco stuff. i have an entire collection of cisco books, but i'm not too far in them. currently i'm deployed to iraq and one of my warrant officers here is a cisco instructor. i've learned some stuff from him and learned some stuff on my own. i've presented my situation to him, but it's extremely hard to learn from him in the first place because he's a little off the wall. but besides that, i don't know enough.

i'm a systems administrator here in iraq and head of the helpdesk. i've been in IT for over 20 years. i have experience, just not when it comes to this.

so enough of the intro. we have the internet here in our rooms that we pay way too much for. there is one cable for my roommate and myself. we sign into a radius server with a 24 hour lease. the ip addresses are obviously assigned via dhcp. the cable from our room runs to a "dumb" switch. from the switch, a cat5 runs to a line of sight radio that shoots to their office down the road. from there they host the internet via satellite obviously.

currently i have a linksys wrt300 acting as my router with the antennas disabled. i need to send this router home to my wife, so my whole grand plan for this expensive router is only to catch the outside ip address given by my isp, and run a dhcp server to host my inside lan. on this switch there are, of course, 2 built-in fastethernet interfaces, a t1/dsu port on the serial interface, and something else that says t1 on the voice interface.

i've tried a few things. i've created an access list, configured nat on the 2 fe interfaces, and semi-setup the dhcp. i have a few problems. obviously, i can't pull up a webpage. i don't receive ping from everything, even from the router console. for instance yahoo.com i cannot receive a ping from. even the default gateway for the isp i can't receive a ping from. but i've randomly pinged a few ips here from behind their radio. another problem is i don't know how to get dhcp to push itself (192.168.1.1) as the gateway down to the computer connected to it. i have to set it manually.

a few other problems that don't really regard the internet side of my problem is somehow i must have fat-fingered my password when i initially set it up, so i had to follow the recovery instructions at cisco.com. since then, the router won't hold a password when it reboots. show config shows the password, but it still doesn't hold. another thing is dir doesn't show anything other than a .bin file. i don't remember which one, but it isn't my ios.

i know this is quite a lot for one post, but i would definitely appreciate some help.

thomas


Hey Thomas, I hope you had a nice weekend! I was traveling so couldn't reply earlier. Using NAT to fix the single host login problem is very logical. Your config looks fine. How has it been so far?

- Vaibhav

it's been great so far. i'm glad i finally got it taken care of. i really appreciate all the help though. i don't know why it didn't like the 192.168.1 net. how was your weekend?

Good to know that all's well. Weekend was good. I think there are some 192.168.1.x devices on one of the sides or some entries cached somewhere. In case you have the time and want to troubleshoot it, the best way would be to isolate the router and then add a device/client at a time.

Have a good one.

-Vaibhav

i think i'll stick with the 172.16 net. would you mind helping me with one more thing before we finish up? i would like for the machines that i have here in my room to be on net 1 and other machines that i have cables running to outside this room to be on net 2. i only want net 1 to access the internet.

By net 1 and 2 do you mean 172.16.1.0/24 and 172.16.2.0/24 respectively? Well, you have a NAT pool for 172.16.1.0/24 and, if I am not mistaken, even the DHCP is assigning IPs in the 172.16.1.0 network. If that's the case, any host on 172.16.2.0/24 should not be able to get on to the internet. However, if the configuration is different and the hosts from the .2 network are able to get on to the internet, we can put an access list in place to block internet access for anything from the .2 network. Also, let me know whether the 172.16.2.0 network devices need to access the Cisco 2600 router for anything at all.

-Vaibhav

yeah you have it right. sorry i guess i should have clarified a little more. 2 would need access to 1 and vice versa. changing dhcp assignment to net 2 wouldn't be hard. is running static ips on the other nets the only way to dhcp more than one net? if so, how do i set up statics for net 1? there won't be that many on 1. we have 7 devices in this room for now, so not too bad.

Thomas,

Here's what you can do:

1. Create another VLAN on the 2950 switch for 172.16.2.0/24. By default, every port will be in VLAN1 which will have internet access:

VLAN1 (Default) - For 172.16.1.0/24 with internet access.

VLAN2 - For 172.16.2.0/24 without internet access.

Configuration on the switch

---------------------------

By default, all the ports on the switch are in VLAN 1. So, every device plugged into the switch will get an IP from the InSayne pool (172.16.1.0/24) and would have internet access.

We will create another VLAN for the .2 network. Any device that is plugged into a port which is in VLAN 2 will get IP address from the InSayne1 pool (172.16.2.0/24 - explained in step 4) and would have internet access at this moment but we will deny it later (last step).

! - Create VLAN2 for ports in the 172.16.2.0/24 network.
Switch# configure terminal
Switch(config)# vlan 2
Switch(config-vlan)# name No-Internet
Switch(config-vlan)# end

! - Example, adding Fa0/2 on the switch to VLAN 2 (No-Internet).
interface FastEthernet0/2
 switchport access vlan 2
 spanning-tree portfast
!

Now, you can use the same method to move the desired ports to VLAN 2 in the switch.

2. Configure trunking on the switch

! - Configuring FastEthernet0/1 as the trunk port.
! - Note: the Catalyst 2950 supports 802.1Q trunking only, so it may reject the
! - encapsulation line; "switchport mode trunk" on its own is sufficient there.
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

Connect a straight cable from Fa0/1 on the switch to Fa0/1 on the router.

4. Configure two dhcp pools on the router

InSayne - For 172.16.1.0/24 with internet access.

InSayne1 - For 172.16.2.0/24 without internet access.

!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.2.1
!
ip dhcp pool InSayne
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool InSayne1
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1
!
ip nat pool InSayne 172.16.1.1 172.16.1.255 prefix-length 24
! - NAT outside is the ISP-facing physical interface FastEthernet0/0 (there is no
! - sub-interface on that side; only fa0/1 is split into dot1Q sub-interfaces).
ip nat inside source list 15 interface FastEthernet0/0 overload
!
access-list 15 permit 172.16.1.0 0.0.0.255

Remove the ip nat inside statement from fa0/1 and move it to fa0/1.1:

int fa0/1
 no ip nat inside
 no shut
int fa0/1.1
 ip nat inside
 no shut

5. Configure trunking on the router

Configuration follows:
----------------------
c2600(config)#int fastEthernet 0/1
c2600(config-if)#no shut
c2600(config-if)#exit
!-- Enable trunking on the sub-interface FastEthernet 0/1.1.
!-- Note that actual trunks are configured on the sub-interfaces.
c2600(config)#int fastEthernet 0/1.1
!-- On the switch, by default, the native VLAN is 1.
!-- On the router, configure VLAN1 as the native VLAN.
c2600(config-subif)#encapsulation dot1Q 1 native
c2600(config-subif)#ip address 172.16.1.1 255.255.255.0
c2600(config-subif)#exit
!-- Enable trunking on the sub-interface FastEthernet 0/1.2
c2600(config)#int fastEthernet 0/1.2
c2600(config-subif)#encapsulation dot1Q 2
!-- Configure L3 information on the sub-interface 0/1.2
c2600(config-subif)#ip address 172.16.2.1 255.255.255.0
c2600(config-subif)#exit
c2600(config)#^Z
c2600#write memory

========

6. Disable internet access for 172.16.2.0/24 on the router.

c2600(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
c2600(config)#int fa0/1.2
c2600(config-subif)#ip access-group 100 in

I hope this helps!

-Vaibhav

sorry about the delay. i've been caught up lately. i added the configs in pretty quick. i actually named the no-inet pool InSayneX and used access-list 10 instead of 100. vlan 1 seems to be working fine right now, but i hooked a machine into a port set to vlan 2 today and it doesn't pull an ip. below is my router running-config.

InSayneLAN#show run
Building configuration...

Current configuration : 1855 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname InSayneLAN
!
boot-start-marker
boot-end-marker
!
enable password *********
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
voice-card 1
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.1.2 172.16.1.99
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.2.2 172.16.2.99
!
ip dhcp pool InSayne
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool InSayneX
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1
!
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T1 1/0
 framing sf
 linecode ami
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
 no dce-terminal-timing-enable
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 10 in
 no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip http server
ip nat pool InSayne 172.16.1.1 172.16.1.255 prefix-length 24
ip nat inside source list 15 interface FastEthernet0/0 overload
!
access-list 10 permit 172.16.2.0 0.0.0.255
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 15 permit 172.16.1.0 0.0.0.255
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

InSayneLAN#

i had to do things slightly differently than you posted. i forgot what the error was that i got. actually i think i wound up with 2. but i worked around them. i know one was i had to set no ip on fa0/1 before i could set that same ip to fa0/1.1. the other, i don't remember what happened.

got any ideas on what's going on? do i need to post my switch's running-config also?

Sorry for the late response. Had been really busy.

Did you try other ports in VLAN 2 as well? Was the port up/up? What if you assign a manual IP address from the .2 network to a device on VLAN 2? Does it communicate with VLAN 1, and is internet blocked for it?

Also, instead of ACL 10, an extended ACL such as the one below makes more sense here. It allows traffic from .2 to communicate with .1 but blocks it from accessing any other subnet (which blocks internet access as well).

c2600(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
c2600(config)#int fa0/1.2
c2600(config-subif)#ip access-group 100 in

i remember now what that second problem i was having with your config was. below is what happens when i type what you asked:

InSayneLAN(config)#$ 10 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
Translating "ip"...domain server (208.67.222.222) [OK]
access-list 10 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
                                    ^
% Invalid input detected at '^' marker.

InSayneLAN(config)#

and below is what happens when i remove "ip" from the command:

InSayneLAN(config)#$ 10 permit 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
                                           ^
% Invalid input detected at '^' marker.

InSayneLAN(config)#

the forum doesn't show the exact location of the carets for the errors, so i will type them here. the caret in the first error is pointing to the first 0 in the first instance of 0.0.0.255. the caret in the second error is pointing to the first 1 in 172.16.1.0

i manually configured a machine to a net 2 address and plugged it into a vlan 2 port and it successfully pinged a machine on vlan 1. i have also made the following modifications to my router's config in order to have the extended ACL you were talking about:

ip access-list extended No_iNet
 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group No_iNet in
 no snmp trap link-status

Sounds good. I hope the .2 network and the ports in VLAN 2 do not have internet access.

So at this point only the config through DHCP for VLAN 2 is not working?

Have you checked whether DHCP is working after the last 2 changes? If only DHCP for VLAN 2 is down, let me know and we will then work on it further.

that's right. no internet access from vlan 2 and no dhcp from vlan 2. i tested it all after i made the last 2 changes. i briefly looked over the config but i don't know what the problem might be.
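The access-list behaviour this thread keeps running into can be checked offline: why IOS rejected a destination on list 10 (lists 1-99 are standard and match the source only), why the extended list does block the internet while still permitting .2 to reach .1, and why DHCP on VLAN 2 can still fail even though the pool is defined. The Python below is an added example, not code from the thread or from Cisco. It models IOS wildcard masks, the numbered-list ranges, first-match-wins and the implicit deny, then runs list 10 and list 100 from the posted config over constructed sample packets. One caveat it makes visible: an inbound access-group on a sub-interface also filters packets addressed to the router itself, and a client that has no lease yet sends its DHCP DISCOVER from 0.0.0.0 to 255.255.255.255 (UDP/67), which neither list 10 nor the extended No_iNet list permits, so the request never reaches the InSayneX pool. The final "permit udp any host 255.255.255.255 eq 67" entry is a constructed addition, not from the thread, showing how to admit that traffic while the implicit deny still blocks everything else.

```python
"""IOS access-list semantics from this thread: wildcard masks, standard vs.
extended number ranges, first-match-wins and the implicit deny at the end.
Added example, not code from the thread or from Cisco; the sample packets and
the final bootps entry are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class Ace:  # one access-list entry; dst is None for a standard (source-only) entry
    action: str
    src: str
    src_wc: str
    dst: Optional[str] = None
    dst_wc: Optional[str] = None
    proto: str = "ip"
    dst_port: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dst_port: Optional[int] = None


def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' and return the remainder."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return str(IPv4Address(tok[1])), "0.0.0.0", tok[2:]
    return str(IPv4Address(tok[0])), str(IPv4Address(tok[1])), tok[2:]


def parse_numbered_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ...'. Lists 1-99 and 1300-1999 are standard
    (source only); 100-199 and 2000-2699 are extended (protocol, source, destination).
    A destination on a standard list is rejected, like the '% Invalid input' for list 10."""
    tok = line.split()
    num, action = int(tok[1]), tok[2]
    if 1 <= num <= 99 or 1300 <= num <= 1999:
        src, src_wc, rest = _parse_addr(tok[3:])
        if rest:
            raise ValueError("% Invalid input: a standard ACL takes a source only")
        return Ace(action, src, src_wc)
    if not (100 <= num <= 199 or 2000 <= num <= 2699):
        raise ValueError("% Invalid input: unknown access-list number")
    src, src_wc, rest = _parse_addr(tok[4:])
    dst, dst_wc, rest = _parse_addr(rest)
    port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return Ace(action, src, src_wc, dst, dst_wc, tok[3], port)


def matches(ace: Ace, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if ace.dst is not None and not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# The two lists from the thread, as applied inbound on FastEthernet0/1.2.
ACL_10 = [parse_numbered_ace("access-list 10 permit 172.16.2.0 0.0.0.255"),
          parse_numbered_ace("access-list 10 permit 172.16.1.0 0.0.0.255")]
ACL_100 = [parse_numbered_ace(
    "access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255")]
# Constructed variant (not in the thread): admit DHCP client broadcasts, which an
# unconfigured host sends as 0.0.0.0 -> 255.255.255.255 UDP/67, ahead of the deny.
ACL_100_DHCP = ACL_100 + [parse_numbered_ace(
    "access-list 100 permit udp any host 255.255.255.255 eq 67")]

# Constructed sample packets arriving inbound on the VLAN 2 sub-interface.
PACKETS = {
    "vlan2_to_vlan1_ping": Packet("172.16.2.50", "172.16.1.20", "icmp"),
    "vlan2_to_internet_dns": Packet("172.16.2.50", "208.67.222.222", "udp", 53),
    "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 67),
}


def decisions(acl) -> dict:
    """Verdict per sample packet for one access list."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("list 10", ACL_10), ("list 100", ACL_100), ("list 100 + bootps", ACL_100_DHCP)):
        print(label, decisions(acl))
```

Running it shows list 10 permitting the internet-bound packet (a standard list never looks at the destination), list 100 permitting only the .2 to .1 traffic, and both lists dropping the DHCP DISCOVER; only the variant with the constructed bootps entry lets the lease request through.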
