cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2573
Views
0
Helpful
11
Replies

Cisco 871: Allow two VLANs to access one another

itlengineering
Level 1
Level 1

We are using a Cisco 871 in our data center, which is configured with  two VLANs as follows:

- VLAN1 contains FastEthernet0,  1, and 2, has an IP address of 192.168.1.1, and is associated with  network 192.168.1.0/24

- VLAN2 contains FastEthernet3, has an IP  address of  192.168.101.1, and is associated with network 192.168.101.0/24

At  present, I am able to ping all devices on both subnets from the Cisco  router. However, from a machine that is connected to the 192.168.1.0  network, I can only ping 192.168.101.1 (the IP address of VLAN2).  Ideally, I would like to be able to access any IP address on the  192.168.101.0 network when using a computer that is connected to the  192.168.1.0 network, and vice versa. Does anyone have any idea how this  can be accomplished?

Any help would be greatly  appreciated!

Best Regards,

Steven

11 Replies 11

Leo Laohoo
Hall of Fame
Hall of Fame

What's the config for both?

Here are the configs for both Vlans:

interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Vlan2
ip address 192.168.101.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!

ip route 192.168.1.0 255.255.255.0 Vlan1 permanent

-------------------------

Is this what you were looking for? If you require more information, please let me know.

lamav
Level 8
Level 8

It sounds like you're trying to PING PC's and it's not working. Make sure that they do not have a firewall enabled.

Victor

Hi Victor,

Actually, the devices I am trying to ping are not computers but IP phones, and as such they have no firewall. Also, I am able to ping these phones from any machine that resides on the 192.168.101.0 network, and I can ping these phones from the Cisco, so I don't think it's a firewall issue.

Also, there is no firewall currently set up on the Cisc. Perhaps its an ACL problem?

Can you post the "sh run" of both routers?

Yes, please post the configs...

Thanks for your reply. Just to clarify, there is only one router  (with two VLANs) in this configuration. The sh run of this router is as  follows:


Building configuration...

Current configuration : 21858 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Engineering
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$c03E$wjKfvdU9usL1o5lJkJ/ij.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone jst 9
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool sdm-pool
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 192.168.1.9 192.168.1.200
    lease 0 8
!
!
ip cef
ip name-server 202.224.32.2
ip name-server 202.224.32.1
!
!
!
!
archive
  log config
   hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
  switchport access vlan 2
!
interface FastEthernet4
  description $ETH-WAN$
  ip address dhcp client-id FastEthernet4
  ip mtu 1454
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  pppoe-client dial-pool-number 1
!
interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
!
interface Vlan2
  ip address 192.168.101.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
!
interface Dialer0
  description $FW_OUTSIDE$
  ip mtu 1454
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer redial interval 30 attempts 1000 re-enable 300
  dialer-group 1
  no cdp enable
  ppp authentication chap pap callin
  ppp chap hostname ********
  ppp chap password 0 ********
  ppp pap sent-username ********
!
ip local pool SDM_POOL_1 192.168.9.101 192.168.9.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2
ip route 192.168.1.0 255.255.255.0 Vlan1 permanent
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
logging 192.168.1.200
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.9.0 0.0.0.255 any
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
  match ip address 101
!
!
control-plane
!
banner login ^CCCC
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this  device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a  privilege

level of 15.

Please change these publicly known initial credentials using SDM  or the IOS

CLI.
Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username  and password you want to

use.

For more information about SDM please follow the instructions in  the QUICK

START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
  no modem enable
line aux 0
line vty 0 4
  transport input telnet ssh
!
scheduler max-task-time 5000
end
-------------------------

Thanks for  your help! If you have any other questions, please let me know.

Steven

Where's your route for VLAN2?

I just ran the following command from the router CLI:

ip  route 192.168.101.0 255.255.255.0 Vlan2 permanent

However,  I still cannot ping any 192.168.101.0 devices from the 192.168.1.0  network. Is the above command what you had in mind? If not, please let  me know.

Thanks,

Steven

Hi Steven,

If you are able to ping the IP phones from the router itself, layer2 reachability is there. I assume the subnet for IP phones is 192.168.101.0/24 based on your explanation and if so I can see the IP phones are getting the IP address not from the router as there is no pool configured for 192.168.101.0/24 subnet and so I am not sure the IP phones are using the correct default gateway. You have to use the 192.168.101.1 as the default gateway on the IP phones if that is your assumed gateway, then only it can reach network beyond their own.

Regards,

Shahal.

I changed the gateway of one phone to 192.168.101.1, and then I was  able to ping it from a machine on the 192.168.1.0 network! Thanks for  that!

However, now I have run into a different problem.  The phone was previously using 192.168.101.252 as its gateway in order  to communicate with the SIP network, which resides at IP address  220.157.32.78. This IP address is only accessible through gateway  192.168.101.252. Since the gateway value on the phone has now been  changed to 192.168.1.1, the phone is no longer able to access  202.157.32.78 through SIP gateway 192.168.101.252. In an attempt to  overcome this, I created a static route using the follwoing CLI command:

ip  route 220.157.32.78 255.255.255.255 192.168.101.252 permanent

However,  this did not seem to have any effect. Is it possible to configure the  Cisco router to always route traffic directed at 202.157.32.78 through  192.168.101.252.

Thanks for your help!

Steven

Review Cisco Networking for a $25 gift card