Cisco 887VA Inter Vlan Routing

eagletec1
Level 1

Hi All,

Is it possible to use the inbuilt 4 port switch on a Cisco 887VA ADSL router for inter Vlan routing?

My plan is to configure port FA0 - 2 as Vlan 1 (default) 192.168.0.254/24 and port FA3 as Vlan 2 192.168.4.254/30.

My SIP server will sit on Vlan 2 (192.168.4.253/30); however, remote WAN users coming through other Cisco 888 routers connected to the 887 will need to access Vlan 2 from Vlan 1. Is this possible?

interface FastEthernet0
 description VLAN_1
 no ip address
!
interface FastEthernet1
 description VLAN_1
 no ip address
!
interface FastEthernet2
 description VLAN_1
 no ip address
!
interface FastEthernet3
 description VLAN_2
 switchport access vlan 2
 no ip address
!
interface Vlan1
 description QQQ_LAN$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface Vlan2
 description QQQ_VOIP_VLAN$FW_DMZ$
 ip address 192.168.4.254 255.255.255.252
 ip access-group 101 in
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz-zone

Louise


12 Replies

Reza Sharifi
Hall of Fame

Hi,

It should work just fine.  The module you have on the router is a 4 port managed switch. So, you can put all in one vlan or put each port in a different vlan.  Since the vlan interfaces are local to the router, the router will route between them.

HTH

Hi HTH,

That's what I thought; however, host 1 (192.168.0.1) on Vlan 1 can ping Vlan 1 (192.168.0.254) and Vlan 2 (192.168.4.254) but can't ping the Vlan 2 host 192.168.4.253. The same is true when pinging from the Vlan 2 host: you can ping all Vlan gateway addresses but no hosts. However, from within the router console you can ping everything. I've even removed all the ACLs just in case and still the same; just not sure what to try next!

Louise

Do the hosts have the correct default gateway?

Do the hosts have any type of firewall installed?

ip address 192.168.4.254 255.255.255.252

Also, for test purposes, can you change the mask for the above subnet to 255.255.255.0?

HTH

Do the hosts have the correct default gateway? Yes

Do the hosts have any type of firewall installed? Yes, but disabled for testing

ip address 192.168.4.254 255.255.255.252

Also, for test purposes, can you change the mask for the above subnet to 255.255.255.0? Tried that too but no change.

I just can't seem to find any documents that clearly show any setup details, but what's the point of supplying a router with a managed switch interface if you can't use it for inter Vlan comms!!!

Louise

Can you post the entire config?

From the router can you ping the hosts?

The router can ping all hosts and Vlan IP's

Current config

! Last configuration change at 13:10:28 UTC Thu Jul 12 2012 by cpadmin
! NVRAM config last updated at 13:10:45 UTC Thu Jul 12 2012 by cpadmin
! NVRAM config last updated at 13:10:45 UTC Thu Jul 12 2012 by cpadmin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname QQQ_ADSL_Gateway
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 gim.lMOdQK/21R4Wu.QJfOMAv3CIkRyN.hbSTG5xAxE
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3471381936
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3471381936
 revocation-check none
 rsakeypair TP-self-signed-3471381936
!
!
crypto pki certificate chain TP-self-signed-3471381936
 certificate self-signed 01

  quit
ip source-route
!
!
!
!
!
ip cef
ip domain name QQQ.Local
ip name-server 192.168.0.6
no ipv6 cef
!
!
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
license udi pid CISCO887VA-K9 sn FGL162321CT
!
!
object-group network QQQ.Local
 description QQQ_Domain
 192.168.0.0 255.255.255.0
 192.168.1.0 255.255.255.0
 192.168.2.0 255.255.255.0
 192.168.3.0 255.255.255.0
 192.168.4.0 255.255.255.252
 10.1.1.0 255.255.255.252
 10.1.2.0 255.255.255.252
!
username xxxxx privilege 15 password 0 xxxxxx
!
!
!
!
controller VDSL 0
!
!
class-map type inspect imap match-any ccp-app-imap
 match  invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
 match  file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
 match  service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
 match  service any
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
 match  service any
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
 match  invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
 match  file-transfer
class-map type inspect match-all ccp-protocol-p2p
 match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
 match  service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
 match  service text-chat
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
 match  request method bcopy
 match  request method bdelete
 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties
 match  request method index
 match  request method lock
 match  request method mkcol
 match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method propfind
 match  request method proppatch
 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev
 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
 match protocol sip
class-map type inspect edonkey match-any ccp-app-edonkey
 match  file-transfer
 match  text-chat
 match  search-file-name
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
 match  request port-misuse im
 match  request port-misuse p2p
 match  req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
 match  file-transfer
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect aol match-any ccp-app-aol
 match  service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
 match  search-file-name
 match  text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
 match  file-transfer
class-map type inspect http match-any ccp-http-allowparam
 match  request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect p2p ccp-action-app-p2p
 class type inspect edonkey ccp-app-edonkeychat
  log
  allow
 class type inspect edonkey ccp-app-edonkeydownload
  log
  allow
 class type inspect fasttrack ccp-app-fasttrack
  log
  allow
 class type inspect gnutella ccp-app-gnutella
  log
  allow
 class type inspect kazaa2 ccp-app-kazaa2
  log
  allow
policy-map type inspect im ccp-action-app-im
 class type inspect aol ccp-app-aol
  log
  allow
 class type inspect msnmsgr ccp-app-msn
  log
  allow
 class type inspect ymsgr ccp-app-yahoo
  log
  allow
 class type inspect aol ccp-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
 class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  reset
 class type inspect http ccp-app-httpmethods
  log
  reset
 class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
 class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-p2p
  inspect
  service-policy p2p ccp-action-app-p2p
 class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
!
zone security dmz-zone
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description Telekom_ADSL
 pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 description VLAN_1
 no ip address
!
interface FastEthernet1
 description VLAN_1
 no ip address
!
interface FastEthernet2
 description VLAN_1
 no ip address
!
interface FastEthernet3
 description VLAN_2
 switchport access vlan 2
 no ip address
!
interface Vlan1
 description QQQ_LAN$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface Vlan2
 description QQQ_VOIP_VLAN$FW_DMZ$
 ip address 192.168.4.254 255.255.255.252
 ip access-group 101 in
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz-zone
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip access-group 101 out
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxx
 ppp pap sent-username xxxxxxx password 0 xxxxxxx
!
router rip
 version 2
 passive-interface Vlan1
 passive-interface Vlan2
 network 10.0.0.0
 network 192.168.0.0
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
 no auto-summary
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 ATM0.1 permanent
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended dmz-traffic
 remark CCP_ACL Category=1
 permit ip any host 192.168.4.253
 permit ip any host 192.168.4.254
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.4.252 0.0.0.3
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.4.252 0.0.0.3 any
access-list 101 remark QQQ_Extended_ACL
access-list 101 remark CCP_ACL Category=1
access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.4.254 eq ntp
access-list 101 remark NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp any eq ntp
access-list 101 remark NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.0.254 eq ntp
access-list 101 remark QQQ_ANY_Any
access-list 101 permit ip object-group QQQ.Local any
dialer-list 1 protocol ip permit
!
!
!
!
banner login ^CWelcome to ADSL Gateway
--------------------------------------------------------------------------------
************************************************************
* Authorised access ONLY. Unauthorised access is forbidden *
************************************************************
^C
!
line con 0
 login local
line aux 0
 login local
line vty 0 4
 login local
 transport input all
!
ntp update-calendar
ntp server 203.12.160.2 prefer source ATM0.1
end

Hi,

It is ZBF that is the cause of your problems.

So when you ping from a vlan1 host to a vlan2 host you go from in-zone to dmz-zone:

zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice

policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class class-default
  drop

class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols

ip access-list extended dmz-traffic
 permit ip any host 192.168.4.253
 permit ip any host 192.168.4.254

class-map type inspect match-any ccp-dmz-protocols
 match protocol sip

So do this and it should work:

class-map type inspect match-any ccp-dmz-protocols
 match protocol sip
 match protocol icmp

Regards.

Alain

Don't forget to rate helpful posts.

Thanks Alain,

That sort of worked. The Vlan 1 host can now ping the Vlan 2 host at will; however, the Vlan 2 host still can't ping the Vlan 1 host (Request timed out error) unless I ping from the Vlan 1 host to the Vlan 2 host at the same time. Then, for a few seconds only, the Vlan 2 host can ping the Vlan 1 host before the timed out error returns. Any ideas?

Louise

Hi,

you don't have any security zone-pair from dmz-zone to inside-zone, so if you want vlan2 host to ping vlan 1 host do this:

zone-pair security dmz-to-in source dmz-zone destination in-zone
 service-policy type inspect dmz-to-in-policy

policy-map type inspect dmz-to-in-policy
 class type inspect dmz-to-in-echorequest
  inspect

class-map type inspect dmz-to-in-echorequest
 match protocol icmp

Regards.

Alain.

Don't forget to rate helpful posts.
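Added example (not from the thread, and not Cisco's code): a small Python model of the ZBF decisions made in the two replies above, built from the posted zone-pair, class-map and policy-map names. It shows why the match-all class ccp-dmz-traffic (the dmz-traffic ACL AND a protocol list holding only sip) dropped ICMP from in-zone to dmz-zone, why adding icmp to ccp-dmz-protocols let the VLAN 1 host ping VLAN 2 and let VLAN 2 answer only while that inspected session existed, and why the dmz-to-in zone-pair is needed before VLAN 2 can start its own pings. The host addresses, flow tuples and session table are constructed, and matching sessions on addresses plus protocol only is a simplification of IOS inspection.

```python
"""Toy model of IOS Zone-Based Firewall (ZBF) evaluation for this thread (added example,
not the thread's or Cisco's code).  Names follow the posted config; hosts, flows and the
session table are constructed; sessions match on addresses and protocol only (simplified)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    src_ip: str
    dst_ip: str

    def reverse(self):
        return Flow(self.dst_zone, self.src_zone, self.proto, self.dst_ip, self.src_ip)

@dataclass
class ClassMap:
    """class-map type inspect: match-all ANDs its criteria, match-any ORs them."""
    match_all: bool
    protocols: frozenset = frozenset()      # match protocol <p>
    acl_dst_hosts: frozenset = frozenset()  # match access-group name <acl> (permit ip any host X)
    nested: tuple = ()                      # match class-map <name>

    def matches(self, flow):
        checks = [flow.proto in self.protocols] if self.protocols else []
        if self.acl_dst_hosts:
            checks.append(flow.dst_ip in self.acl_dst_hosts)
        checks.extend(cm.matches(flow) for cm in self.nested)
        return all(checks) if self.match_all else any(checks)

class Firewall:
    # zone_pairs: {(src_zone, dst_zone): ([(ClassMap, action), ...], class_default_action)}
    def __init__(self, zone_pairs):
        self.zone_pairs = zone_pairs
        self.sessions = set()  # reverse flows opened by the "inspect" action

    def evaluate(self, flow):
        if flow in self.sessions:
            return "pass (return traffic of inspected session)"
        policy = self.zone_pairs.get((flow.src_zone, flow.dst_zone))
        if policy is None:
            return "drop (no zone-pair)"  # inter-zone traffic with no zone-pair is dropped
        classes, class_default = policy
        for cm, action in classes:
            if cm.matches(flow):
                if action == "inspect":
                    self.sessions.add(flow.reverse())
                return action
        return class_default

DMZ_TRAFFIC_ACL = frozenset({"192.168.4.253", "192.168.4.254"})  # ip access-list extended dmz-traffic

def build_firewall(dmz_protocols, dmz_to_in_pair=False):
    """Model ccp-zp-in-dmz as posted; optionally add Alain's dmz-to-in zone-pair."""
    ccp_dmz_protocols = ClassMap(False, protocols=frozenset(dmz_protocols))
    ccp_dmz_traffic = ClassMap(True, acl_dst_hosts=DMZ_TRAFFIC_ACL, nested=(ccp_dmz_protocols,))
    pairs = {("in-zone", "dmz-zone"): ([(ccp_dmz_traffic, "inspect")], "drop")}
    if dmz_to_in_pair:
        echo_request = ClassMap(False, protocols=frozenset({"icmp"}))
        pairs[("dmz-zone", "in-zone")] = ([(echo_request, "inspect")], "drop")
    return Firewall(pairs)

# Constructed hosts: 192.168.0.1 on VLAN 1 (in-zone), SIP server 192.168.4.253 on VLAN 2 (dmz-zone)
PING_IN_TO_DMZ = Flow("in-zone", "dmz-zone", "icmp", "192.168.0.1", "192.168.4.253")
PING_DMZ_TO_IN = Flow("dmz-zone", "in-zone", "icmp", "192.168.4.253", "192.168.0.1")
```

Running `build_firewall({"sip"}).evaluate(PING_IN_TO_DMZ)` reproduces the original drop, `build_firewall({"sip", "icmp"})` reproduces the one-way result, and `dmz_to_in_pair=True` reproduces the accepted fix.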

Thanks, yes I need SIP protocols to come inside to the Vlan 1 network, as I have remote sites connected to Vlan 1 through 888 routers and local IP phones on Vlan 1.

Louise

Alain,

I'm beginning to appreciate and understand ZBFW because of your posts. Good job and keep it up! +5
