07-17-2012 04:59 PM - edited 03-07-2019 07:50 AM
Hi All,
Is it possible to use the built-in 4-port switch on a Cisco 887VA ADSL router for inter-VLAN routing?
My plan is to configure ports FA0 - 2 as Vlan 1 (default) 192.168.0.254/24 and port FA3 as Vlan 2 192.168.4.254/30.
My SIP server will sit on Vlan 2 192.168.4.253/30; however, remote WAN users coming through other Cisco 888 routers connected to the 887 will need to access Vlan 2 from Vlan 1. Is this possible?
interface FastEthernet0
description VLAN_1
no ip address
!
interface FastEthernet1
description VLAN_1
no ip address
!
interface FastEthernet2
description VLAN_1
no ip address
!
interface FastEthernet3
description VLAN_2
switchport access vlan 2
no ip address
!
interface Vlan1
description QQQ_LAN$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip access-group 101 in
ip access-group 101 out
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Vlan2
description QQQ_VOIP_VLAN$FW_DMZ$
ip address 192.168.4.254 255.255.255.252
ip access-group 101 in
ip access-group 101 out
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
Louise
07-17-2012 05:18 PM
Hi,
It should work just fine. The module you have on the router is a 4-port managed switch, so you can put all ports in one VLAN or put each port in a different VLAN. Since the VLAN interfaces are local to the router, the router will route between them.
HTH
07-17-2012 05:25 PM
Hi HTH,
That's what I thought; however, host 1 (192.168.0.1) on Vlan 1 can ping Vlan 1 (192.168.0.254) and Vlan 2 (192.168.4.254) but can't ping the Vlan 2 host 192.168.4.253. The same is true when pinging from the Vlan 2 host: you can ping all VLAN gateway addresses but no hosts. However, from within the router console you can ping everything. I've even removed all the ACLs just in case and it is still the same; just not sure what to try next!
Louise
07-17-2012 05:38 PM
Do the hosts have the correct default gateway?
Do the hosts have any type of firewall installed?
ip address 192.168.4.254 255.255.255.252
Also, for test purposes, can you change the mask of the above subnet to 255.255.255.0?
HTH
07-17-2012 05:45 PM
Do the hosts have the correct default gateway? Yes
Do the hosts have any type of firewall installed? Yes, but disabled for testing
ip address 192.168.4.254 255.255.255.252
Also, for test purposes, can you change the mask of the above subnet to 255.255.255.0? Tried that too, but no change.
I just can't seem to find any documents that clearly show any setup details, but what's the point of supplying a router with a managed switch interface if you can't use it for inter-VLAN comms!!!
Louise
07-17-2012 05:47 PM
Can you post the entire config?
07-17-2012 05:50 PM
From the router can you ping the hosts?
07-17-2012 11:11 PM
The router can ping all hosts and VLAN IPs.
Current config
! Last configuration change at 13:10:28 UTC Thu Jul 12 2012 by cpadmin
! NVRAM config last updated at 13:10:45 UTC Thu Jul 12 2012 by cpadmin
! NVRAM config last updated at 13:10:45 UTC Thu Jul 12 2012 by cpadmin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname QQQ_ADSL_Gateway
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 gim.lMOdQK/21R4Wu.QJfOMAv3CIkRyN.hbSTG5xAxE
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3471381936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3471381936
revocation-check none
rsakeypair TP-self-signed-3471381936
!
!
crypto pki certificate chain TP-self-signed-3471381936
certificate self-signed 01
quit
ip source-route
!
!
!
!
!
ip cef
ip domain name QQQ.Local
ip name-server 192.168.0.6
no ipv6 cef
!
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
license udi pid CISCO887VA-K9 sn FGL162321CT
!
!
object-group network QQQ.Local
description QQQ_Domain
192.168.0.0 255.255.255.0
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.4.0 255.255.255.252
10.1.1.0 255.255.255.252
10.1.2.0 255.255.255.252
!
username xxxxx privilege 15 password 0 xxxxxx
!
!
!
!
controller VDSL 0
!
!
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol sip
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-dmz-traffic
inspect
class class-default
drop
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class class-default
drop log
!
zone security dmz-zone
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description Telekom_ADSL
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
description VLAN_1
no ip address
!
interface FastEthernet1
description VLAN_1
no ip address
!
interface FastEthernet2
description VLAN_1
no ip address
!
interface FastEthernet3
description VLAN_2
switchport access vlan 2
no ip address
!
interface Vlan1
description QQQ_LAN$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip access-group 101 in
ip access-group 101 out
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Vlan2
description QQQ_VOIP_VLAN$FW_DMZ$
ip address 192.168.4.254 255.255.255.252
ip access-group 101 in
ip access-group 101 out
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxx
ppp chap password 0 xxxxxx
ppp pap sent-username xxxxxxx password 0 xxxxxxx
!
router rip
version 2
passive-interface Vlan1
passive-interface Vlan2
network 10.0.0.0
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
no auto-summary
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 ATM0.1 permanent
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host 192.168.4.253
permit ip any host 192.168.4.254
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.4.252 0.0.0.3
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.4.252 0.0.0.3 any
access-list 101 remark QQQ_Extended_ACL
access-list 101 remark CCP_ACL Category=1
access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.4.254 eq ntp
access-list 101 remark NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp any eq ntp
access-list 101 remark NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.0.254 eq ntp
access-list 101 remark QQQ_ANY_Any
access-list 101 permit ip object-group QQQ.Local any
dialer-list 1 protocol ip permit
!
!
!
!
banner login ^CWelcome to ADSL Gateway
--------------------------------------------------------------------------------
************************************************************
* Authorised access ONLY. Unauthorised access is forbidden *
************************************************************
^C
!
line con 0
login local
line aux 0
login local
line vty 0 4
login local
transport input all
!
ntp update-calendar
ntp server 203.12.160.2 prefer source ATM0.1
end
07-18-2012 12:14 AM
Hi,
It is the ZBF that is the cause of your problems.
When you ping from the vlan1 host to the vlan2 host you go from in-zone to dmz-zone, and these are the objects involved:
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-dmz-traffic
inspect
class class-default
drop
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
ip access-list extended dmz-traffic
permit ip any host 192.168.4.253
permit ip any host 192.168.4.254
class-map type inspect match-any ccp-dmz-protocols
match protocol sip
So do this and it should work:
class-map type inspect match-any ccp-dmz-protocols
match protocol sip
match protocol icmp
Regards.
Alain
Don't forget to rate helpful posts.
07-18-2012 02:18 AM
Thanks Alain,
That sort of worked. The Vlan 1 host can now ping the Vlan 2 host at will; however, the Vlan 2 host still can't ping the Vlan 1 host (Request timed out error) unless I ping from the Vlan 1 host to the Vlan 2 host at the same time, and then, for a few seconds only, the Vlan 2 host can ping the Vlan 1 host before the timed out error returns. Any ideas?
Louise
07-18-2012 02:48 AM
Hi,
You don't have any security zone-pair from dmz-zone to inside-zone, so if you want the vlan2 host to ping the vlan 1 host, do this (entered in dependency order, since IOS rejects a policy-map that references an undefined class-map, and a zone-pair that references an undefined policy-map):
! 1. classify the traffic to allow from the DMZ towards the inside
class-map type inspect match-any dmz-to-in-echorequest
 match protocol icmp
! 2. inspect it, so the echo reply is allowed back statefully
policy-map type inspect dmz-to-in-policy
 class type inspect dmz-to-in-echorequest
  inspect
! 3. bind the policy to the missing dmz-zone -> in-zone direction
zone-pair security dmz-to-in source dmz-zone destination in-zone
 service-policy type inspect dmz-to-in-policy
Regards.
Alain.
Don't forget to rate helpful posts.
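The two answers above come down to how the IOS zone-based firewall decides the fate of a packet: same-zone traffic passes, inter-zone traffic without a zone-pair is dropped, a class that the policy inspects opens a session that lets the reverse direction back in, and everything else hits class-default. The toy evaluator below is an added example, not IOS code or anything from this thread; it only mirrors the thread's zone names and hosts, and its session table never times out and treats any packet between the same pair as part of the session (a simplification chosen to reproduce the "works for a few seconds only" symptom).

```python
# Toy model of the IOS zone-based firewall (ZBF) decision logic discussed in
# this thread. Constructed example: zone names, hosts and the three stages of
# the fix mirror the thread's configuration; nothing here is real IOS code.

def zone_of(ip):
    """Map a host to its security zone, as the Vlan1/Vlan2 'zone-member' lines do."""
    if ip.startswith("192.168.0."):
        return "in-zone"
    if ip.startswith("192.168.4."):
        return "dmz-zone"
    return "out-zone"


class ZoneFirewall:
    """zone_pairs: {(src_zone, dst_zone): protocols the bound policy-map inspects}."""

    def __init__(self, zone_pairs):
        self.zone_pairs = zone_pairs
        self.sessions = set()  # state created by the 'inspect' action

    def forward(self, src, dst, proto):
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            return "permit"  # ZBF never polices traffic inside one zone
        if (dst, src, proto) in self.sessions:
            return "permit"  # reverse direction of an inspected session
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop (no zone-pair)"  # default for inter-zone traffic
        if proto in policy:
            self.sessions.add((src, dst, proto))  # simplification: never expires
            return "inspect"
        return "drop (class-default)"  # the explicit 'class class-default / drop'


IN_HOST, DMZ_HOST = "192.168.0.1", "192.168.4.253"

def original_config():
    """Only ccp-zp-in-dmz exists and ccp-dmz-protocols matches sip: ping is dropped."""
    fw = ZoneFirewall({("in-zone", "dmz-zone"): {"sip"}})
    return fw.forward(IN_HOST, DMZ_HOST, "icmp")

def after_adding_icmp():
    """First fix ('match protocol icmp'): in->dmz works; dmz->in only works while a
    session opened from the inside exists, the 'few seconds' symptom in the thread."""
    fw = ZoneFirewall({("in-zone", "dmz-zone"): {"sip", "icmp"}})
    cold = fw.forward(DMZ_HOST, IN_HOST, "icmp")
    fw.forward(IN_HOST, DMZ_HOST, "icmp")  # the inside host pings first
    while_open = fw.forward(DMZ_HOST, IN_HOST, "icmp")
    return cold, while_open

def after_dmz_to_in_pair():
    """Second fix: a dmz-to-in zone-pair whose policy inspects icmp."""
    fw = ZoneFirewall({("in-zone", "dmz-zone"): {"sip", "icmp"},
                       ("dmz-zone", "in-zone"): {"icmp"}})
    return fw.forward(DMZ_HOST, IN_HOST, "icmp")

if __name__ == "__main__":
    print(original_config(), after_adding_icmp(), after_dmz_to_in_pair())
```

A real ZBF session is keyed on the full 5-tuple and expires on an idle timer, which is why the reverse ping only worked briefly on the real router.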
07-18-2012 03:41 AM
Thanks, yes, I need SIP protocols to come inside to the Vlan 1 network, as I have remote sites connected to VLAN 1 through 888 routers and local IP phones on Vlan 1.
Louise
07-18-2012 07:57 AM
Alain,
I'm beginning to appreciate and understand ZBFW because of your posts. Good job and keep it up! +5
Sent from Cisco Technical Support iPhone App