
How to Allow Internet on VLAN's PC

s4starb4boy
Level 1

Scenario: I have three remote sites and one head office location.

Site1= ISPL

Nodes=70

IP Scheme = 192.168.10.xx

Site2= ISML

Nodes=50

IP Scheme = 192.168.20.xx

Site3= KSML

Nodes=80

IP Scheme = 192.168.30.xx

Site4= H.O (Aggregate Site)

Nodes=90

IP Scheme = 192.168.0.xx

Sites 1, 2 and 3 are aggregated at H.O in a Layer 2 switch.

I've created four (4) VLANs, one for each site, on aggregate site 4 (H.O) on a Cisco switch model 3550 48 ports, and pulled the cables of each remote site 1, 2, 3 from the Layer 2 switch (provided to us by the VPN/DATA link service provider) and plugged them into the Cisco Layer 3 switch 3550.

The Cisco 3550 configuration is as follows (in brief):

vlan 10
name ispl
int vlan 10
ip add 192.168.10.100 255.255.255.0

vlan 20
name isml
int vlan 20
ip add 192.168.20.100 255.255.255.0

vlan 30
name ksml
int vlan 30
ip add 192.168.30.100 255.255.255.0

vlan 40
name h.o
int vlan 40
ip add 192.168.0.100 255.255.255.0

ip routing is enabled

The whole scenario above is working fine using the following configuration.

Suppose we have one PC at remote site 1; here is its configuration:

PC1

IP Address:      192.168.10.1

subnet mask:    255.255.255.0

Gateway          192.168.10.100

and another PC on site 4

PC2

IP Address:      192.168.0.1

subnet mask:    255.255.255.0

Gateway          192.168.0.100

They ping each other... fine.

In short, we have to provide to each computer of each site the default gateway of the port it is connected to, OK?

Problem: when we set the gateway on any site's computer for inter-VLAN communication, we can't browse the internet, as we have different scenarios on the sites for internet. For example, on site 1 we have a DSL modem directly plugged into the switch, so for internet we set the DSL modem IP as the default gateway on that PC. But how can we set up two or more default gateways so our internet and VLAN traffic both remain alive? I've tried entering an extra gateway, but only whichever is set as default, either the DSL modem or the VLAN switch port IP, works. Please guide me on how I can fix this issue, because if the VLANs work then the internet does not, and if the internet works then the VLANs do not. Here in H.O I also have a TMG server, but in that case we again have to set a gateway for internet on a PC. Please help me, and ask if you need more info regarding my scenario or if anything is missing.

awaiting.....

Accepted Solution

If you only want pcs in vlan10 to access pcs in vlan 40 change the route statement to route add -p 192.168.0.0 mask 255.255.255.0 192.168.10.100. Delete the other route statement with route -delete .


Jon Marshall
Hall of Fame

So you have one internet connection in the Head Office?

If so, you need to add a default route on your 3550, i.e.

ip route 0.0.0.0 0.0.0.0

then set the default gateway for each VLAN to be the L3 switch IP address for that VLAN.

However, for return traffic from the internet to work you need to be able to add routes to the modem, and I'm not sure you will be able to. Basically, on the modem you need -

route

Note the syntax used probably won't be accurate, so you need to work out how the modem (if it does) adds routes.

Jon

No! I have more than one internet connection in H.O.

Let me tell you one thing: we have an entirely unmanaged LAN environment (non-manageable switches and a WORKGROUP environment of Windows XP based PCs) at all sites including H.O. Here in H.O, one internet connection is provided to us by the ISP whose services we have taken to connect our remote sites 1, 2 and 3, and one more DSL router is directly plugged into a switch in our LAN. All site links are terminated in H.O in a Layer 2 switch (device) this way: Port 1 - Internet (they have given us one default gateway and 1 IP for this port, which we can set on our PC or use to make a server like TMG etc.); Ports 2, 3 and 4 have the remote sites' VPN/DATA links. Actually, they shut down our links several times, saying "we are facing MAC flapping from your aggregate site (H.O)", because we had terminated all three links coming from the remote sites into our non-manageable switch. Now they suggest that we "deploy a Layer 3 device (switch) and manage your internal network, otherwise your link will be shut down until you do so".

Now I've googled and found the solution of VLANs, and I have succeeded in it. I've created three VLANs for all sites, but for inter-VLAN connectivity I have to set the Layer 3 switch VLAN interface IP as the gateway on that computer for communication. I am stuck here: if I've already set up the gateway of the VLAN interface, then how would this computer be able to access the internet? Suppose I prepare the TMG server; you know we have to set a proxy setting or set up a default gateway on that computer for internet surfing. But how?

Jeff Van Houten
Level 5

There was a serious error when you attempted to create another gateway and, in effect, have 2 gateways into each subnet. The easiest solution may be to leave the ISP gateways on the remote PCs, and add static routes to each PC for the internal subnets.

So, a remote PC in vlan 40 would have a default route of 0.0.0.0 0.0.0.0 -> ISP gateway
followed by a route for the internal network
192.168.0.0 mask 255.255.0.0 -> 198.168.0.1

You'd have to add this route to all the internal systems, but it'd work. If these are Windows systems, also don't forget to add "/p" to add persistence across reboots.
Sent from Cisco Technical Support iPad App

Well, I don't want to plug the internet port coming from the Layer 2 switch into the Layer 3 switch. Suppose I prepare a separate TMG server having two NICs, of which one I will configure according to the given IP and set its default gateway to what they have provided us... OK? No problem (I've already prepared it and it's working). Now at the server I've got internet, and I did it... OK. Now on the second NIC I configure it with our LAN IP scheme, which is 192.168.0.xx 255.255.255.0, OK? Let's suppose I set the TMG server NIC 2's IP to 192.168.0.1 255.255.255.0, OK? Now, to access the internet in our LAN, what do I have to do? Obviously I have to set this gateway (192.168.0.1) on all PCs on which I want to browse the internet, OK... Now here comes the problem, because I've set the default gateway of those PCs to the IP of the Layer 3 switch port, which in my case is 192.168.0.100. When I set this gateway I can communicate with all VLAN PCs that have set up their respective interface IPs as gateway, but I can't use the internet. You have told me a different thing, which I hope will work, but it would be very nice if you would please type the complete command which I need to put on the PCs. Thank you.

Here is my running-config output:

Building configuration...

Current configuration : 3077 bytes

!

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname ASG

!

!

ip subnet-zero

ip routing

!

!

spanning-tree extend system-id

!

!

!

interface FastEthernet0/1

switchport access vlan 40

switchport trunk encapsulation dot1q

switchport mode access

no ip address

!

interface FastEthernet0/2

switchport access vlan 10

switchport mode access

no ip address

!

interface FastEthernet0/3

switchport access vlan 30

switchport mode access

no ip address

!

interface FastEthernet0/4

switchport access vlan 20

switchport mode access

no ip address

!

interface FastEthernet0/5

no switchport

no ip address

!

interface FastEthernet0/6

no ip address

!

interface FastEthernet0/7

no ip address

!

interface FastEthernet0/8

no ip address

!

interface FastEthernet0/9

no ip address

!

interface FastEthernet0/10

no ip address

!

interface FastEthernet0/11

no ip address

!

interface FastEthernet0/12

no ip address

!

interface FastEthernet0/13

no ip address

!

interface FastEthernet0/14

no ip address

!

interface FastEthernet0/15

no ip address

!

interface FastEthernet0/16

no ip address

!

interface FastEthernet0/17

no ip address

!

interface FastEthernet0/18

no ip address

!

interface FastEthernet0/19

no ip address

!

interface FastEthernet0/20

no ip address

!

interface FastEthernet0/21

no ip address

!

interface FastEthernet0/22

no ip address

!

interface FastEthernet0/23

no ip address

!

interface FastEthernet0/24

no ip address

!

interface FastEthernet0/25

no ip address

!

interface FastEthernet0/26

no ip address

!

interface FastEthernet0/27

no ip address

!

interface FastEthernet0/28

no ip address

!

interface FastEthernet0/29

no ip address

!

interface FastEthernet0/30

no ip address

!

interface FastEthernet0/31

no ip address

!

interface FastEthernet0/32

no ip address

!

interface FastEthernet0/33

no ip address

!

interface FastEthernet0/34

no ip address

!

interface FastEthernet0/35

no ip address

!

interface FastEthernet0/36

no ip address

!

interface FastEthernet0/37

no ip address

!

interface FastEthernet0/38

no ip address

!

interface FastEthernet0/39

no ip address

!

interface FastEthernet0/40

no ip address

!

interface FastEthernet0/41

no ip address

!

interface FastEthernet0/42

no ip address

!

interface FastEthernet0/43

no ip address

!

interface FastEthernet0/44

no ip address

!

interface FastEthernet0/45

no ip address

!

interface FastEthernet0/46

no ip address

!

interface FastEthernet0/47

no ip address

!

interface FastEthernet0/48

no ip address

!

interface GigabitEthernet0/1

no ip address

!

interface GigabitEthernet0/2

no ip address

!

interface Vlan1

no ip address

shutdown

!

interface Vlan10

ip address 192.168.10.100 255.255.255.0

!

interface Vlan20

ip address 192.168.20.100 255.255.255.0

!

interface Vlan30

ip address 192.168.30.100 255.255.255.0

!

interface Vlan40

ip address 192.168.0.100 255.255.255.0

!

ip classless

ip http server

!

!

!

!

line con 0

line vty 0 4

login

line vty 5 15

login

!

end

For a PC in vlan 10, leave the default gateway pointed to whatever ISP gateway you currently have. Open up the command prompt and type:
route add -p 192.168.0.0 mask 255.255.0.0 192.168.10.100
That will route the internal network address space to the gateway at 192.168.10.100 but leave all default communication to whatever IP address on the local subnet the ISP gateway is.

Sent from Cisco Technical Support iPad App

And, more than anything else, I think a drawing of a typical remote site, including a PC, whatever switch you have, a router, and all connections back to the HQ would help the group understand what you're attempting to accomplish.

Sent from Cisco Technical Support iPad App

Thank you very much, Jeff Van Houten. I really appreciate you showing your concern. I'll apply this command and let you know the result on Monday, as tomorrow is Sunday (off). I am drawing the diagram and I'll share it with you soon. Well, I am wondering if this way PCs on VLAN 10 would be able to access the Novell NetWare server (3.12), very old stuff though still working... We have one on each site, and you would know that its communication protocol is IPX/SPX. On the Windows platform, Windows 98 to Windows XP have support for this protocol; Windows 7 or later has omitted it from the list. To gain access to the server we have to install the NetWare client >>>>>>>>>>> restart the computer and done! It sniffs the Novell server name, we just select it and the login script runs, that's it. In the above case, would it be possible??? Well, I hope so, let me give it a try.

I don't know if a 3550 switch can route IPX or not, but I doubt it. It's been a number of years since I've messed with IPX.

Sent from Cisco Technical Support iPad App

WOW! First of all I would like to thank you again. This command "route add -p 192.168.0.0 mask 255.255.0.0 192.168.10.100" is magic; it works like a charm without providing a gateway to each computer on each site.

But as I mentioned earlier, we have a Novell NetWare 3.12 server on each site. I am unable to access those servers from H.O (aggregate site). And one more thing: we want H.O (aggregate site) computers to access a specific VLAN (site), e.g. VLAN 40 computer 192.168.0.1 should be allowed to access only VLAN 20 and VLAN 40 computer 192.168.0.2 should be allowed to access only VLAN 10. Hence we don't want VLAN 10, VLAN 20 and VLAN 30 to communicate with each other; they only need to communicate with the VLAN 40 (H.O aggregate) site.

I am sending you the drawing so you may have an idea about our scenario. Please help me to restrict VLAN computers to a specific VLAN; how would we do it, in the Cisco switch 3550 or in the computers? And also help me to access Novell NetWare 3.12 across the VLANs.

If you only want pcs in vlan10 to access pcs in vlan 40 change the route statement to route add -p 192.168.0.0 mask 255.255.255.0 192.168.10.100. Delete the other route statement with route -delete .

Sent from Cisco Technical Support iPad App
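
Added example, not part of the thread: a longest-prefix-match model of a VLAN 10 PC's route table, comparing the 255.255.0.0 route suggested earlier with the 255.255.255.0 route from the reply above. The ISP gateway address 192.168.10.254 is an assumption, since the thread never states the DSL modem's IP.

```python
import ipaddress

def next_hop(routes, dest):
    """Return the gateway of the most specific route covering dest."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

ISP_GW = "192.168.10.254"      # assumed DSL modem address (not given in the thread)
SWITCH_SVI = "192.168.10.100"  # Vlan10 interface on the 3550, from the thread

def pc_table(internal_prefix):
    """Route table of a VLAN 10 PC: own subnet, default route, one static route."""
    return [
        ("192.168.10.0/24", "on-link"),
        ("0.0.0.0/0", ISP_GW),
        (internal_prefix, SWITCH_SVI),
    ]

# route add -p 192.168.0.0 mask 255.255.0.0 192.168.10.100
WIDE = pc_table("192.168.0.0/16")
# route add -p 192.168.0.0 mask 255.255.255.0 192.168.10.100
NARROW = pc_table("192.168.0.0/24")

# Constructed sample destinations, one per network mentioned in the thread.
DESTS = {
    "local": "192.168.10.7",
    "vlan40": "192.168.0.1",
    "vlan20": "192.168.20.1",
    "vlan30": "192.168.30.1",
    "internet": "8.8.8.8",
}

def report(table):
    """Map each sample destination to the gateway the PC would use."""
    return {name: next_hop(table, ip) for name, ip in DESTS.items()}

if __name__ == "__main__":
    for label, table in (("mask 255.255.0.0", WIDE), ("mask 255.255.255.0", NARROW)):
        print(label, report(table))
```

With the /24 route the PC hands VLAN 20 and VLAN 30 traffic to the ISP gateway, but the 3550 still routes between all four VLANs for any host that points at it, so host routes alone do not enforce the separation asked about in the thread.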

OK! Please check whether these commands are correct or not according to the given scenario.

Only VLAN10 to VLAN40 = route add -p 192.168.0.0 mask 255.255.255.0 192.168.10.100

Only VLAN20 to VLAN40 = route add -p 192.168.0.0 mask 255.255.255.0 192.168.20.100

Only VLAN30 to VLAN40 = route add -p 192.168.0.0 mask 255.255.255.0 192.168.30.100

Some PCs of VLAN40 to VLAN10 = ????????

Some PCs of VLAN40 to VLAN20 = ????????

Some PCs of VLAN40 to VLAN30 = ????????

m.rana.ku
Level 1

Hi there,

Actually, to access the internet from VLANs you need to configure NAT, but only some Cisco Layer 3 switches (i.e. 6500, 6000 and 5500) support NAT. That's why, for the Cisco Layer 3 switches which don't support NAT, we can apply a dynamic routing protocol (EIGRP) on both the Cisco Layer 3 switch and the router to access the internet. The common problem is that VLAN 1 can access the internet but other VLANs can't; in this case, if you apply EIGRP routing on both the Cisco router and the Cisco Layer 3 switch, then the router and other VLANs will access each other through dynamically detecting the VLAN 1 interface IP address.

The whole process has been precisely described in the following YouTube video:

"Configure VLAN | Allow VLANs to Access Internet"

https://www.youtube.com/channel/UCmZZ2BNGXQH1HPS3uIVnr7A?sub_confirmation=1


Cisco Router Configuration:

configure terminal
interface gigabitEthernet 0/0
no shutdown
ip address dhcp
exit

interface gigabitEthernet 0/1
ip address 192.168.2.1 255.255.255.0
no shutdown
exit

ip dhcp pool mainuser
network 192.168.2.0 /24
default-router 192.168.2.1
dns-server 8.8.8.8
exit

ip route 0.0.0.0 0.0.0.0 192.168.1.1

interface gigabitEthernet 0/0
ip nat outside
exit

interface gigabitEthernet 0/1
ip nat inside
exit

ip access-list standard 1
permit any
exit

ip nat inside source list 1 interface gigabitEthernet 0/0 overload
exit

Applying Dynamic Routing EIGRP in Cisco Router:

router eigrp 10
network 192.168.2.0 255.255.255.0
exit

Configuration in Switch part:

enable
configure terminal
vlan 10
name hr
exit

vlan 20
name it
exit

interface range fastEthernet 0/13-18
switchport mode access
switchport access vlan 10
no shutdown
exit

interface range fastEthernet 0/19-24
switchport mode access
switchport access vlan 20
exit

interface vlan 10
ip address 192.168.3.1 255.255.255.0
exit

interface vlan 20
ip address 192.168.4.1 255.255.255.0
exit

Applying Inter VLAN Routing in Cisco Switch:
configure terminal
ip routing
exit

Applying Static Routing in Cisco Switch to Cisco Default Router:
ip route 0.0.0.0 0.0.0.0 192.168.2.1
exit

Applying Dynamic Routing EIGRP in Cisco Router:

configure terminal
router eigrp 10
network 192.168.3.0 255.255.255.0
network 192.168.4.0 255.255.255.0
network 192.168.2.0 255.255.255.0
exit

https://www.youtube.com/watch?v=-JeubKTW8-w
