Inter-VLAN Internet Routing

eldin.didic
Level 1

Hi,

I have a relatively straightforward question and was hoping to get some guidance or perhaps a solution.

I currently have a 887VA-W sitting on 192.168.2.2 VLAN ID 1 network for my core network, purely for internet routing.

I am building a new server environment which sits on a VLAN 192.168.200.0/24 VLAN ID 200.

The idea is to move the router from 192.168.2.2 to 192.168.200.2 and have internet capabilities on both VLANs using the router's IP address on its relevant VLAN gateway interfaces, and have VLAN ID 1 purely for desktop clients.

So I want the following:

1) VLAN ID 1 192.168.2.0/24 to be able to access internet using the interface address for VLAN 1 192.168.2.2

2) VLAN ID 200 192.168.200.0/24 to be able to access internet using the interface address for VLAN 200 192.168.200.2

While still maintaining the capability of performing Inter-VLAN routing between both the interfaces.

So here is what my current configuration looks like at present, albeit missing the ideal VLAN configuration, hoping this is where I can get some assistance from you. I’ll dump the config, hopefully someone could be kind enough to mark-up the changes for me.

Many Thanks Guys…

Current configuration : 8830 bytes
!
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname internet-gateway01
!
boot-start-marker
boot-end-marker
!
!
logging buffered informational
no logging console
!
aaa new-model
!
aaa session-id common
clock timezone UTC 10 0
crypto pki token default removal timeout 0
!
ip source-route
ip cef
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool guest-internet
 network 10.10.10.0 255.255.255.0
 dns-server 10.10.10.1
 default-router 10.10.10.1
!
!
ip domain name mydomain.com
ip name-server 192.168.2.15
ip name-server 192.168.2.16
ip name-server 8.8.8.8
no ipv6 cef
!
controller VDSL 0
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 ip flow ingress
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport access vlan 2
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.2.2 255.255.255.0
 ip access-group vlan-control in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Guest-Vlan
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description ADSL WAN Dialer
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group dialer-acl in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxx@xxx.com
 ppp chap password 0 xxx
 ppp pap sent-username xxx@xxx.com password 0 xxx
 ppp ipcp route default
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list internal-nat-list interface Dialer1 overload
ip nat inside source static tcp 192.168.2.35 25 interface Dialer1 25
ip nat inside source static tcp 192.168.2.35 443 interface Dialer1 443
ip nat inside source static tcp 192.168.2.100 80 interface Dialer1 8008
ip nat inside source static tcp 192.168.2.36 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.2.36 47 interface Dialer1 47
ip route 192.168.3.0 255.255.255.0 192.168.2.1 10 permanent name ben-route
ip route 192.168.5.0 255.255.255.0 192.168.2.1 10 permanent name cam-route
ip route 192.168.6.0 255.255.255.0 192.168.2.1 10 permanent name nor-route
ip route 192.168.7.0 255.255.255.0 192.168.2.1 10 permanent name wireless-vpn-route
ip route 192.168.10.0 255.255.255.0 192.168.2.1 10 permanent name bri-route
ip route 192.168.11.0 255.255.255.0 192.168.2.1 10 permanent name wig-route
ip route 192.168.12.0 255.255.255.0 192.168.2.1 10 permanent name newe-route
ip route 192.168.100.0 255.255.255.0 192.168.2.1 10 permanent name wireless-framed-route
ip route 192.168.200.0 255.255.255.0 192.168.2.1 10 permanent name vlan200
!
ip access-list extended dialer-acl
 -- removed to simplify readability --
ip access-list extended internal-nat-list
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 192.168.200.0 0.0.0.255 any
ip access-list extended terminal-acl
 permit tcp host 192.168.2.166 any eq telnet log
 permit tcp any any eq 22 log
 permit tcp 192.168.2.0 0.0.0.255 any eq telnet log
 permit tcp 192.168.7.0 0.0.0.255 any eq telnet log
 deny   tcp any any log
ip access-list extended vlan-control
 deny   ip 202.7.0.0 0.0.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
logging trap debugging
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class terminal-acl in
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 3.pool.ntp.org
ntp server 2.pool.ntp.org
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org
end


8 Replies

Collin Clark
VIP Alumni

The config looks good. What is not working?

The port on the router for vlan 2 is connected to the switch in vlan 2 correct?

Sent from Cisco Technical Support Android App

Hi Collin,

Thanks for your reply.

That is an existing VLAN for our wireless access port: VLAN ID 2.

I am referring to creating a new VLAN "200", not the existing VLAN "2" configuration.

Thanks mate.

Hi Eldin,

This is what needs to be configured.

interface Vlan200
 description New
 ip address 192.168.200.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in

Your NAT ACL already has the 192.168.200.x network and hence you don't need any modification in there.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!
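To check the point about the NAT ACL mechanically rather than by eye, here is an added Python example (not code from this thread, from Cisco, or from any of the participants). It parses a `show running-config` excerpt, finds every interface marked `ip nat inside`, verifies that each one's subnet is matched by the ACL named in `ip nat inside source list`, and flags static routes whose prefix becomes directly connected once the new SVI exists (the `ip route 192.168.200.0 ... 192.168.2.1` line in the posted config). The embedded config is a constructed excerpt of the config posted in the question plus the Vlan200 SVI from this reply; the parser assumes IOS's one-space indentation of sub-commands (which the forum copy above lost) and contiguous wildcard masks.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpt of the running-config posted in the question (IOS's
# one-space indentation of sub-commands restored; the forum copy lost it).
CONFIG_BEFORE = """\
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
!
interface Vlan2
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
ip nat inside source list internal-nat-list interface Dialer1 overload
ip route 192.168.3.0 255.255.255.0 192.168.2.1 10 permanent name ben-route
ip route 192.168.200.0 255.255.255.0 192.168.2.1 10 permanent name vlan200
!
ip access-list extended internal-nat-list
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 192.168.200.0 0.0.0.255 any
"""
# The same config with the Vlan200 SVI from the reply above appended.
CONFIG_AFTER = CONFIG_BEFORE + """\
interface Vlan200
 ip address 192.168.200.2 255.255.255.0
 ip nat inside
!
"""


@dataclass
class Iface:
    name: str
    network: ipaddress.IPv4Network | None = None
    nat_inside: bool = False
    nat_outside: bool = False


@dataclass
class Audit:
    ifaces: dict[str, Iface] = field(default_factory=dict)
    acls: dict[str, list[ipaddress.IPv4Network]] = field(default_factory=dict)
    nat_source_list: str | None = None
    static_routes: list[tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACL wildcard mask to prefix: 0.0.0.255 -> /24 (assumes a contiguous mask)."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)


def parse_config(text: str) -> Audit:
    a, section = Audit(), None  # section = ("iface"|"acl", name) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command
            section = None
            if m := re.match(r"interface (\S+)", line):
                a.ifaces[m[1]] = Iface(m[1])
                section = ("iface", m[1])
            elif m := re.match(r"ip access-list extended (\S+)", line):
                a.acls.setdefault(m[1], [])
                section = ("acl", m[1])
            elif m := re.match(r"ip nat inside source list (\S+) interface", line):
                a.nat_source_list = m[1]
            elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
                a.static_routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
            continue
        body = line.strip()  # sub-command of the open block
        if section and section[0] == "iface":
            iface = a.ifaces[section[1]]
            if m := re.match(r"ip address (\S+) (\S+)$", body):
                iface.network = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif body == "ip nat inside":
                iface.nat_inside = True
            elif body == "ip nat outside":
                iface.nat_outside = True
        elif section and section[0] == "acl":
            if m := re.match(r"permit ip (\S+) (\S+) any$", body):
                a.acls[section[1]].append(wildcard_to_network(m[1], m[2]))
    return a


def nat_coverage(a: Audit) -> dict[str, bool]:
    """Is each `ip nat inside` interface's subnet matched by the NAT source list?"""
    permitted = a.acls.get(a.nat_source_list or "", [])
    return {n: any(i.network.subnet_of(p) for p in permitted)
            for n, i in a.ifaces.items() if i.nat_inside and i.network is not None}


def stale_static_routes(a: Audit) -> list[tuple[str, str]]:
    """Static routes for prefixes that are now directly connected: the connected
    route (AD 0) wins, so the static one is dead weight and should be removed."""
    connected = [i.network for i in a.ifaces.values() if i.network is not None]
    return [(str(net), nh) for net, nh in a.static_routes if net in connected]


def audit(text: str) -> dict:
    a = parse_config(text)
    return {"nat_outside_present": any(i.nat_outside for i in a.ifaces.values()),
            "nat_coverage": nat_coverage(a),
            "stale_static_routes": stale_static_routes(a)}


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after Vlan200", CONFIG_AFTER)):
        print(label, audit(cfg))
```

Run against the "after" config, the audit confirms that 192.168.200.0/24 is already permitted by `internal-nat-list`, as the reply says, and reports the old `ip route 192.168.200.0 ... 192.168.2.1` as stale once Vlan200 is directly connected. Two things the script does not need to check but that follow from the config: traffic between Vlan1 and Vlan200 goes inside-to-inside, so it is routed without any translation (the NAT list only matters for flows leaving via Dialer1), and nothing in the config filters that inter-VLAN traffic; if the desktop VLAN should not reach every port on the server VLAN, an `ip access-group ... in` on the Vlan200 SVI, in the style of the existing `vlan-control` ACL on Vlan1, is where that policy belongs.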

Hi Najaf,

Thank you.

Once I have created VLAN 200, do I add it via an interface (then physically connect it to the switch and configure that connected port as trunk or access) or do I do it via a sub interface? Sorry just trying to understand it all.


Do I need to add dot1q encapsulation to that interface also? One further question, will it be a trunk or access port?

Cheers Najaf.

Appreciate your response buddy.

Hi,

Assuming this router is connected to a layer-2 switch, you need to have a trunk between the router and the switch so it can carry VLAN 1 and the new VLAN (200). You also need to create VLAN 200 on the layer-2 switch. Najaf already provided the SVI config for the router.

Also, the router will route between VLAN 1 and 200 for you.

Verify that it is all working by putting a PC/laptop in VLAN 200 and one laptop in VLAN 1. Ping from one laptop to the other.

HTH

Hi Eldin,

There are two ways you can configure this, depending on your physical setup.

1) Configure the router interface as trunk. i.e.

interface FastEthernet0
 switchport mode trunk

Connect the L2 switch to this port and configure the switch port as a trunk port as well. The logic here is that a trunk port carries all VLANs and hence multiple VLANs (VLAN 2, 200 etc.) pass over the same link. Since we are creating an SVI interface you don't have to specify any encapsulation on the interface. Also you need to ensure that you have the relevant L2 VLANs on the switches, like Reza mentioned.

2) Configure the router interface as an access port, i.e.

interface FastEthernet2
 switchport access vlan 200
!
interface FastEthernet3
 switchport access vlan 2   (your as-is configuration)

With this configuration you can connect a new switch to port Fas 2 of the router, configure the switch port as an access port for VLAN 200, and connect all the new server environment devices which you are going to build to this switch. Here also you don't need any encapsulation configuration on the interface.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

Thanks Guys.

Working great now. So much easier when you've got the know-how.

Big props to you guys. Made my weekend that much better.

Hi Eldin,

Thanks for marking this as answered. Good to hear that things are working as expected. Do come to these forums with more challenging issues like this :-)

Regards

Najaf