05-30-2013 03:51 PM - edited 03-07-2019 01:39 PM
Hi,
I have a relatively straightforward question and was hoping to get some guidance or perhaps a solution.
I currently have a 887VA-W sitting on 192.168.2.2 VLAN ID 1 network for my core network, purely for internet routing.
I am building a new server environment which sits on a VLAN 192.168.200.0/24 VLAN ID 200.
The idea is to move the router from 192.168.2.2 to 192.168.200.2 and have internet capabilities on both VLANs using the router's IP address on its relevant VLAN gateway interfaces and purely have VLAN ID 1 only for desktop clients.
So I want the following:
1) VLAN ID 1 192.168.2.0/24 to be able to access internet using the interface address for VLAN 1 192.168.2.2
2) VLAN ID 200 192.168.200.0/24 to be able to access internet using the interface address for VLAN 200 192.168.200.2
While still maintaining the capability of performing Inter-VLAN routing between both the interfaces.
So here is what my current configuration looks like at present, albeit missing the ideal VLAN configuration, hoping this is where I can get some assistance from you. I’ll dump the config, hopefully someone could be kind enough to mark-up the changes for me.
Many Thanks Guys…
Current configuration : 8830 bytes
!
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname internet-gateway01
!
boot-start-marker
boot-end-marker
!
!
logging buffered informational
no logging console
!
aaa new-model
!
aaa session-id common
clock timezone UTC 10 0
crypto pki token default removal timeout 0
!
ip source-route
ip cef
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool guest-internet
network 10.10.10.0 255.255.255.0
dns-server 10.10.10.1
default-router 10.10.10.1
!
!
ip domain name mydomain.com
ip name-server 192.168.2.15
ip name-server 192.168.2.16
ip name-server 8.8.8.8
no ipv6 cef
!
controller VDSL 0
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.2.2 255.255.255.0
ip access-group vlan-control in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
description Guest-Vlan
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
description ADSL WAN Dialer
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip access-group dialer-acl in
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx@xxx.com
ppp chap password 0 xxx
ppp pap sent-username xxx@xxx.com password 0 xxx
ppp ipcp route default
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list internal-nat-list interface Dialer1 overload
ip nat inside source static tcp 192.168.2.35 25 interface Dialer1 25
ip nat inside source static tcp 192.168.2.35 443 interface Dialer1 443
ip nat inside source static tcp 192.168.2.100 80 interface Dialer1 8008
ip nat inside source static tcp 192.168.2.36 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.2.36 47 interface Dialer1 47
ip route 192.168.3.0 255.255.255.0 192.168.2.1 10 permanent name ben-route
ip route 192.168.5.0 255.255.255.0 192.168.2.1 10 permanent name cam-route
ip route 192.168.6.0 255.255.255.0 192.168.2.1 10 permanent name nor-route
ip route 192.168.7.0 255.255.255.0 192.168.2.1 10 permanent name wireless-vpn-route
ip route 192.168.10.0 255.255.255.0 192.168.2.1 10 permanent name bri-route
ip route 192.168.11.0 255.255.255.0 192.168.2.1 10 permanent name wig-route
ip route 192.168.12.0 255.255.255.0 192.168.2.1 10 permanent name newe-route
ip route 192.168.100.0 255.255.255.0 192.168.2.1 10 permanent name wireless-framed-route
ip route 192.168.200.0 255.255.255.0 192.168.2.1 10 permanent name vlan200
!
ip access-list extended dialer-acl
-- removed to simplify readability --
ip access-list extended internal-nat-list
permit ip 192.168.2.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 192.168.200.0 0.0.0.255 any
ip access-list extended terminal-acl
permit tcp host 192.168.2.166 any eq telnet log
permit tcp any any eq 22 log
permit tcp 192.168.2.0 0.0.0.255 any eq telnet log
permit tcp 192.168.7.0 0.0.0.255 any eq telnet log
deny tcp any any log
ip access-list extended vlan-control
deny ip 202.7.0.0 0.0.255.255 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
!
logging trap debugging
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class terminal-acl in
exec-timeout 0 0
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 3.pool.ntp.org
ntp server 2.pool.ntp.org
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org
end
05-30-2013 06:51 PM
The config looks good. What is not working?
The port on the router for vlan 2 is connected to the switch in vlan 2 correct?
Sent from Cisco Technical Support Android App
05-30-2013 06:54 PM
Hi Collin,
Thanks for your reply.
That is an existing VLAN for our wireless access port: VLAN ID 2.
I am referring to creating a new VLAN "200", not the existing VLAN "2" configuration.
Thanks mate.
05-30-2013 07:13 PM
Hi Eldin,
This is what you need to configure.
interface Vlan200
description New
ip address 192.168.200.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
Your NAT ACL already has the 192.168.200.x network and hence you don't need any modification there.
Hope that helps.
Regards
Najaf
Please rate when applicable or helpful !!!
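Added example, not part of the original thread or of any poster's reply: a small offline check of the answer above against the posted config. It confirms that each `ip nat inside` subnet is matched by `internal-nat-list`, flags SVIs with no inbound `ip access-group` (Vlan1 has `vlan-control`, the new Vlan200 has none), and flags static routes that overlap a now-connected subnet, such as the posted `ip route 192.168.200.0 ... 192.168.2.1`. The function names and the trimmed excerpt are assumptions made for the example.

```python
import ipaddress

# Constructed excerpt: lines from the posted config plus the Vlan200 SVI from the answer.
SAMPLE = """\
interface Vlan1
ip address 192.168.2.2 255.255.255.0
ip access-group vlan-control in
ip nat inside
interface Vlan200
ip address 192.168.200.2 255.255.255.0
ip nat inside
ip nat inside source list internal-nat-list interface Dialer1 overload
ip route 192.168.3.0 255.255.255.0 192.168.2.1 10 permanent name ben-route
ip route 192.168.200.0 255.255.255.0 192.168.2.1 10 permanent name vlan200
ip access-list extended internal-nat-list
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.200.0 0.0.0.255 any
"""

def parse(cfg):
    """Keyword-driven parse; assumes literal addresses (no redacted or dhcp lines)."""
    svis, routes, acls, intf, acl = {}, [], {}, None, None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "interface":
            intf, acl = w[1], None
        elif w[:3] == ["ip", "access-list", "extended"]:
            intf, acl = None, w[3]
        elif w[:2] == ["ip", "route"]:
            routes.append(ipaddress.ip_network(f"{w[2]}/{w[3]}"))
        elif intf and w[:2] == ["ip", "address"]:
            svis[intf] = {"net": ipaddress.ip_interface(f"{w[2]}/{w[3]}").network}
        elif intf in svis and w == ["ip", "nat", "inside"]:
            svis[intf]["nat_inside"] = True   # exact match; the global NAT rule is longer
        elif intf in svis and w[:2] == ["ip", "access-group"] and w[-1] == "in":
            svis[intf]["acl_in"] = w[2]
        elif acl and w[:2] == ["permit", "ip"] and w[2] not in ("any", "host"):
            # An ACL wildcard mask is a host mask, which ipaddress accepts directly.
            acls.setdefault(acl, []).append(ipaddress.ip_network(f"{w[2]}/{w[3]}"))
    return svis, routes, acls

def audit(cfg, nat_acl="internal-nat-list"):
    svis, routes, acls = parse(cfg)
    out = []
    for name, s in svis.items():
        if s.get("nat_inside") and not any(s["net"].subnet_of(p) for p in acls.get(nat_acl, [])):
            out.append(f"{name}: {s['net']} not permitted by {nat_acl}")
        if s.get("acl_in") is None:
            out.append(f"{name}: no inbound access-group")
        out += [f"{name}: static route {r} overlaps connected subnet" for r in routes if r.overlaps(s["net"])]
    return out
```

Once Vlan200 is up, its connected route takes precedence over the static route for the same /24, so the overlap finding marks a leftover entry to clean up.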
05-30-2013 07:26 PM
Hi Najaf,
Thank you.
Once I have created VLAN 200, do I add it via an interface (then physically connect it to the switch and configure that connected port as trunk or access) or do I do it via a sub interface? Sorry just trying to understand it all.
Do I need to add dot1q encapsulation to that interface also? One further question, will it be a trunk or access port?
Cheers Najaf.
Appreciate your response buddy.
05-30-2013 07:42 PM
Hi,
Assuming this router is connected to a layer-2 switch, you need to have a trunk between the router and the switch, so it can carry vlan 1 and the new vlan (200). You also need to create vlan 200 on the layer-2 switch. Najaf already provided the SVI config for the router.
Also, the router will route between vlan 1 and 200 for you.
Verify all that is working by putting a PC/laptop in vlan 200 and one laptop in vlan 1. Ping from one laptop to another.
HTH
05-30-2013 08:00 PM
Hi Eldin,
Two ways you can configure this depending on your physical setup.
1) Configure the router interface as trunk. i.e.
interface FastEthernet0
switchport mode trunk
Connect the L2 switch to this port and configure the switch port as a trunk port as well. The logic here is that a trunk port carries all VLANs and hence multiple VLANs (vlan 2, 200 etc...) pass over the same link. Since we are creating an SVI interface you don't have to specify any encapsulation on the interface. Also you need to ensure that you have the relevant L2 VLANs on the switches like Reza mentioned.
2) Configure the router interface as access port
interface FastEthernet2
switchport access vlan 200
!
interface FastEthernet3
switchport access vlan 2 (Your as is configuration)
With this configuration you can connect a new switch to port Fas 2 of the router and configure the switch port as an access port for vlan 200 and connect all the new server environment devices which you are going to build to this switch. Here also you don't need any encapsulation configuration on the interface.
Hope that helps.
Regards
Najaf
Please rate when applicable or helpful !!!
05-30-2013 09:41 PM
Thanks Guys.
Working great now. So much easier when you've got the know-how.
Big props to you guys. Made my weekend that much better.
05-30-2013 10:08 PM
Hi Eldin,
Thanks for marking this as answered. Good to hear that things are working as expected. Do come to these forums with more challenging issues like this :-)
Regards
Najaf