Solved: Inter-VLAN routing on Cisco 881 question

marks-alpac · ‎01-07-2012

Since my inside network is connected through the 881 switchport module, do I configure inter-vlan routing on the wan interface using subinterfaces? Do I need to do anything else? Is there anything I should know? Do I need to configure inter-vlan routing in a different way?

Please help.

Thanks.

Reza Sharifi · ‎01-08-2012

Correct, the router will route between the SVIs

And yes, you put ACL on the SVIs to prevent them from communication with each other. But before you do that make sure everything is working. Leave the ACLs for the end.

HTH

View solution in original post

Reza Sharifi · ‎01-07-2012

Not on the WAN interface. You need to configure the LAN side with sub-interface for each vlan and use .1Q for trunking.

can you post :sh run"?

HTH

marks-alpac · ‎01-08-2012

Reza Sharifi wrote:

Not on the WAN interface. You need to configure the LAN side with sub-interface for each vlan and use .1Q for trunking.

All of the LAN interfaces on an 881 are layer 2 interfaces. Is there a way to promote one to layer 3? I do have one LAN interface configured as a trunk port. But I can't add sub-interfaces to that interface, as it is a layer 2 interface.

Here's a snipit of my show run (so far):

version 15.0

!

no aaa new-model

memory-size iomem 10

!

ip source-route

ip cef

no ipv6 cef

!

interface FastEthernet0

switchport mode trunk

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

no ip address

duplex auto

speed auto

!

interface FastEthernet4.1

!

interface FastEthernet4.20

!

interface Vlan1

ip address 192.168.2.1 255.255.255.0

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

control-plane

!

end

Please help. Thanks!

Reza Sharifi · ‎01-08-2012

I only see one vlan in your config (vlan1). If this is the case that means all your switch ports where your PC/Printer, etc.. are connected need to be added to vlan 1. So you don't need to .1q trunking. Just add your interfaces to vlan 1.

Example:

interface FastEthernet2

description LAN printer

switchport access vlan 1

interface FastEthernet3

description LAN PC1

switchport access vlan 1

HTH

marks-alpac · ‎01-08-2012

That will not work.

I have not created the other vlans yet. I will have vlan 10, 20, 30, 40, 50, 60, 99, and 200 when I am done.

Fa0 and Fa1 will be trunk ports to switches. Each of those switches will have a variation of access ports, as well as one other trunk port (each) to a wireless AP.

Fa4 will be my WAN port.

Thank you for helping out. From the reading I've been doing, it looks like I need to do something with the VLAN SVI interfaces in order to enable inter-vlan routing. Is this correct? What needs to be done?

Please help. Thank you!

Leo Laohoo · ‎01-08-2012

I will have vlan 10, 20, 30, 40, 50, 60, 99, and 200 when I am done.

Just remember that the 860 can support up to 8 VLANs (with VLAN1 as one of them).

marks-alpac · ‎01-08-2012

Here is a more recent show run:

version 15.0

!

no aaa new-model

memory-size iomem 10

!

ip source-route

ip cef

no ipv6 cef

!

interface FastEthernet0

switchport mode trunk

!

interface FastEthernet1

switchport mode trunk

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

ip address 10.10.10.3 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet4.1

!

interface Vlan1

ip address 192.168.2.1 255.255.255.0

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

!

interface Vlan20

ip address 192.168.20.1 255.255.255.0

!

interface Vlan30

ip address 192.168.30.1 255.255.255.0

!

interface Vlan40

ip address 192.168.40.1 255.255.255.0

!

interface Vlan50

ip address 192.168.50.1 255.255.255.0

!

ip forward-protocol nd

ip http server

ip http secure-server

!

control-plane

!

end

Please help. Thank you!

Reza Sharifi · ‎01-08-2012

You already have all your SVI interfaces. For example :

interface Vlan1

ip address 192.168.2.1 255.255.255.0

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

....

These are all called SVI interface. If you need to trunk fa0 and fa1, then simply under each interface issue:

example

config t

interfa fa0

switchport trunk encapsulation dot1q

switchport mode trunk

This vlan allow all your vlans on the trunk ports

HTH

marks-alpac · ‎01-08-2012

Is this all I need for inter-vlan routing then? If I assign these SVI IPs as the default gateway on my hosts, I will be able to communicate between vlans/subnets?

If I want to assign ACLs on the router to control inter-vlan traffic, I would apply those ACLs to these SVIs, correct?

Thank you!

Reza Sharifi · ‎01-08-2012

Correct, the router will route between the SVIs

And yes, you put ACL on the SVIs to prevent them from communication with each other. But before you do that make sure everything is working. Leave the ACLs for the end.

HTH

marks-alpac · ‎01-08-2012

Thank you!

You have answered all my questions.

My problem was that this method of intervlan routing (SVIs) is CCNP level (discussed as Layer 3 switching), while I am only CCNA level. Only router-on-a-stick is discussed in the CCNA books. 800 series routers do not support router on a stick, as they instead work like layer 3 switches.

Once again, thank you!

ArchiTech89 · ‎08-02-2013

I had the same issue with an 876 -- I was looking for where to create the subinterfaces as well.

After a bit of testing, it seems that to do NAT (actually PAT via/overload), one will have to add to each of the int vlan xx (SVIs?) an ip nat inside command. Does that sound right to anyone with a bit more experience?

Regards,

jeremyNLSO
CCNA, MCITP
Berlin, Germany

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany