cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1678
Views
0
Helpful
8
Replies

InterVlan Routing -ISR with ESM

Hi guys, 

 

Apologies if this is posted in the wrong place but I'm just looking for some advice...

I've got a 2811 ISR with a NM-16ESW, the router is connected to my cable modem with it's FastEth 0/0 interface, and there are 2 vlans on the router 10 & 15 each has 8 ports of the ESM assigned to it.

 

FastEth 0/0         -> Cable modem

FastEth 1/0 - 7   -> Vlan 10

FastEth 1/8 - 15 -> Vlan 15

 

I'd like to have machines on both vlans to access the internet via the Cable modem but not be able to access the machines on the other vlan. I've managed to get one of the two vlans up so it can access the internet but machines on the second vlan can't ping the router.

 

Below is sample of the relevant parts of my config;

!
interface FastEthernet0/0
 ip address 192.168.1.60 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 switchport access vlan 10
!
interface FastEthernet1/1
 switchport access vlan 10
!
interface FastEthernet1/2
 switchport access vlan 10
!
interface FastEthernet1/3
 switchport access vlan 10
!
interface FastEthernet1/4
 switchport access vlan 10
!
interface FastEthernet1/5
 switchport access vlan 10
!
interface FastEthernet1/6
 switchport access vlan 10
!
interface FastEthernet1/7
 switchport access vlan 10
!
interface FastEthernet1/8
 switchport access vlan 15
!
interface FastEthernet1/9
 switchport access vlan 15
!
interface FastEthernet1/10
 switchport access vlan 15
!
interface FastEthernet1/11
 switchport access vlan 15
!
interface FastEthernet1/12
 switchport access vlan 15
!
interface FastEthernet1/13
 switchport access vlan 15
!
interface FastEthernet1/14
 switchport access vlan 15
!
interface FastEthernet1/15
 switchport access vlan 15
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan15
 ip address 192.168.15.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!


Any help would be greatly appreciated.

 

Thanks in advance for any replies,

    Yanni

1 Accepted Solution

Accepted Solutions

Hi guys,

 

Looks like I've fixed it now...

So as a last ditch effort I wiped my configuration and rebuilt from scratch, and well now it all works.

 

 

Thanks for all the suggestions and thank you guys for your time!

View solution in original post

8 Replies 8

Hi

Your configuration looks fine at simple sight, have you verified if the computers are using the proper gateway IP (SVI IP on ther router)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Hi there,

 

Yes I've confirmed that all machines have the correct IP address configurations, and upon further troubleshooting I have found that while the router itself can ping both the physical interface and one of the vlan interfaces, it can't ping the other vlan interface... 

Here is a sample of the ping outputs.

 

Ping FastEth interface;
Athena#ping 192.168.1.60 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.60, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms Ping vlan 10 interface; Athena#ping 192.168.10.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.10.254, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) ping vlan 15 interface; Athena#ping 192.168.15.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.15.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

 

On the switch module did you run the command...

ip routing

 

I think that needs to configured on that module. I will double check because it has been awhile using that module.

 

Mike

Hey Mike, 

 

not too sure how to configure the module directly, could you clarify what you mean by this? 

 

 

-Yanni

I think for clarity I'd better describe what I'm going for as I've found multiple articles online that aren't too helpful :/


What I'm going for is basically a router on a stick type config but instead of using another switch, using the NM-16ESW instead....

I hope that makes sense....

Sam Smiley
Level 3
Level 3

There are a couple of moving parts in this; first thing I would do is put the cable modem into bridge mode and let the 2811 do the NAT process. This will simplify the config where you don't have to deal with routing all of your subnets from the cable modem to the 2811.

 

Once you get the above done this becomes easy; the routes will be built in the 2811 as you add SVI interfaces. In order to prevent one VLAN from accessing the second VLAN you build access list that allow/deny as needed. For instance you will assign an access list to  VLAN 15 to give it Internet access but no access to any of the local networks.

 

interface Vlan15
 ip address 192.168.15.254 255.255.255.0
 ip access-group 105 in

 

access-list 105 deny   ip 192.168.15.0 0.0.0.255 192.168.0 0.0.255.255
access-list 105 permit ip any any

 

To prevent VLAN 10 from accessing VLAN 15 you would add a second access list and assign it to the VLAN 10 interface:

 

interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 ip access-group 106 in

 

access-list 106 deny   ip 192.168.10.0 0.0.0.255 192.168.0 0.0.255.255
access-list 106 permit ip any any

 

I have also attache a config from an old 2610 with a NME-16 installed, the only difference from the 2811 and this config is that this config uses a WIC-ADSL1 card for the Internet connection rather than an Ethernet interface. You should be able to get the idea from it.

Hey,

 

Thanks for the reply, I've given that a go and still no luck...

Looks like no matter what I try one of the vlan interfaces refuses to come up (see below)

Athena#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.60    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES unset  up                    up
!
FastEthernet1/15           unassigned      YES unset  up                    up
Vlan10                     192.168.10.254  YES manual up                    down
Vlan15                     192.168.15.254  YES manual up                    up

No idea why the vlan 10 interface won't come up...

 

Any ideas? 

 

Thanks guys

Hi guys,

 

Looks like I've fixed it now...

So as a last ditch effort I wiped my configuration and rebuilt from scratch, and well now it all works.

 

 

Thanks for all the suggestions and thank you guys for your time!

Review Cisco Networking for a $25 gift card