Apologies if this is posted in the wrong place but I'm just looking for some advice...
I've got a 2811 ISR with a NM-16ESW, the router is connected to my cable modem with it's FastEth 0/0 interface, and there are 2 vlans on the router 10 & 15 each has 8 ports of the ESM assigned to it.
FastEth 0/0 -> Cable modem
FastEth 1/0 - 7 -> Vlan 10
FastEth 1/8 - 15 -> Vlan 15
I'd like to have machines on both vlans to access the internet via the Cable modem but not be able to access the machines on the other vlan. I've managed to get one of the two vlans up so it can access the internet but machines on the second vlan can't ping the router.
Below is sample of the relevant parts of my config;
! interface FastEthernet0/0 ip address 192.168.1.60 255.255.255.0 duplex auto speed auto ! interface FastEthernet1/0 switchport access vlan 10 ! interface FastEthernet1/1 switchport access vlan 10 ! interface FastEthernet1/2 switchport access vlan 10 ! interface FastEthernet1/3 switchport access vlan 10 ! interface FastEthernet1/4 switchport access vlan 10 ! interface FastEthernet1/5 switchport access vlan 10 ! interface FastEthernet1/6 switchport access vlan 10 ! interface FastEthernet1/7 switchport access vlan 10 ! interface FastEthernet1/8 switchport access vlan 15 ! interface FastEthernet1/9 switchport access vlan 15 ! interface FastEthernet1/10 switchport access vlan 15 ! interface FastEthernet1/11 switchport access vlan 15 ! interface FastEthernet1/12 switchport access vlan 15 ! interface FastEthernet1/13 switchport access vlan 15 ! interface FastEthernet1/14 switchport access vlan 15 ! interface FastEthernet1/15 switchport access vlan 15 ! interface Vlan10 ip address 192.168.10.254 255.255.255.0 ! interface Vlan15 ip address 192.168.15.254 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 192.168.1.1 !
Any help would be greatly appreciated.
Thanks in advance for any replies,
Solved! Go to Solution.
Yes I've confirmed that all machines have the correct IP address configurations, and upon further troubleshooting I have found that while the router itself can ping both the physical interface and one of the vlan interfaces, it can't ping the other vlan interface...
Here is a sample of the ping outputs.
Ping FastEth interface;
Athena#ping 192.168.1.60 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.60, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms Ping vlan 10 interface; Athena#ping 192.168.10.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.10.254, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) ping vlan 15 interface; Athena#ping 192.168.15.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.15.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
There are a couple of moving parts in this; first thing I would do is put the cable modem into bridge mode and let the 2811 do the NAT process. This will simplify the config where you don't have to deal with routing all of your subnets from the cable modem to the 2811.
Once you get the above done this becomes easy; the routes will be built in the 2811 as you add SVI interfaces. In order to prevent one VLAN from accessing the second VLAN you build access list that allow/deny as needed. For instance you will assign an access list to VLAN 15 to give it Internet access but no access to any of the local networks.
ip address 192.168.15.254 255.255.255.0
ip access-group 105 in
access-list 105 deny ip 192.168.15.0 0.0.0.255 192.168.0 0.0.255.255
access-list 105 permit ip any any
To prevent VLAN 10 from accessing VLAN 15 you would add a second access list and assign it to the VLAN 10 interface:
ip address 192.168.10.254 255.255.255.0
ip access-group 106 in
access-list 106 deny ip 192.168.10.0 0.0.0.255 192.168.0 0.0.255.255
access-list 106 permit ip any any
I have also attache a config from an old 2610 with a NME-16 installed, the only difference from the 2811 and this config is that this config uses a WIC-ADSL1 card for the Internet connection rather than an Ethernet interface. You should be able to get the idea from it.
Thanks for the reply, I've given that a go and still no luck...
Looks like no matter what I try one of the vlan interfaces refuses to come up (see below)
Athena#sh ip int bri Interface IP-Address OK? Method Status Protocol FastEthernet0/0 192.168.1.60 YES NVRAM up up FastEthernet0/1 unassigned YES NVRAM administratively down down FastEthernet1/0 unassigned YES unset up up ! FastEthernet1/15 unassigned YES unset up up Vlan10 192.168.10.254 YES manual up down Vlan15 192.168.15.254 YES manual up up
No idea why the vlan 10 interface won't come up...