Network LAN Setup Help

robert prentice
Level 1

I have a Cisco 891 router and 3 unmanaged switches that I would like to use to segment my small office network into 3 VLAN groups to help reduce the current bottleneck we are having in our network. From everything I read I should be able to set up 3 VLANs on the router, pick 3 out of the 8 ports on the router to be switchports for each of the 3 VLANs, and each of the 3 switches would connect to those.

My question is, when I set up the VLAN I cannot access the internet, though the initial VLAN 1 which currently has all our office computers sharing 1 switch and 1 VLAN works fine, any ideas? Is segmenting our network via 3 switches and 3 VLANs going to help with overall bandwidth?

My last question is, what are the proper steps to set up each VLAN on the router so I can access the internet with them and achieve the increased bandwidth through segmenting each office group?

I am new to Cisco routers, so any help you can give me would be great.



Jon Marshall
Hall of Fame

r-prentice wrote:

I have a Cisco 891 router and 3 unmanaged switches that I would like to use to segment my small office network into 3 VLAN groups to help reduce the current bottleneck we are having in our network. From everything I read I should be able to set up 3 VLANs on the router, pick 3 out of the 8 ports on the router to be switchports for each of the 3 VLANs, and each of the 3 switches would connect to those.

My question is, when I set up the VLAN I cannot access the internet, though the initial VLAN 1 which currently has all our office computers sharing 1 switch and 1 VLAN works fine, any ideas? Is segmenting our network via 3 switches and 3 VLANs going to help with overall bandwidth?

My last question is, what are the proper steps to set up each VLAN on the router so I can access the internet with them and achieve the increased bandwidth through segmenting each office group?

I am new to cisco routers, so any help you can give me would be great.

Robert

Firstly, using vlans will not help increase bandwidth to the internet or bandwidth through the actual router. It may well cut down on broadcasts within your LAN, which may help within your LAN, but it will not have a huge effect on your router.

It really depends on where the bottleneck is, but if it is the actual internet connection and the amount of traffic going THROUGH the router, using vlans won't really help much.

However, I'm not trying to dissuade you from trying it out.

Can you post the current config of your router (removing any public IPs) with the vlan 1 config and we'll see why that isn't working. Can you also post the current IOS/feature set on your router. If you're not sure, just do this on the router -

router# sh version

and post the result.

Jon

Thanks for your help. I think I've helped myself on the bandwidth end by splitting up my office onto 3 switches, but still using 1 VLAN. Before, we had 16 people using 1 100Mbps link to the router which was at times getting maxed. Now I have it split across 3. But for security reasons with accounting and such I still want to set up 3 vlans. Here is the version information on the router:

Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 12.4(22)YB, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 27-Jan-09 02:48 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB3, RELEASE SOFTWARE (fc1)

yourname uptime is 3 days, 5 hours, 24 minutes
System returned to ROM by reload at 10:18:03 PCTime Fri Oct 8 2010
System image file is "flash:c890-universalk9-mz.124-22.YB.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 891 (MPC8300) processor (revision 1.0) with 498688K/25600K bytes of memory.
Processor board ID FTX134680PV

9 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Serial interface
1 terminal line
256K bytes of non-volatile configuration memory.
250880K bytes of ATA CompactFlash (Read/Write)

License Information for 'c890'
    License Level: advipservices   Type: Permanent
    Next reboot license Level: advipservices


Configuration register is 0x2102

Current configuration : 12609 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 ***********************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2084037767
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2084037767
revocation-check none
rsakeypair TP-self-signed-2084037767
!
!
crypto pki certificate chain TP-self-signed-2084037767
certificate self-signed 01
************************************************
        quit
no ip source-route
!
!
!
ip dhcp pool data-vlan-10
   import all
   network 10.10.10.0 255.255.255.0
   dns-server *****************(OUTSIDE IP)
   default-router 10.10.10.1
!
!
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server *****************(OUTSIDE IP)
ip name-server *****************(OUTSIDE IP)
ip port-map user-protocol--1 port tcp 3389
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!

!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Everyone
key *********
!
crypto isakmp client configuration group user
key **********
pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ctcp port 10000
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2

!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 103
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map match-any CCP-Transactional-1
match  dscp af21
match  dscp af22
match  dscp af23
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map match-any CCP-Voice-1
match  dscp ef
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any CCP-Routing-1
match  dscp cs6
class-map match-any CCP-Signaling-1
match  dscp cs3
match  dscp af31
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map match-any CCP-Management-1
match  dscp cs2
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
    priority percent 33
class CCP-Signaling-1
    bandwidth percent 5
class CCP-Routing-1
    bandwidth percent 5
class CCP-Management-1
    bandwidth percent 5
class CCP-Transactional-1
    bandwidth percent 5
class class-default
    fair-queue
     random-detect
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
  inspect
class class-default
  drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_WEBVPN_TRAFFIC
  inspect
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface Loopback0
description Do not delete - SDM WebVPN generated interface
ip address 192.168.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address *****************(OUTSIDE IP) 255.255.255.248
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex full
speed 100
snmp trap ip verify drop-rate
service-policy output CCP-QoS-Policy-1
!
interface GigabitEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip local pool SDM_POOL_1 10.10.10.50 10.10.10.60
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 *****************(OUTSIDE IP) 2
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 6000
!
ip nat inside source list 100 interface FastEthernet8 overload
ip nat inside source static tcp 10.10.10.71 3389 interface FastEthernet8 3389
ip nat inside source static tcp 192.168.1.1 443 *****************(OUTSIDE IP) 4443 extendable
!
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
!
logging trap debugging
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip *****************(OUTSIDE IP) 0.0.0.7 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.10.10.71
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip any host *****************(OUTSIDE IP)

no cdp run

!
!
!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway gateway_1
ip address 72.242.1.187 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2084037767
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context VPN
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
   functions svc-enabled
   svc address-pool "SDM_POOL_1"
   svc keep-client-installed
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_3
gateway gateway_1 domain pwvpn
inservice
!
end

So that's the config right now. I have not added the vlans yet, because when I did it shut down all our network, so I went back to our working config. So if you can tell me what steps I need to set up the vlans that would be great. I need to start another thread about VPNs, because I can't get our VPN working either, but that's another story.

robert prentice
Level 1

Any ideas based on what I posted?

Robert

Apologies, I missed your reply.

So the vlan 1 clients, can they -

1) ping their vlan 1 interface IP on the router

2) ping the fa0/8 interface IP address

It looks like you are using ZBFW (Zone Based Firewalling), which I have never used, so I need to have a read up on that, hopefully today, but first can you confirm the above tests.

Jon

Yes, vlan1 can ping 10.10.10.1 and ***.***.**.*** for the gateway address on fe8.

From a vlan 1 device, can you ping the default gateway of the router, ie.

ip route 0.0.0.0 0.0.0.0 *****************(OUTSIDE IP) 2

If you can, try pinging this address and let me know - 64.102.255.44

Jon

Yes, I can ping that address too from a computer on the vlan 1 interface.

Robert

If you can ping the IP address then it looks like routing etc. is working. If however you cannot access web sites etc. then I suspect either -

1) you are blocking http access

2) more likely it is a DNS issue

On a client on vlan 1, can you check the DNS settings to see if it has a DNS server it can resolve names with. You could also try this from a command prompt (assuming Windows OS) -

nslookup www.cisco.com

and see if you get a response.

Jon

I think you misunderstood my issue, the router was configured with vlan1 by Cisco when I first bought it. Vlan1 works perfect. The issue I am having is when I try to add a new Vlan 2 and 3 so I can segment accounting and IT for security reasons, those new vlans cannot connect to the internet, because I am probably not setting up something properly. What I am looking for is, can you give me a brief step by step on what I need to make sure is set up to make a new vlan able to get to the internet?

Also, how will having 3 Vlans work with DHCP and gateways, do I need to make the IPs static on each computer or how do I tell it to get a DHCP IP from Vlan 2 versus Vlan 1? Should I force the FE ports on the router away from switchport access vlan1 to vlan2 or 3 for the other switches once we set up the new vlans?

r-prentice wrote:

I think you misunderstood my issue, the router was configured with vlan1 by Cisco when I first bought it. Vlan1 works perfect. The issue I am having is when I try to add a new Vlan 2 and 3 so I can segment accounting and IT for security reasons, those new vlans cannot connect to the internet, because I am probably not setting up something properly. What I am looking for is, can you give me a brief step by step on what I need to make sure is set up to make a new vlan able to get to the internet?

Also, how will having 3 Vlans work with DHCP and gateways, do I need to make the IPs static on each computer or how do I tell it to get a DHCP IP from Vlan 2 versus Vlan 1? Should I force the FE ports on the router away from switchport access vlan1 to vlan2 or 3 for the other switches once we set up the new vlans?

Robert

Sincere apologies, I am not representing the Cisco forums very well here !! You are right, I completely misunderstood.

So to add a vlan to the router -

1) to add the actual vlan at L2 it is one of these 2 (I haven't used 891s for a while, so if one doesn't work use the other one)

router(config)# vlan 10

or

router# vlan database

router(vlan-dat)# vlan 10

2) create a L3 interface for the vlan eg.

router(config)# int vlan 10

router(config-if)# ip address 192.168.5.1 255.255.255.0

router(config-if)# ip nat inside

router(config-if)# no shut

Note: you may want to add additional config here to emulate your vlan 1 interface, up to you.

3) then allocate one or more of the 8 switchports on the 891 into that router eg -

int fa1

switchport mode access

switchport access vlan 10

4) finally update your access-list for NAT -

access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any

As for DHCP just create another pool, the router will know which addresses to hand out based on what interface the DHCP request arrives on.

Try this out and let me know how you get on.

Jon

Awesome, that works! I realized with your steps what I missed before. I had the nat access for the new ip range I made, 10.10.20.0, but never put in 10.10.10.0 so I would have access to the vlan1 group, and once I added the firewall statement to the interface config it worked. Thanks so much for your help.

I do have one other question, if I wanted the vlan1 to access a single computer on the new vlan 10 (a server for internal use), what command do I put into the router to allow that?
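Robert's fix above came down to two items the new SVI lacked relative to the working Vlan1: a permit in the NAT access-list for its subnet and the zone-member statement that puts it in the firewall's in-zone. Below is an added example, not code from this thread or from Cisco: a small Python script that parses an IOS running-config and reports, for each VLAN interface other than the reference SVI (Vlan1), whether it has 'ip nat inside', a NAT ACL permit covering its subnet, the same zone-member as the reference, and a DHCP pool for its network. The two configs embedded in it are constructed from values posted in this thread (the pool name vlan10-clients and the line indentation are assumptions); the first mirrors the failing attempt, the second has Jon's additions applied.

```python
"""Audit newly added VLAN SVIs on a NAT + zone-based-firewall router for the
items the working reference SVI (Vlan1) has: 'ip nat inside', a NAT ACL permit
covering the subnet, the same zone-member and a DHCP pool. Added example for
this forum thread, not a Cisco tool; the configs below are constructed."""
import ipaddress

# Constructed: Vlan1 as shipped, plus Vlan10 added the way it first failed.
SAMPLE_CONFIG = """\
ip dhcp pool data-vlan-10
   network 10.10.10.0 255.255.255.0
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
!
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 100 interface FastEthernet8 overload
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
"""

# Constructed: the fixes from the thread appended (pool name is assumed);
# re-entering 'interface Vlan10' adds to the existing block, as in IOS.
FIXED_CONFIG = SAMPLE_CONFIG + """\
ip dhcp pool vlan10-clients
   network 192.168.5.0 255.255.255.0
!
interface Vlan10
 zone-member security in-zone
!
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
"""

def acl_source(tokens):
    """Source network of 'permit ip <src> <dst>' (any / host X / addr wildcard)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32")
    mask = (~int(ipaddress.IPv4Address(tokens[1]))) & 0xFFFFFFFF  # wildcard -> netmask
    return ipaddress.IPv4Network((tokens[0], str(ipaddress.IPv4Address(mask))), strict=False)

def parse_config(config):
    """Return SVIs, DHCP pool networks, ACL source networks and the NAT ACL id."""
    svis, pools, acls, nat_acl, current = {}, [], {}, None, None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or line.startswith("!"):
            current = None
            continue
        if not line[0].isspace():  # top-level command: open a block or record a fact
            current = None
            if tokens[0] == "interface" and len(tokens) > 1 and tokens[1].startswith("Vlan"):
                svis.setdefault(tokens[1], {"network": None, "nat_inside": False, "zone": None})
                current = ("svi", tokens[1])
            elif tokens[:3] == ["ip", "dhcp", "pool"]:
                current = ("pool", tokens[3])
            elif tokens[:5] == ["ip", "nat", "inside", "source", "list"]:
                nat_acl = tokens[5]
            elif tokens[0] == "access-list" and tokens[2:4] == ["permit", "ip"]:
                acls.setdefault(tokens[1], []).append(acl_source(tokens[4:]))
        elif current and current[0] == "svi":  # indented line inside an SVI block
            svi = svis[current[1]]
            if tokens[:2] == ["ip", "address"] and len(tokens) == 4:
                svi["network"] = ipaddress.IPv4Network((tokens[2], tokens[3]), strict=False)
            elif tokens == ["ip", "nat", "inside"]:
                svi["nat_inside"] = True
            elif tokens[:2] == ["zone-member", "security"] and len(tokens) == 3:
                svi["zone"] = tokens[2]
        elif current and current[0] == "pool" and tokens[0] == "network" and len(tokens) == 3:
            pools.append(ipaddress.IPv4Network((tokens[1], tokens[2]), strict=False))
    return svis, pools, acls, nat_acl

def audit(config, reference="Vlan1"):
    """Map every SVI other than the reference to the list of items it is missing."""
    svis, pools, acls, nat_acl = parse_config(config)
    ref_zone = svis.get(reference, {}).get("zone")
    nat_sources = acls.get(nat_acl, [])
    findings = {}
    for name, svi in svis.items():
        if name == reference:
            continue
        net = svi["network"]
        if net is None:
            findings[name] = ["no ip address configured"]
            continue
        problems = []
        if not svi["nat_inside"]:
            problems.append("missing 'ip nat inside'")
        if nat_acl is None:
            problems.append("no 'ip nat inside source list' configured")
        elif not any(net.subnet_of(src) for src in nat_sources):
            problems.append(f"NAT ACL {nat_acl} has no permit covering {net}")
        if ref_zone and svi["zone"] != ref_zone:
            problems.append(f"missing 'zone-member security {ref_zone}'")
        if net not in pools:
            problems.append(f"no DHCP pool with network {net}")
        findings[name] = problems
    return findings
```

Running audit(SAMPLE_CONFIG) flags Vlan10 for the missing NAT permit, the missing zone-member and the missing pool; audit(FIXED_CONFIG) returns an empty list for Vlan10. Comparing against the SVI that already works, rather than against a fixed checklist, keeps the audit honest about whatever else the router's own Vlan1 carries (the ccp-generated config on this box also sets ip virtual-reassembly and ip tcp adjust-mss, which the script deliberately does not judge).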

r-prentice wrote:

I do have one other question, if I wanted the vlan1 to access a single computer on the new vlan 10 (a server for internal use), what command do I put into the router to allow that?


Robert

vlan 1 and vlan 10 are directly connected interfaces, so clients within those vlans should be able to communicate with each other without having to do anything.

Are you saying they can't or are you asking how to limit the traffic between the vlans ?

Jon

Correct, they used to access it using the computer's name "robertspc" and now that URL won't work.

Any thoughts?
