12-27-2012 11:32 AM - edited 03-07-2019 10:48 AM
Hello,
After some theory in NETACAD I decided to do some hands-on with some (small) real stuff.
In case some other newbies are looking for a fully working router-on-a-stick with DHCP and INTERNET and VLANS.
The configuration is as follows:
On the router I have some unconfigured ports (4,5,6,7,8) (vlan 1); on this port I connect directly the WAN (INTERNET) from my provider.
The G0/1 port I use as TRUNK to the ROUTER.
The idea is to make 3 VLANS: VLAN 10, 20, 30, respectively 192.168.10.0, 192.168.20.0 and 192.168.30.0.
To increase the difficulty a little bit I have changed the native vlan to vlan 99.
To be able to configure the switch from the router or the router from the switch, I have given the Router an IP Address: 192.168.99.1 /24 and the Switch an IP Address: 192.168.99.250 /24.
On the Router side the Trunk comes in at Interface 4.
As I said earlier, this configuration works using the NATIVE VLAN 99; my question is:
Why does it still work when I shut down Interface 4.99?
Is the VLAN setup and configuration between a ROUTER and a SWITCH ONLY on LAYER 2?
Sorry for this newbie question, I have just started my CCNA education in September.
Another small question:
How can I use Interfaces 1, 2, 3 on the router?
I would like to have, respectively, on the router side:
Interface 1 = VLAN 10
Interface 2 = VLAN 20
Interface 3 = VLAN 30
SWITCH 2940:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
!
username admin privilege 15 secret 5 $1$ia2K$RGqJU.ktvf5GS3nr1VyqK0
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 30
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/5
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
spanning-tree portfast
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan99
ip address 192.168.99.250 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
speed 115200
line vty 0 4
privilege level 15
password 7 030752180500
login local
transport input telnet
line vty 5 15
password 7 14141B180F0B
login
!
ntp clock-period 17179814
ntp server 192.168.99.1
!
end
ROUTER CISCO 881
!
! Last configuration change at 18:51:00 UTC Wed Dec 26 2012
! NVRAM config last updated at 18:51:11 UTC Wed Dec 26 2012
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password 7 121A0C041104
!
no aaa new-model
!
!
!
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool VLAN_10
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
ip dhcp pool VLAN_20
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
ip dhcp pool VLAN_30
import all
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1435C02C
!
!
vtp version 2
!
!
!
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
switchport access vlan 10
!
!
interface FastEthernet2
switchport access vlan 20
!
!
interface FastEthernet3
switchport access vlan 30
!
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
!
interface FastEthernet4.1
encapsulation dot1Q 1
ip address dhcp
ip nat outside
ip virtual-reassembly
!
interface FastEthernet4.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet4.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet4.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet4.99
encapsulation dot1Q 99 native
ip address 192.168.99.1 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 150 interface FastEthernet4.1 overload
!
access-list 150 permit ip any any
!
!
!
!
!
control-plane
!
!
!
line con 0
no modem enable
speed 115200
line aux 0
privilege level 15
line vty 0 4
privilege level 15
login
!
scheduler max-task-time 5000
ntp server 66.27.60.10
end
Best Regards,
Didier
12-27-2012 12:05 PM
Hi,
When you shut down f4.99 your configuration will work; however, you won't be able to manage your switch through the CLI.
The 2940 is an L2-only switch. L3 is your router. An L2 switch just looks up the MAC address in the CAM table, then forwards the frame to the port. There is a separate CAM table for each VLAN. If a frame comes to the switch with VLAN tag 10, it looks in the CAM table for VLAN 10, finds the MAC, then forwards the frame to that port.
The other ports on the router you can use just like the switch's access ports.
I'd recommend you change your ACL 150 to be like this:
no access-list 150 permit ip any any
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.30.0 0.0.0.255
! the NAT statement must reference the new list as well
no ip nat inside source list 150 interface FastEthernet4.1 overload
ip nat inside source list 10 interface FastEthernet4.1 overload
Does this configuration work? Are you able to access the Internet?
If it doesn't, try to add this route:
ip route 0.0.0.0 0.0.0.0 interface f4.1
Hope it will help.
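To see why shutting Fa4.99 does not break forwarding for VLANs 10, 20 and 30, it helps to model what the 2940 actually does with a frame. The Python below is an added example, not code from this thread or from Cisco: it builds Ethernet frames with and without an 802.1Q tag, parses them, and runs them through a toy switch that keeps one CAM table per VLAN. An untagged frame arriving on the trunk is placed in the native VLAN (99 here), which is exactly what the posted `switchport trunk native vlan 99` and `encapsulation dot1Q 99 native` agree on; tagged frames for VLAN 10 are looked up only in the VLAN 10 table, so the router's VLAN 99 subinterface being up or down has no effect on them. Port names follow the thread's switch; the MAC addresses are made up.

```python
"""Toy model of per-VLAN MAC learning on an L2 switch such as the 2940.

Added example for this thread, not vendor code. Frames are constructed in
build_frame(); the MAC addresses used in demo() are made up.
"""
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vlan: Optional[int], payload: bytes = b"") -> bytes:
    """Ethernet II header; if vlan is given, insert a 4-byte 802.1Q tag (PCP 0, DEI 0)."""
    if vlan is None:
        return dst + src + struct.pack("!H", ETH_IPV4) + payload
    return dst + src + struct.pack("!HHH", TPID_8021Q, vlan & 0x0FFF, ETH_IPV4) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int]]:
    """Return (dst, src, vlan_id); vlan_id is None when the frame is untagged."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF
    return dst, src, None


class Switch:
    """Access ports belong to one VLAN; trunks carry tags plus a native VLAN."""

    def __init__(self, access: Dict[str, int], trunks: Dict[str, int]) -> None:
        self.access = access                          # port -> access VLAN
        self.trunks = trunks                          # port -> native VLAN
        self.cam: Dict[int, Dict[bytes, str]] = {}    # VLAN -> {mac: port}

    def vlan_of(self, port: str, tag: Optional[int]) -> int:
        if port in self.trunks:
            # an untagged frame on a trunk is assigned to the native VLAN
            return self.trunks[port] if tag is None else tag
        # access ports ignore tags; the frame belongs to the configured VLAN
        return self.access[port]

    def egress_tag(self, port: str, vlan: int) -> Optional[int]:
        """Tag a frame carries when it leaves port: none on access ports or native VLAN."""
        if port in self.trunks and self.trunks[port] != vlan:
            return vlan
        return None

    def members(self, vlan: int) -> List[str]:
        return [p for p, v in self.access.items() if v == vlan] + list(self.trunks)

    def receive(self, port: str, frame: bytes) -> List[str]:
        """Learn the source MAC in this VLAN's table; return the egress port list."""
        dst, src, tag = parse_frame(frame)
        vlan = self.vlan_of(port, tag)
        table = self.cam.setdefault(vlan, {})
        table[src] = port
        if dst in table and table[dst] != port:
            return [table[dst]]                                  # known unicast
        return [p for p in self.members(vlan) if p != port]      # flood, this VLAN only


def demo() -> dict:
    """Replay the thread's topology: three access ports plus a trunk with native VLAN 99."""
    sw = Switch(access={"Fa0/1": 10, "Fa0/2": 20, "Fa0/3": 30}, trunks={"Gi0/1": 99})
    host = bytes.fromhex("0200000000aa")     # made-up PC MAC on Fa0/1 (VLAN 10)
    router = bytes.fromhex("0200000000bb")   # made-up router MAC behind the trunk
    out = {}
    # 1. PC in VLAN 10 sends to the router: unknown destination, flooded within VLAN 10 only
    out["host_to_router"] = sw.receive("Fa0/1", build_frame(router, host, None))
    # 2. router answers on the trunk with tag 10: the VLAN 10 table already knows the PC
    out["router_to_host"] = sw.receive("Gi0/1", build_frame(host, router, 10))
    # 3. an untagged frame from the router on the trunk lands in native VLAN 99
    out["untagged_vlan"] = sw.vlan_of("Gi0/1", None)
    # 4. a VLAN 20 tag on the trunk never reaches the VLAN 10 PC, even with its MAC as dst
    out["tag20_to_host"] = sw.receive("Gi0/1", build_frame(host, router, 20))
    # 5. what the switch puts on the wire towards the router for VLAN 10 and for VLAN 99
    out["tag_on_trunk"] = sw.egress_tag("Gi0/1", 10)
    out["native_on_trunk"] = sw.egress_tag("Gi0/1", 99)
    out["cam"] = {v: {m.hex(): p for m, p in t.items()} for v, t in sw.cam.items()}
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Step 3 is the whole answer to the question: VLAN 99 only ever sees untagged frames on the trunk, and the router's Fa4.99 is the only thing sourcing or terminating them, so shutting it down removes the management path between router and switch and nothing else. Step 5 shows the other side of the same rule: the switch strips the tag for VLAN 99 on Gi0/1, which is why the router side must be configured `encapsulation dot1Q 99 native` rather than a plain tag.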
12-27-2012 11:00 PM
Hi,
Thank you for your prompt reply. You are completely right; yes, the 2940 is LAYER 2 only and I just need to give it an IP address to manage it.
I will try the above ACL and keep you informed whether or not I need the quad-zero ip route.
Regarding security, will this be increased if I leave F4.99 SHUT?
Best Regards,
Didier
12-27-2012 11:10 PM
Hi,
you should not use a static route pointing to a multipoint interface; it will only work if the other side has proxy ARP enabled (which is a security hole), and even in this case you'll have to ARP for every destination you want to reach, so your ARP cache will grow, your CPU load will increase and link utilization will increase.
Regards.
Alain
Don't forget to rate helpful posts.
12-27-2012 11:13 PM
Hi,
About security, you could configure SSH and an access-class to protect the management plane of the switch.
Example: you want to give one particular IP address access to manage the switch and no one else:
access-list 23 permit host 192.168.10.10
! the access-class is applied under the vty lines
line vty 0 15
access-class 23 in
http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.html#wp1017389
Or SSH:
Because anyone (if they know how to do it) can sniff your telnet traffic between the switch and your PC.
These are all best practices, actually.
Hope it will help.
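The two recommendations above (an inbound access-class that names specific hosts, and SSH instead of telnet) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Cisco: it parses a running-config excerpt into its global lines and its `line vty` blocks and flags vty lines that have no access-class, whose access-class points at an ACL that permits any source, that still accept telnet, or that rely on a type 7 line password (which is reversible, unlike the `secret` hash used for the `admin` user). `SAMPLE_CONFIG` and `HARDENED_CONFIG` are constructed excerpts modelled on the router and switch configs posted in this thread; the parser also recognises line-mode commands by name, so it copes with configs whose indentation was lost when they were pasted into the forum.

```python
"""Audit the vty/management plane of an IOS-style running-config.

Added example, not code from the thread. The checks encode the advice in
the post above (restrict vty with an access-class naming specific hosts,
prefer SSH to telnet). SAMPLE_CONFIG and HARDENED_CONFIG are constructed
excerpts modelled on the configs posted in this thread.
"""
import re
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
access-list 23 permit any
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 045802150C2E
 transport input all
line vty 5 15
 password 7 14141B180F0B
 login
"""

# The same lines with the advice applied (also constructed for this example).
HARDENED_CONFIG = """\
ip http server
ip http secure-server
access-list 23 permit host 192.168.10.10
line vty 0 4
 access-class 23 in
 login local
 transport input ssh
"""

# Commands that only occur inside a 'line ...' block; lets the parser cope
# with configs whose indentation was lost when pasted into a forum.
LINE_MODE_CMDS = {"access-class", "privilege", "password", "login",
                  "transport", "exec-timeout"}


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Return {'global': [...], 'line vty 0 4': [...], ...}."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if text.startswith("line "):
            current = text
            sections[current] = []
            continue
        first = text.split()[0]
        if current != "global" and (raw.startswith(" ") or first in LINE_MODE_CMDS):
            sections[current].append(text)
        else:
            current = "global"
            sections["global"].append(text)
    return sections


def acl_permits_any(global_lines: List[str], acl_id: str) -> bool:
    """True if numbered standard ACL acl_id contains a permit-any entry."""
    pat = re.compile(rf"^access-list {re.escape(acl_id)} permit "
                     r"(any|0\.0\.0\.0 255\.255\.255\.255)$")
    return any(pat.match(line) for line in global_lines)


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    sections = parse_sections(config)
    g = sections["global"]
    if "ip http server" in g and "no ip http secure-server" in g:
        findings.append("global: cleartext HTTP management on, HTTPS off")
    for name, body in sections.items():
        if not name.startswith("line vty"):
            continue
        acl: Optional[str] = next((l.split()[1] for l in body
                                   if l.startswith("access-class ") and l.endswith(" in")), None)
        if acl is None:
            findings.append(f"{name}: no inbound access-class, any source may reach the vty")
        elif acl_permits_any(g, acl):
            findings.append(f"{name}: access-class {acl} permits any, so it restricts nothing")
        transport = next((l.split()[2:] for l in body if l.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{name}: no explicit transport input; set 'transport input ssh'")
        elif "all" in transport or "telnet" in transport:
            findings.append(f"{name}: transport input {' '.join(transport)} allows cleartext telnet")
        if any(l.startswith("password 7 ") for l in body):
            findings.append(f"{name}: type 7 line password is reversible, use a 'secret' user with login local")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("hardened:", audit(HARDENED_CONFIG) or "clean")
```

Run against the January update of the router config later in this thread, the access-class check fires: that config pairs `access-class 23 in` with `access-list 23 permit any`, so the access-class restricts nothing, and `transport input all` still admits telnet alongside SSH. The switch config keeps `transport input telnet` on its vty lines, so the same script flags it as well.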
12-28-2012 02:30 PM
Hi Abzal and Alain,
I have just changed the ACLs and it works; the reason for using ip any any was just to test.
Regarding the quad zero: if I add this line, I do not have INTERNET any longer; this is maybe what Alain was referring to.
At this moment we are only in the SWITCH part of the CCNA class; the ROUTING part will be around the end of February. I can see that I still have a long way to go, but I like it and I have to admit that I learned a lot by doing the real thing with real stuff.
Thank You and have a Happy New Year
01-05-2013 04:02 AM
Updated configuration with IPsec VPN:
ROUTER:
C881:
C881#sh run
Building configuration...
Current configuration : 3848 bytes
!
! Last configuration change at 11:53:38 UTC Sat Jan 5 2013 by admin
! NVRAM config last updated at 11:53:04 UTC Tue Jan 1 2013 by cisco
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C881
!
boot-start-marker
boot-end-marker
!
enable password 7 121A0C041104
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool VLAN_10
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
ip dhcp pool VLAN_20
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
ip dhcp pool VLAN_30
import all
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
!
!
ip cef
ip domain name dri.be
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1435C02C
!
!
vtp version 2
username admin privilege 15 secret 5 $1$bY3n$vE9ov9XmuPKzKnQIHVbFJ1
username cisco password 7 060506324F41
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh rsa keypair-name sshkeys
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key cisco123
dns 192.168.10.1
domain cisco.com
pool ippool
acl 150
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
switchport access vlan 10
!
!
interface FastEthernet2
switchport access vlan 20
!
!
interface FastEthernet3
switchport access vlan 30
!
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
!
interface FastEthernet4.1
encapsulation dot1Q 1
ip address dhcp
ip nat outside
ip virtual-reassembly
crypto map clientmap
!
interface FastEthernet4.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet4.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet4.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet4.99
encapsulation dot1Q 99 native
ip address 192.168.99.1 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
!
ip local pool ippool 172.16.1.1 172.16.1.100
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 170 interface FastEthernet4.1 overload
!
access-list 23 permit any
access-list 150 remark PERMIT VPN USER TO CONNECT TO NETWORK 192.168.10.0
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 150 permit ip 192.168.20.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 150 permit ip 192.168.30.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 170 remark INTERNET ACCESS FOR NETWORK 192.168.10.0
access-list 170 remark DENY BEFORE PERMIT !!!
access-list 170 deny ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 170 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
!
tftp-server server
!
control-plane
!
!
!
line con 0
no modem enable
speed 115200
line aux 0
privilege level 15
line vty 0 4
access-class 23 in
privilege level 15
password 7 045802150C2E
transport input all
!
scheduler max-task-time 5000
ntp update-calendar
ntp server europe.pool.ntp.org
end
C881#
SWITCH 2940:
Switch#sh run
Building configuration...
Current configuration : 1574 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
!
username admin privilege 15 secret 5 $1$ia2K$RGqJU.ktvf5GS3nr1VyqK0
ip subnet-zero
!
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no spanning-tree vlan 1,10,20,30,40,99
!
!
!
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 30
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/5
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
spanning-tree portfast
!
interface FastEthernet0/8
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
spanning-tree portfast
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan99
ip address 192.168.99.250 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
privilege level 15
password 7 01100F175804
speed 115200
line vty 0 4
privilege level 15
password 7 030752180500
login local
transport input telnet
line vty 5 15
password 7 14141B180F0B
login
!
ntp authenticate
ntp clock-period 17180100
ntp server 192.168.99.1
!
end
Switch#
Best Regards,
Didier