04-28-2013 09:58 AM - edited 03-07-2019 01:04 PM
See topology attached.
Hey guys, I recently got an offer to help a friend set up their network. They have a locked Cisco router which is from the ISP, and it's configured on a fa 0/0 interface to share Internet access on the network. The IP on that interface is 195.198.11.217 255.255.255.252, and I tried it with a PC (set my personal IP to .218 and entered their DNS info (195.67.199.27)) and it is working. The question is now: my friend found a 3550 lying around, and since the ISP won't let them configure their router, he wants to use the 3550 to create 2 VLANs with Internet access and without access to each other.
VLAN 10 for the desktops and VLAN 20 for the wireless (moving on to some Netgear wireless switches). How would you configure the 3550 for this to work? I haven't been into this stuff for years, so I'm really uncertain which would be the best approach.
Thanks to anyone who is willing to use their time to assist me!
05-29-2013 01:03 PM
Hi Sebastian,
You are correct that only fa4 is a layer 3 interface (WAN) and the others are only layer 2. I should have made things clearer, as I used an 1841 in Packet Tracer to simulate what you are trying to do and never changed the config to match your setup.
1. On the 881 you can create 2 SVIs for VLAN 10 & 20; these are not subinterfaces like on a router but Switched Virtual Interfaces (the same as you would configure on a layer 3 switch like the 3550; they are layer 3 virtual interfaces).
Commands for this on the 881 are as follows:
#conf t
#interface vlan 10
#ip address 192.168.10.1 255.255.255.0 (or whatever subnet range you are going to use)
#ip nat inside (tells the router that this is an inside interface)
#no shut
#exit
#interface vlan 20
#ip address 192.168.20.1 255.255.255.0 (or whatever subnet range you are going to use)
#ip nat inside (tells the router that this is an inside interface)
#no shut
2. You will now need to create the layer 2 vlans on the 881 and enable this as the VTP server and give it a domain-name so that it will replicate the vlans to the 3550 which we will configure later as a vtp client.
#conf t
#vtp mode server
#vtp domain cisco
#end
#vlan database
#vlan 10 name PC's (or whatever you want to call the VLAN)
#Vlan 20 name WIRELESS (or whatever you want to call the VLAN)
#exit
3. Now we need to configure a trunk from the 881 to the 3550. In this example I will use fa0, but you can choose any interface from fa0-3, whichever you like.
#conf t
#interface fa0
#switchport mode trunk
#end
4. On the 3550, whichever port you connect from the 881 to the 3550 will need to be configured as a trunk, and then we will configure the 3550 as a VTP client so it should receive the VLANs that we created on the 881.
#conf t
#vtp mode client
#vtp domain cisco
#exit
#interface fa0/24 (this will be the port you are connecting from the 881 to the 3550 switch and can be whichever port you like)
#switchport trunk encapsulation dot1q
#switchport mode trunk
#end
You can now assign the ports you require onto either VLAN 10 or VLAN 20 by using the following commands:
#conf t
#interface fa0/1 (the port you want to put into the VLAN)
#switchport mode access (turns port into an access port)
#switchport access vlan 10 (assigns port to vlan 10)
#end
5. We now need to concentrate back on the 881 and configure fa4 (WAN) interface ip address and also sort out the dhcp pools for the 2 LAN Subnets.
#conf t
#interface fa4
#ip address 195.198.11.218 255.255.255.252 (configures ip address for the interface)
#ip nat outside (tells router that this is an outside interface)
#exit
#ip dhcp pool PC_VLAN (creates a dhcp pool called PC_VLAN; you can name it what you like)
#network 192.168.10.0 255.255.255.0 (defines the network for the pool)
#default-router 192.168.10.1 (designates 192.168.10.1 as the default gateway for PCs on the PC_VLAN)
#dns-server 195.67.199.27
#exit
#ip dhcp pool WIRELESS_VLAN
#network 192.168.20.0 255.255.255.0
#default-router 192.168.20.1
#dns-server 195.67.199.27
#exit
#ip dhcp excluded-address 192.168.10.1 (this excludes this ip address from being handed out, as we have already used it for the SVI int vlan 10)
#ip dhcp excluded-address 192.168.20.1
#end
6. Now let's sort out an access list to tell the router which addresses are allowed to be translated.
#conf t
#access-list 1 permit 192.168.10.0 0.0.0.255
#access-list 1 permit 192.168.20.0 0.0.0.255
#end
7. The final step now is to tie the access list together with NAT. We have already specified which are our inside and outside interfaces, so now it's just a case of one final command to tie it all together.
#conf t
#ip nat inside source list 1 interface fa4 overload (this tells the router to translate all the interfaces that have the ip nat Inside command ip address to that of the fa4 interface ip address)
#end
That's it, you should now be good to go.
I'm new to all this forum stuff but hopefully this has cleared things up a little for you (I'm not that good with words and explaining stuff sometimes).
If I have missed anything just let us know.
Good luck
Shaun
05-29-2013 02:15 PM
That's really nice of you to spend all this time to help out!
I think I got the hang of how it's meant to be set up now. Although I am not at the location at the moment, I have the router and switch in my apartment. Seeing as my personal Internet access in the apartment is already NATed by the ISP's router, I doubt I can test out the NAT functions at home? Or can I?
I tried plugging the FE4 WAN port into my ISP ADSL router. The router keeps glowing orange with that though, no matter if I try ip address dhcp or set a manual IP from the ISP's ADSL router's private network.
Any ideas on how to test this at home? Or do I have to carry all the stuff to the location to test? (I've got limited time at the location, so I can't go there when I want.)
Other than not being able to test the NAT, the other stuff seems to function well. I plugged a PC into FA 01 (switchport access vlan 10) and FA 02 (switchport access vlan 20) on the switch and they both got IPs from different VLANs as expected!
05-29-2013 02:33 PM
I think the problem you have at your apartment setup is that you are probably connecting the WAN fa4 port on the 881 to just a layer 2 switchport on your ADSL router, which won't work?
If the IP addresses you gave for your ISP are correct, you should have no problem at the location with the NAT.
05-29-2013 02:53 PM
I will make sure to try it asap and return with results! Thanks for the help so far! <3!
06-02-2013 05:58 AM
Ok, I have just been at the location and plugged everything in. And well, everything but the NAT seems to work fine. The IP addresses are given out right between the different VLANs etc. But I can't get out on the Internet for some reason.
Before I post the conf I have, let me add that I tried with "ip nat inside/outside" instead of "ip nat enable" on all interfaces with no change. Also, the ACLs (except #1 for the NAT) are not in use; I just have them there for future use when the network is actually working.
I also tried with a PC directly plugged into the ISP's router with a manual IP, and it is working fine to the Internet. So I know the ISP router is working for sure. But I don't get more info from it than the IP. I'll attach a pic of the real topology too.
Also tried with no ip source-route on and off.
Here is the conf. Router first then switch below.
ROUTER
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4287897570
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4287897570
revocation-check none
rsakeypair TP-self-signed-4287897570
!
!
crypto pki certificate chain TP-self-signed-4287897570
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323837 38393735 3730301E 170D3133 30353235 30383235
30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32383738
39373537 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BA0B 207010D1 26F3C26F 7B203E8E A800F587 4A517750 34D7FC43 34A91F9E
F16F2836 D4518239 616C0043 7193735D 27EB0298 E8D76390 E7E20CCC BE43E95A
31EC1207 671A416E 5813B363 478918FE C4FA04AA C7985513 54B6F376 9381E81B
E0FB9D4B 2C05572B 659C46B2 FB327FE8 D989F904 BB71A99A 083B77CB 45E5C31E
E4850203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1415B8C8 C5A9AF6C 64E9E056 C5B71021 09268D4A D3301D06
03551D0E 04160414 15B8C8C5 A9AF6C64 E9E056C5 B7102109 268D4AD3 300D0609
2A864886 F70D0101 05050003 81810033 D79551FE 0773CB50 CE0EE92C 29B4106E
D4F89943 C981D35A 53D471DD 5BC84406 911D9151 B2784803 18FBA741 056C160B
0B98F4B3 D3376926 0B1C6FFB 29E6B166 3CE92171 EC0A6A56 0347A709 FD8B2660
6B58B622 4BC35790 AD430904 5FBFCC0B D417F26E 14C0F115 ACD0C64A 8E36A0F2
DA4A1030 6671A5A4 B4839ADC 31C2C3
quit
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.100.1 192.168.100.10
!
ip dhcp pool kassasystem
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 195.67.199.27
!
ip dhcp pool wireless
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 195.67.199.27
!
ip dhcp pool kassasystem2
network 192.168.3.0 255.255.255.0
dns-server 195.67.199.27
default-router 192.168.3.1
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server 195.67.199.27
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1715C05X
!
!
!
spanning-tree vlan 1 priority 24576
spanning-tree vlan 2 priority 24576
spanning-tree vlan 3 priority 24576
spanning-tree vlan 10 priority 24576
spanning-tree vlan 20 priority 24576
username tobbe privilege 15 secret 4 YIiJkyf7ObBR5DjNyIpPjM.X/O4KqoshZHfyRIrPp6w
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description Link till telias router
ip address 195.198.11.218 255.255.255.252
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.100.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 115 deny icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny icmp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 115 permit icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip any any
access-list 115 permit icmp any any
access-list 116 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 116 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 116 deny icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 116 deny icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 116 permit ip any any
access-list 116 permit icmp any any
access-list 117 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 117 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 117 deny icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 117 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 117 permit ip any any
access-list 117 permit icmp any any
no cdp run
!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
password XXXX
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
end
interface vlan 10
no ip access-group 115 in
no ip access-group 115 out
exit
interface vlan 2
no ip access-group 116 in
no ip access-group 116 out
exit
interface vlan 3
no ip access-group 117 in
no ip access-group 117 out
exit
interface vlan 1
no ip nat enable
exit
SWITCH
Building configuration...
Current configuration : 4361 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switch
!
enable secret 5 $1$t2Pw$IDMXno5rgU.QU4ApgXnHu1
!
username tobbe privilege 15 secret 5 $1$SHA3$bQi8SztWrqzPd60pr7iTR0
no aaa new-model
ip subnet-zero
!
!
!
crypto pki trustpoint TP-self-signed-3167797376
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3167797376
revocation-check none
rsakeypair TP-self-signed-3167797376
!
!
crypto pki certificate chain TP-self-signed-3167797376
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33313637 37393733 3736301E 170D3933 30333031 30303031
30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31363737
39373337 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C365 2340802C DAD0FD2C E6C3A964 B8C17931 15D18B1A A4A027E0 D035F621
81017123 9256D49B A33EE9C9 EA9F30CE 29351E05 AAB92F9E 99043391 8AF85A6D
638732B3 A85D3928 36A4BE39 0CAA4740 51167E0F 70222BA6 FBF4C791 F22E3E09
A70C61AC 53686A85 785147CA AC1156AE F85EFF3B 6A51F441 69771A6C 6C98E0A6
E1510203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
551D1104 14301282 10737769 74636862 61726869 6D6D656C 2E301F06 03551D23
04183016 801466D0 195BE658 432F318E 1A20A381 EF5F42C0 BC5A301D 0603551D
0E041604 1466D019 5BE65843 2F318E1A 20A381EF 5F42C0BC 5A300D06 092A8648
86F70D01 01040500 03818100 2B19B085 8137CF13 90D0667D 70B078E0 AFD08C43
34F95665 2FE0E3A1 D455B821 207C4BA0 50CC9D51 D4799F6B E2EDDE4D 14BF7348
F0EA3FB5 AA2B4BB8 772D2FF5 613623B1 918F05BD E996E7E9 20F8CDCF 08548492
13C5B4B2 CDB1EAA5 C4DE7B85 971B4DAE BD4E8FEE 27F516A0 90F2276F 7251E52D
D05BF3DE 3EE91D4D 442814DD
quit
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/17
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3,10
switchport mode trunk
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
ip address 192.168.100.2 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
password cisco
login local
line vty 0 4
password cisco
login local
line vty 5 15
password cisco
login local
!
end
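As an added example (not code from the thread or from either poster), here is a small Python checker for the kind of config posted above. It parses numbered IOS access lists and evaluates them with IOS semantics (wildcard masks, first match wins, implicit deny at the end), so the VLAN-isolation ACLs can be tested against sample flows before they are applied to an SVI, and it flags the two things this thread tripped over: the classic "ip nat inside source" form with no interface marked "ip nat inside"/"ip nat outside" (the "ip nat enable" form belongs to NAT Virtual Interfaces and pairs with a different NAT statement), and a default route that names only an Ethernet interface instead of the ISP router's address. The config lines are copied from the router config above, trimmed to what the checks need; the sample flows are constructed.

```python
"""Added example, not code from the thread: a checker for the IOS config
excerpt discussed above.  It parses numbered ACLs, evaluates them with IOS
semantics (wildcard masks, first match wins, implicit deny) and flags the
NAT and default-route mistakes the thread ran into."""
import ipaddress
import re

# Constructed excerpt: lines copied from the router config posted in the
# thread (ACL 1, ACL 115, the NAT statement, the default route and the two
# interfaces that matter), trimmed to what the checks need.
CONFIG = """\
interface FastEthernet4
 ip address 195.198.11.218 255.255.255.252
 ip nat enable
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 115 permit ip any any
"""

ANY = (0, 0xFFFFFFFF)  # network 0 with an all-ones wildcard matches every address


def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D' or
    'A.B.C.D WILDCARD') and return ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))
    return (net, wild), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, proto, src, dst), ...]} in config order.
    Standard ACLs (1-99) match on source only, so proto is 'ip' and dst is ANY."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (.*)", line.strip())
        if not m:
            continue
        num, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if num < 100:
            proto, (src, _), dst = "ip", _parse_addr(rest), ANY
        else:
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            dst, rest = _parse_addr(rest)
        acls.setdefault(num, []).append((action, proto, src, dst))
    return acls


def _matches(spec, addr):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.ip_address(addr)) & care == net & care


def evaluate(acl, proto, src, dst):
    """First matching entry decides; IOS ends every ACL with an implicit deny."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and _matches(s, src) and _matches(d, dst):
            return action
    return "deny"


def nat_and_route_findings(config):
    """Findings for the two mistakes discussed in the thread."""
    findings = []
    if "ip nat inside source" in config:
        for side in ("inside", "outside"):
            if not re.search(rf"^\s+ip nat {side}\s*$", config, re.M):
                findings.append(f"'ip nat inside source' needs an interface marked 'ip nat {side}'")
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)\s*$", config, re.M)
    if m and not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", m.group(1)):
        findings.append(f"default route names only interface {m.group(1)}; "
                        "give it the ISP router's address as next hop")
    return findings


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    # Sample flows (constructed): VLAN-to-VLAN should be denied, Internet-bound permitted.
    for proto, src, dst in [("ip", "192.168.1.5", "192.168.2.5"),
                            ("tcp", "192.168.1.5", "8.8.8.8")]:
        print(f"ACL 115 {proto} {src} -> {dst}: {evaluate(acls[115], proto, src, dst)}")
    for finding in nat_and_route_findings(CONFIG):
        print("finding:", finding)
```

Run it as a script and it reports ACL 115 denying the 192.168.1.x to 192.168.2.x flow while permitting the Internet-bound one, plus three findings against the posted config; swap the two "ip nat enable" lines for "ip nat inside"/"ip nat outside" and give the default route the ISP router's address as next hop, and the findings list is empty.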
06-02-2013 01:50 PM
Hi Sebastian,
I have set up what you are trying to do in Packet Tracer and have the lab working fine. Can you confirm you are using a crossover cable for the connection between the 2 Cisco routers and not a straight-through cable? (This could be the culprit.) You also need to then add the ip nat inside & outside statements to the relevant interfaces as in the earlier config I posted.
Looks like you're nearly there.
06-03-2013 01:00 AM
I tried with many different cables, but I'm not 100% sure one of them was a crossover. The one included by the ISP should be though... But I'm bringing one I'm 100% sure of to try today.
Feels so weird...
06-04-2013 11:22 AM
Solved it!
It was the ip route to FA 4 which was wrong. It was supposed to say ip route 0.0.0.0 0.0.0.0 to the ISP router's interface. Worked like a charm after that.
06-04-2013 12:12 PM
Great stuff, it should work with the ip route 0.0.0.0 0.0.0.0 fa4 as it's saying to send all packets with an unknown destination out of that interface towards your ISP router?
Main thing is you have it all working now.