7940 Views, 0 Helpful, 23 Replies

Sharing internet access through a 3550 with 2 vlans. Help ><;

tobbelobbe
Level 1

See topology attached.

Hey guys, I recently got an offer to help a friend set up their network. They have a locked Cisco router which is from the ISP, and it's configured on a fa 0/0 interface to share Internet access on the network. The IP on that interface is 195.198.11.217 255.255.255.252, and I tried it with a PC (set my personal IP to .218 and entered their DNS info (195.67.199.27)) and it is working. The question is now: my friend found a 3550 lying around, and since the ISP won't let them configure their router he wants to use the 3550 to create 2 VLANs with Internet access and without access to each other.

VLAN 10 for the desktops and VLAN 20 for the wireless (moving on to some Netgear wireless switches). How would you configure the 3550 for this to work? I haven't been into this stuff for years, so I'm really uncertain which would be the best approach.

Thanks to anyone who is willing to use their time to assist me!


23 Replies

Hi Sebastian,

You are correct that only fa4 is a layer 3 interface (WAN) and the others are only layer 2. I should have made things clearer, as I used an 1841 in Packet Tracer to simulate what you are trying to do and never changed the config to match your setup.

1. On the 881 you can create 2 SVIs for VLAN 10 & 20. These are not subinterfaces like on a router but Switched Virtual Interfaces (the same as you would configure on a layer 3 switch like the 3550; they are layer 3 virtual interfaces).

Commands for this on the 881 are as follows:
#conf t
#interface vlan 10
#ip address 192.168.10.1 255.255.255.0 (or whatever subnet range you are going to use)
#ip nat inside (tells the router that this is an inside interface)
#no shut
#exit
#interface vlan 20
#ip address 192.168.20.1 255.255.255.0 (or whatever subnet range you are going to use)
#ip nat inside (tells the router that this is an inside interface)
#no shut
#end

2. You will now need to create the layer 2 VLANs on the 881, enable it as the VTP server and give it a domain name so that it will replicate the VLANs to the 3550, which we will configure later as a VTP client.
#conf t
#vtp mode server
#vtp domain cisco (the IOS keyword is "domain"; the name must match on both devices)
#end
#vlan database (exec-mode VLAN database; VLANs created here are pushed to the VTP client)
#vlan 10 name PCS (or whatever you want to call the VLAN)
#vlan 20 name WIRELESS (or whatever you want to call the VLAN)
#exit

3. Now we need to configure a trunk from the 881 to the 3550. In this example I will use fa0, but you can choose any interface from fa0-3, whichever you like.
#conf t
#interface fa0
#switchport mode trunk
#end

4. On the 3550, whichever port you connect from the 881 to the 3550 will need to be configured as a trunk, and then we will configure the 3550 as a VTP client so it should receive the VLANs that we created on the 881.
#conf t
#vtp mode client
#vtp domain cisco (same domain name as on the 881)
#interface fa0/24 (this will be the port you are connecting from the 881 to the 3550 switch and can be whichever port you like)
#switchport trunk encapsulation dot1q
#switchport mode trunk
#end
You can now assign the ports you require onto either VLAN 10 or VLAN 20 by using the following commands:
#conf t
#interface fa0/1 (the port you want to assign)
#switchport mode access (turns the port into an access port)
#switchport access vlan 10 (assigns the port to VLAN 10)
#end


5. We now need to concentrate back on the 881 and configure the fa4 (WAN) interface IP address and also sort out the DHCP pools for the 2 LAN subnets.
#conf t
#interface fa4
#ip address 195.198.11.218 255.255.255.252 (configures the IP address for the interface)
#ip nat outside (tells the router that this is an outside interface)
#exit
#ip dhcp pool PC_VLAN (creates a DHCP pool called PC_VLAN; you can name it what you like)
#network 192.168.10.0 255.255.255.0 (defines the network and mask for the pool)
#default-router 192.168.10.1 (designates 192.168.10.1 as the default gateway for PCs on the PC_VLAN)
#dns-server 195.67.199.27
#exit
#ip dhcp pool WIRELESS_VLAN
#network 192.168.20.0 255.255.255.0
#default-router 192.168.20.1
#dns-server 195.67.199.27
#exit
#ip dhcp excluded-address 192.168.10.1 (this excludes this IP address from being handed out, as we have already used it for the SVI int vlan 10)
#ip dhcp excluded-address 192.168.20.1
#end

6. Now let's sort out an access list to tell the router what addresses are allowed to be translated.
#conf t
#access-list 1 permit 192.168.10.0 0.0.0.255
#access-list 1 permit 192.168.20.0 0.0.0.255
#end

7. The final step now is to tie the access list together with NAT. We have already specified which are our inside and outside interfaces, so now it's just a case of one final command to tie it all together.
#conf t
#ip nat inside source list 1 interface fa4 overload (this tells the router to translate the addresses matched by list 1, arriving on interfaces that have the ip nat inside command, to the fa4 interface IP address)
#end
#end

That's it, you should now be good to go.

I'm new to all this forum stuff, but hopefully this has cleared things up a little for you (I'm not that good with words and explaining stuff sometimes).

If I have missed anything just let us know.
Good luck

Shaun

That's really nice of you to spend all this time to help out!

I think I've got the hang of how it's meant to be set up now. Although I am not at the location at the moment, I have the router and switch in my apartment. Seeing as my personal Internet access in the apartment is already NATed by the ISP's router, I doubt I can test out the NAT functions at home? Or can I?

I tried plugging the FE4 WAN port into my ISP ADSL router. The router keeps glowing orange with that though, no matter if I try ip address dhcp or set a manual IP from the ISP's ADSL router's private network.
Any ideas on how to test this at home? Or do I have to carry all the stuff to the location to test? (I have limited time at the location, so I can't go there whenever I want.)
Other than not being able to test the NAT, the other stuff seems to function well. I plugged a PC into Fa0/1 (switchport access vlan 10) and Fa0/2 (switchport access vlan 20) on the switch and they both got IPs from different VLANs as expected!

I think the problem you have at your apartment setup is that you are probably connecting the WAN fa4 port on the 881 to just a layer 2 switchport on your ADSL router, which won't work?

If the IP addresses you gave for your ISP are correct, you should have no problem at the location with the NAT.

I will make sure to try it ASAP and return with results! Thanks for the help so far! <3!

OK, I have just been at the location and plugged everything in. And well, everything but the NAT seems to work fine. The IP addresses are given out right between the different VLANs etc. But I can't get out on the Internet for some reason.

Before I post the conf I have, let me add that I tried with "ip nat inside/outside" instead of "ip nat enable" on all interfaces with no change. Also, the ACLs (except #1 for the NAT) are not in use; I just have them there for future use when the network is actually working.

I also tried with a PC directly plugged into the ISP's router, set a manual IP, and it is working fine to the Internet. So I know the ISP router is working for sure. But I don't get more info from it than the IP. I'll attach a pic of the real topology too.

Also tried with no ip source-route on and off.

Here is the conf. Router first, then switch below.

ROUTER

hostname Router

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

memory-size iomem 10

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-4287897570

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4287897570

revocation-check none

rsakeypair TP-self-signed-4287897570

!

!

crypto pki certificate chain TP-self-signed-4287897570

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34323837 38393735 3730301E 170D3133 30353235 30383235

  30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32383738

  39373537 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100BA0B 207010D1 26F3C26F 7B203E8E A800F587 4A517750 34D7FC43 34A91F9E

  F16F2836 D4518239 616C0043 7193735D 27EB0298 E8D76390 E7E20CCC BE43E95A

  31EC1207 671A416E 5813B363 478918FE C4FA04AA C7985513 54B6F376 9381E81B

  E0FB9D4B 2C05572B 659C46B2 FB327FE8 D989F904 BB71A99A 083B77CB 45E5C31E

  E4850203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 1415B8C8 C5A9AF6C 64E9E056 C5B71021 09268D4A D3301D06

  03551D0E 04160414 15B8C8C5 A9AF6C64 E9E056C5 B7102109 268D4AD3 300D0609

  2A864886 F70D0101 05050003 81810033 D79551FE 0773CB50 CE0EE92C 29B4106E

  D4F89943 C981D35A 53D471DD 5BC84406 911D9151 B2784803 18FBA741 056C160B

  0B98F4B3 D3376926 0B1C6FFB 29E6B166 3CE92171 EC0A6A56 0347A709 FD8B2660

  6B58B622 4BC35790 AD430904 5FBFCC0B D417F26E 14C0F115 ACD0C64A 8E36A0F2

  DA4A1030 6671A5A4 B4839ADC 31C2C3

        quit

no ip source-route

!

!

!

ip dhcp excluded-address 192.168.1.1 192.168.1.10

ip dhcp excluded-address 192.168.20.1 192.168.20.10

ip dhcp excluded-address 192.168.10.1 192.168.10.10

ip dhcp excluded-address 192.168.2.1 192.168.2.10

ip dhcp excluded-address 192.168.3.1 192.168.3.10

ip dhcp excluded-address 192.168.100.1 192.168.100.10

!

ip dhcp pool kassasystem

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 195.67.199.27

!

ip dhcp pool wireless

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server 195.67.199.27

!

ip dhcp pool kassasystem2

network 192.168.3.0 255.255.255.0

dns-server 195.67.199.27

default-router 192.168.3.1

!

!

ip cef

no ip domain lookup

ip domain name yourdomain.com

ip name-server 195.67.199.27

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO881-SEC-K9 sn FCZ1715C05X

!

!

!

spanning-tree vlan 1 priority 24576

spanning-tree vlan 2 priority 24576

spanning-tree vlan 3 priority 24576

spanning-tree vlan 10 priority 24576

spanning-tree vlan 20 priority 24576

username tobbe privilege 15 secret 4 YIiJkyf7ObBR5DjNyIpPjM.X/O4KqoshZHfyRIrPp6w

!

!

!

!

!

!

!

!

!

!

!

interface FastEthernet0

switchport mode trunk

no ip address

!

interface FastEthernet1

no ip address

shutdown

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

description Link till telias router

ip address 195.198.11.218 255.255.255.252

ip nat enable

ip virtual-reassembly in

duplex auto

speed auto

!

interface Vlan1

ip address 192.168.100.1 255.255.255.0

ip nat enable

ip virtual-reassembly in

!

interface Vlan2

ip address 192.168.2.1 255.255.255.0

ip nat enable

ip virtual-reassembly in

!

interface Vlan3

ip address 192.168.3.1 255.255.255.0

ip nat enable

ip virtual-reassembly in

!

interface Vlan10

ip address 192.168.1.1 255.255.255.0

ip nat enable

ip virtual-reassembly in

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 1 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 FastEthernet4

!

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 1 permit 192.168.20.0 0.0.0.255

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 permit 192.168.2.0 0.0.0.255

access-list 1 permit 192.168.3.0 0.0.0.255

access-list 1 permit 192.168.100.0 0.0.0.255

access-list 115 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 115 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 115 deny   icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 115 deny   icmp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 115 permit icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 115 deny   icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 115 permit ip any any

access-list 115 permit icmp any any

access-list 116 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 116 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 116 deny   icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 116 deny   icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 116 permit ip any any

access-list 116 permit icmp any any

access-list 117 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 117 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 117 deny   icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 117 deny   icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 117 permit ip any any

access-list 117 permit icmp any any

no cdp run

!

!

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device.

This feature requires the one-time use of the username "cisco" with the

password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE

PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username   privilege 15 secret 0

no username cisco

Replace and with the username and password you want

to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL

NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the

QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

^C

!

line con 0

password XXXX

login local

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

end

interface vlan 10

no ip access-group 115 in

no ip access-group 115 out

exit

interface vlan 2

no ip access-group 116 in

no ip access-group 116 out

exit

interface vlan 3

no ip access-group 117 in

no ip access-group 117 out

exit

interface vlan 1

no ip nat enable

exit

SWITCH

Building configuration...

Current configuration : 4361 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname switch

!

enable secret 5 $1$t2Pw$IDMXno5rgU.QU4ApgXnHu1

!

username tobbe privilege 15 secret 5 $1$SHA3$bQi8SztWrqzPd60pr7iTR0

no aaa new-model

ip subnet-zero

!

!

!

crypto pki trustpoint TP-self-signed-3167797376

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3167797376

revocation-check none

rsakeypair TP-self-signed-3167797376

!

!

crypto pki certificate chain TP-self-signed-3167797376

certificate self-signed 01

  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33313637 37393733 3736301E 170D3933 30333031 30303031

  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31363737

  39373337 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100C365 2340802C DAD0FD2C E6C3A964 B8C17931 15D18B1A A4A027E0 D035F621

  81017123 9256D49B A33EE9C9 EA9F30CE 29351E05 AAB92F9E 99043391 8AF85A6D

  638732B3 A85D3928 36A4BE39 0CAA4740 51167E0F 70222BA6 FBF4C791 F22E3E09

  A70C61AC 53686A85 785147CA AC1156AE F85EFF3B 6A51F441 69771A6C 6C98E0A6

  E1510203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603

  551D1104 14301282 10737769 74636862 61726869 6D6D656C 2E301F06 03551D23

  04183016 801466D0 195BE658 432F318E 1A20A381 EF5F42C0 BC5A301D 0603551D

  0E041604 1466D019 5BE65843 2F318E1A 20A381EF 5F42C0BC 5A300D06 092A8648

  86F70D01 01040500 03818100 2B19B085 8137CF13 90D0667D 70B078E0 AFD08C43

  34F95665 2FE0E3A1 D455B821 207C4BA0 50CC9D51 D4799F6B E2EDDE4D 14BF7348

  F0EA3FB5 AA2B4BB8 772D2FF5 613623B1 918F05BD E996E7E9 20F8CDCF 08548492

  13C5B4B2 CDB1EAA5 C4DE7B85 971B4DAE BD4E8FEE 27F516A0 90F2276F 7251E52D

  D05BF3DE 3EE91D4D 442814DD

  quit

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!

!

!

!

interface FastEthernet0/1

switchport access vlan 10

switchport mode access

!

interface FastEthernet0/2

switchport access vlan 10

switchport mode access

!

interface FastEthernet0/3

switchport access vlan 10

switchport mode access

!

interface FastEthernet0/4

switchport access vlan 10

switchport mode access

!

interface FastEthernet0/5

switchport access vlan 10

switchport mode access

!

interface FastEthernet0/6

switchport access vlan 10

switchport mode access

!

interface FastEthernet0/7

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/8

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/9

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/10

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/11

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/12

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/13

switchport access vlan 3

switchport mode access

!

interface FastEthernet0/14

switchport access vlan 3

switchport mode access

!

interface FastEthernet0/15

switchport access vlan 3

switchport mode access

!

interface FastEthernet0/16

switchport access vlan 3

switchport mode access

!

interface FastEthernet0/17

switchport access vlan 3

switchport mode access

!

interface FastEthernet0/18

switchport access vlan 3

switchport mode access

!

interface FastEthernet0/19

switchport mode dynamic desirable

!

interface FastEthernet0/20

switchport mode dynamic desirable

!

interface FastEthernet0/21

switchport mode dynamic desirable

!

interface FastEthernet0/22

switchport mode dynamic desirable

!

interface FastEthernet0/23

switchport mode dynamic desirable

!

interface FastEthernet0/24

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1-3,10

switchport mode trunk

!

interface GigabitEthernet0/1

switchport mode dynamic desirable

!

interface GigabitEthernet0/2

switchport mode dynamic desirable

!

interface Vlan1

ip address 192.168.100.2 255.255.255.0

!

ip classless

ip http server

ip http secure-server

!

!

!

control-plane

!

!

line con 0

password cisco

login local

line vty 0 4

password cisco

login local

line vty 5 15

password cisco

login local

!

end

Hi Sebastian,

I have set up what you are trying to do in Packet Tracer and have the lab working fine. Can you confirm you are using a crossover cable for the connection between the 2 Cisco routers and not a straight-through cable? (This could be the culprit.) You also need to then add the ip nat inside & outside statements to the relevant interfaces, as in the earlier config I posted.

Looks like you're nearly there.

I tried with many different cables, but I'm not 100% sure one of them was a crossover. The one included by the ISP should be though.... But I'm bringing one I'm 100% sure of to try today.

Feels so weird...

Solved it!
It was the ip route to Fa4 which was wrong. It was supposed to say ip route 0.0.0.0 0.0.0.0 followed by the ISP router's interface address. Worked like a charm after that.

Great stuff. It should work with ip route 0.0.0.0 0.0.0.0 fa4, as it's saying to send all packets with an unknown destination out of that interface towards your ISP router?

Main thing is you have it all working now.
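Three things in this thread are worth checking mechanically before a config like this goes live, and none of them is obvious from a quick read. First, the procedure in the long reply above gives the two VLANs no isolation at all: both SVIs sit on the same 881, so it routes VLAN 10 to VLAN 20 freely unless each SVI carries an inbound ACL that denies the other VLAN's subnet before the permit (the shape of the OP's access-lists 115-117, which the posted config shows being removed with no ip access-group). Second, the posted 881 config puts ip nat enable (the NAT Virtual Interface form) on every interface but uses the classic ip nat inside source list rule; those two forms do not combine, which is why no translation happened regardless of cabling. Third, ip route 0.0.0.0 0.0.0.0 FastEthernet4 names only an Ethernet interface, so the router has to ARP for every Internet destination and depends on the ISP router answering with proxy ARP; pointing the route at the next-hop address, as the OP finally did, removes that dependency. The script below is an added example, not code from the thread: it audits a saved running-config for exactly these conditions (plus telnet on the vty lines, which this config also allows). The finding codes are this script's own names, the embedded SAMPLE_CONFIG is a trimmed copy of the 881 config posted above, and it recognises only standard numbered ACLs with contiguous wildcards.

```python
"""Audit a Cisco IOS running-config for the NAT, routing and inter-VLAN
pitfalls discussed in this thread. Added example, not code from the thread;
the finding codes (NAT-MODE-MISMATCH, NAT-ACL-GAP, ROUTE-NO-NEXTHOP,
NO-SVI-ACL, TELNET-VTY) are this script's own names."""
import ipaddress
import re

# Trimmed copy of the 881 config posted in the thread, embedded so this runs offline.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 195.198.11.218 255.255.255.252
 ip nat enable
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat enable
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
"""


def parse(cfg):
    """Split a config into {interface name: [its lines]} plus the remaining global lines."""
    ifaces, glob, cur = {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line == "!":          # '!' closes the current interface block
            cur = None
        elif cur is not None:
            ifaces[cur].append(line)
        else:
            glob.append(line)
    return ifaces, glob


def iface_network(lines):
    """Subnet configured by an 'ip address A MASK' line, or None."""
    for line in lines:
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            return ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return None


def wildcard_network(addr, wildcard):
    """IOS 'address wildcard' pair -> prefix; wildcard 0.0.0.0 is a single host."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network((addr, 32 - host_bits), strict=False)


def acl_permits(glob, number):
    """Prefixes permitted by standard numbered access-list <number>."""
    nets = []
    for line in glob:
        m = re.match(rf"access-list {number} permit (\S+)(?: (\S+))?$", line)
        if m:
            nets.append(ipaddress.ip_network("0.0.0.0/0") if m[1] == "any"
                        else wildcard_network(m[1], m[2] or "0.0.0.0"))
    return nets


def audit(cfg):
    """Return 'CODE: detail' findings; an empty list means every check passed."""
    ifaces, glob = parse(cfg)
    findings = []
    nvi = [n for n, ls in ifaces.items() if "ip nat enable" in ls]
    classic = [n for n, ls in ifaces.items() if "ip nat inside" in ls or "ip nat outside" in ls]
    rule = next((l for l in glob if re.match(r"ip nat (inside )?source list", l)), None)
    # NVI interfaces ('ip nat enable') need 'ip nat source ...'; classic inside/outside
    # interfaces need 'ip nat inside source ...'. Mixing them yields no translation.
    if rule and rule.startswith("ip nat inside source") and nvi and not classic:
        findings.append(f"NAT-MODE-MISMATCH: {', '.join(nvi)} use 'ip nat enable' (NVI) but the rule is "
                        "'ip nat inside source'; use 'ip nat source list ...' or mark interfaces inside/outside")
    m = re.search(r"source list (\d+) interface (\S+)", rule or "")
    if m:
        permitted = acl_permits(glob, m[1])
        for name, ls in ifaces.items():
            net = iface_network(ls)
            if net is None or name == m[2] or not ({"ip nat enable", "ip nat inside"} & set(ls)):
                continue          # skip the WAN interface and interfaces not doing NAT
            if not any(net.subnet_of(p) for p in permitted):
                findings.append(f"NAT-ACL-GAP: {name} ({net}) is not permitted by access-list {m[1]}")
    for line in glob:
        r = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if r and not re.match(r"\d+\.\d+\.\d+\.\d+$", r[1]):
            findings.append(f"ROUTE-NO-NEXTHOP: default route names only {r[1]}; the router must ARP for every "
                            "destination and relies on the neighbour's proxy ARP. Add the next-hop address.")
    svis = {n: iface_network(ls) for n, ls in ifaces.items()
            if n.lower().startswith("vlan") and iface_network(ls)}
    if len(svis) > 1:             # with two or more SVIs on one router, they route to each other
        for name, ls in ifaces.items():
            if name in svis and not any(l.startswith("ip access-group ") and l.endswith(" in") for l in ls):
                others = ", ".join(str(svis[o]) for o in svis if o != name)
                findings.append(f"NO-SVI-ACL: {name} has no inbound ACL, so its hosts can route to {others}")
    if any(re.match(r"transport input .*\btelnet\b", l) for l in glob):
        findings.append("TELNET-VTY: telnet is accepted on the vty lines; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted config it reports the NAT mode mismatch, the interface-only default route, the two SVIs without inbound ACLs and telnet on the vty; with ip nat inside/outside on the interfaces, a next-hop in the default route, an ip access-group ... in on each SVI and transport input ssh it reports nothing. Paste show running-config into a file and feed it to audit() in place of SAMPLE_CONFIG to check a real device.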
