kanaitpro
Beginner

vlans and internet access sharing

I am trying to set up a Cisco 2950 with a VLAN to separate all of the POS machines on the network (4 of them) from all other machines in the building (3 hard wired and Wi-Fi). I was going to use VLAN 1 as a trunk to allow internet access to go from fa0/1 to both VLANs (VLAN 10 and VLAN 20).

I have read things about the ACL having an explicit deny at the end, so I'm thinking that is my problem. I am testing it at my house before deploying it to the network.

I have 1 laptop set up with an IP of 192.168.0.50, and the other is .60. My router is 192.168.0.1. I have the ethernet from the router plugged into fa0/1, the 1st laptop on fa0/2 and the other on fa0/3.

Before I set the VLANs up, I checked the communication by just plugging them in and trying to ping; they could both ping each other, the router and 8.8.8.8. When I finished setting up the test VLANs, they could not ping each other (what I wanted), and laptop 1 can ping the router and 8.8.8.8. Laptop 2 cannot ping anything.

The only thing I did was create VLAN 10 and 20, set port fa0/2 to VLAN 10 and no sh, fa0/3 to VLAN 20 and no sh, fa0/1 to VLAN 1 and no sh. Then I did switchport mode trunk on fa0/1, and switchport native vlan 1.

This seems to be how I was supposed to do it, but it's been a while since I have worked with switches. I'm sure it's simple, but after searching the internet and poring over my Cisco books for 5 hours, it is turning out not to be the case.

Here are some details:

greenhouse#sh int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
Voice VLAN: none (Inactive)
Appliance trust: none

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24
10   VLAN0010                         active    Fa0/2
20   VLAN0020                         active    Fa0/3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

00:32:47: %SYS-5-CONFIG_I: Configured from console by console
ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      unassigned      YES manual up                    up
FastEthernet0/1            unassigned      YES unset  up                    up
FastEthernet0/2            unassigned      YES unset  up                    up
FastEthernet0/3            unassigned      YES unset  up                    up

The rest are down because nothing is plugged in. Does anyone have any ideas?

Bilal Nawaz
Engager

Hello,

The initial pings worked because they were on the same VLAN. It's not working now because they are not in the same VLAN, with no gateway to contact for the way out. By the sounds of it, you need to do something called 'router on a stick'. A very good example is attached...

In short, you will need to create sub-interfaces on the router that will be the gateway for your PCs in their VLANs.

Also, this may be able to assist:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml

I think the concept of VLANs and trunks needs to be understood too. A trunk will carry VLANs. The VLAN is not capable of carrying trunks, unless you are doing QinQ.

On the switch fa0/1 should be like this:

interface fa0/1
 switchport
 ! the 2950 only supports 802.1Q, so this line is accepted only on switches that offer a choice of encapsulation
 switchport trunk encapsulation dot1q
 switchport mode trunk

On the router that connects to fa0/1 on the switch you should have something similar to this, to get it working. Just an example...

interface fa0/0
 no ip address
!
interface fa0/0.10
 encapsulation dot1q 10
 ! this will be your gateway for vlan 10
 ip address 10.0.0.1 255.255.255.0
!
interface fa0/0.20
 encapsulation dot1q 20
 ! this will be your gateway for vlan 20
 ip address 20.0.0.1 255.255.255.0

Also, NAT will come into play when you set up the internet connection.

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Thank you so much for the router on a stick PDF. I cannot perform this, however. I neglected to mention in my first post that I need to do all the configuration on the switch, since I am using a Linksys RV042 and cannot configure VLANs on the interface. The only thing I can do which is close is to assign different IP addresses to each of the different VLANs, by adding an ethernet connection to a port on the switch. And as for not being able to ping one VLAN from another, that is the whole reason for adding the 2950: to isolate the POS machines from the rest of the network. The only requirement I have is for each VLAN to have internet access. I thought that by trunking the incoming port, that would take care of that part. I have since put up the equipment and started working with Packet Tracer; the only reason I didn't do that to start with is so that I could configure the switch easily.

Would this work: connecting one outgoing port from the router on 192.168.5.1 to VLAN 10 and the other outgoing port 10.10.10.1 to VLAN 20? That is what I am going to try with Packet Tracer, but I'll probably have to hook up the actual switch to try it. The only thing is the router I use at the house is locked down from Suddenlink (ISP) and probably won't respond the same.

A 2950 switch is incapable of routing between subnets. It can establish Vlans, but assuming you assign different subnet addresses to those Vlans, it can't, by itself, route between them. You have to have a router somewhere that can do that. It could be a router on a stick configuration, in which case the trunk port would be appropriate. Or, it could be a router with more than one routing interface.

Sent from Cisco Technical Support iPad App

The Linksys RV042 doesn't support 'tagging' with an 802.1Q header, which the switch does when you trunk (apart from native VLANs), so this won't work.

Okay... so on the Linksys RV042 you can set up one of the interfaces to have the IP of 192.168.5.1 and have another interface with the IP of 10.10.10.1?

You would plug these into the switch in separate VLANs but as access ports. So you could do this.

For the interface on the RV042 that has the IP of 192.168.5.1 you could do this on the switch:

interface fa0/1
 description LINK_TO_RV042_VLAN10
 switchport
 switchport mode access
 switchport access vlan 10
 no shut

and for the other interface on the RV042 - IP of 10.10.10.1 - you could do this:

interface fa0/2
 description LINK_TO_RV042_VLAN20
 switchport
 switchport mode access
 switchport access vlan 20
 no shut

So now that they are isolated VLANs, test to see if you can pick up an IP address from a PC. So if you had a PC, you would also configure it as an access port, e.g.

interface fa0/3
 description ACCESS_PORT_VLAN10
 switchport
 switchport mode access
 switchport access vlan 10
 no shut

Then see if you can ping the default gateway (RV042).

Since the RV042 is a router, we then need to find out if there is a way of blocking 'inter-interface/VLAN routing', if that makes sense.

I'm not sure if this is achievable in Packet Tracer since the Linksys WRT isn't that intelligent.

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


On the Packet Tracer, I am using an 1841. I have everything as you stated, except I'm using static IPs for the 4 computers and the printer. I have commo between all of the computers and printers, but not to the gateway. I have this: router - fa0/0 to VLAN 2 fa0/1 on the switch, fa0/1 to VLAN 1 fa0/7 on the switch. Switch: fa0/2 pc1, fa0/3 pc2, fa0/4 pc3, fa0/5 to a D-Link DES 1105 switch, fa0/8 to wireless access point, fa0/7 to VLAN 1. This should put each VLAN with a separate connection from the router; from the router to VLAN 1 I have 192.168.5.1 as the gateway, and to VLAN 2 I have 10.10.10.1 as the gateway. From the D-Link switch, one port goes to pc4 and one port goes to a printer. Everything has static IPs; they go from 10.10.10.3/24 to 10.10.10.7/24 on VLAN 2.

The thing I won't know until I get back is if I can assign IPs from two different ranges (10.x.x.x and 192.x.x.x) on two different ports using DHCP. I can assign static IPs in the router, so the 10.x.x.x on VLAN 2 shouldn't be a problem, and all of the other IPs are going to be DHCP for customers and employees using iPhones, etc. I have the manual for the RV042 and will study this, but the crazy thing with the network is I cannot find a wireless access point in the building. I have looked at all drops, and the only things plugged into them are computers, a printer, and the D-Link switch (DES 1105), which according to documentation is not Wi-Fi capable.

But more importantly, right now as is, I cannot ping the gateway from any computer. They all ping each other, but they can't get the router.

This is the configuration:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
2    VLAN0002                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/6
 switchport mode access
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/8
 switchport mode access

Hello Tim, with the 1841 we could do a lot more; however, I've tried to keep it as close as possible to what is at hand. I configured this in PT so you can see what can be achievable with your scenario. Obviously it seems quite limited with what you can do with your Linksys.

This is the running config of the 1841:

ip dhcp excluded-address 10.10.10.1 10.10.10.100
ip dhcp excluded-address 192.168.5.1 192.168.5.100
!
ip dhcp pool VLAN20
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8
ip dhcp pool VLAN10
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 8.8.8.8
!
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
 ip access-group FOR_VLAN10 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip access-group FOR_VLAN20 out
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
ip access-list standard FOR_VLAN10
 deny 10.10.10.0 0.0.0.255
 permit any
ip access-list standard FOR_VLAN20
 deny 192.168.5.0 0.0.0.255
 permit any
!

The switch just has VLAN 10 and 20 with access ports - no trunks configured. Also, for the sake of completeness, I included a wireless AP and connected a laptop and a few other gadgets to it. So feel free to have a look around in the attached.

The access lists are to prevent both VLANs from communicating with each other.

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


I couldn't open the Packet Tracer file; it said it was the wrong version. But I did get a chance to make the changes you posted, and I could ping between the VLANs. I even went into the ACL and took out the explicit allow and only allowed 192.168.5.0 0.0.0.0, but it didn't help. I have included a pic of the layout that I am using. I am going to work on this some more tomorrow; it really doesn't make sense how it is going on right now. It looked good and it should have isolated the VLANs. I have the 192.x.x.x going to fa0/7 on VLAN 10 and 10.x.x.x going to fa0/1 on VLAN 20.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
10   VLAN0010                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5
20   VLAN0020                         active    Fa0/6, Fa0/7, Fa0/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup

router:

!
ip dhcp pool vlan20
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8
ip dhcp pool vlan10
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 8.8.8.8
!
!
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip access-group for_vlan10 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 ip access-group for_vlan20 out
 duplex auto
 speed auto
!
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
ip access-list standard for_vlan10
 deny 192.168.5.0 0.0.0.255
 permit 10.10.10.0 0.0.0.255
ip access-list standard for_vlan20
 deny 10.10.10.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
!

Hi Tim, which version are you using please?

You have the ACLs the wrong way round. On the interface with 192.168.5.1 you need to block anything going to 10.10.10.0 and permit anything else, and the same for the other interface. Also, you might have your links to the router in the wrong VLANs too.

So on the interface I am saying deny going to the other network, but permit anything else.
Once I get the version you are using, then hopefully I can illustrate it more to you.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
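As an added example that is not part of the thread (it is neither Bilal's nor Cisco's code), here is a small Python model of how an IOS standard ACL decides a packet's fate: it looks at the source address only, walks the entries top-down with first match winning, and drops anything that matches no entry through the implicit deny at the end of every ACL. It replays both ACL sets posted above, the 'deny the other VLAN, permit any' pair from the 1841 running config and the narrower 'deny the other VLAN, permit only our own range' pair from the later post, against the flows that matter: VLAN to VLAN, a host out to 8.8.8.8, and the reply coming back. The router model, the flow names and the sample hosts 192.168.5.50 and 10.10.10.5 are constructed for this example; the ACL entries, interface addresses and the 8.8.8.8 loopback are the ones in the posts.

```python
"""Model of IOS standard ACL evaluation on outbound interfaces (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, network and Cisco wildcard mask."""
    action: str    # "permit" or "deny"
    network: str   # dotted-quad address
    wildcard: str  # wildcard mask: 0 bits must match, 1 bits are ignored


ANY = ("0.0.0.0", "255.255.255.255")  # what "permit any" expands to


def ace_matches(ace: Ace, src: str) -> bool:
    """Standard ACLs test only the source address, under wildcard semantics."""
    s = int(ipaddress.IPv4Address(src))
    n = int(ipaddress.IPv4Address(ace.network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(ace.wildcard))
    return (s & care) == (n & care)


def evaluate(acl: list, src: str) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, src):
            return ace.action
    return "deny"


@dataclass(frozen=True)
class Interface:
    network: str   # directly connected subnet, e.g. "192.168.5.0/24"
    out_acl: tuple  # ACEs applied with "ip access-group <name> out" (empty = none)


def route(router: dict, src: str, dst: str) -> str:
    """Pick the egress interface by destination, then apply its outbound ACL."""
    for intf in router.values():
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(intf.network):
            return evaluate(list(intf.out_acl), src) if intf.out_acl else "permit"
    return "deny"  # no connected route in this model (the posted 1841 has none)


# The 1841 running config posted in the thread: deny the other VLAN, permit any.
POSTED = {
    "Fa0/0": Interface("192.168.5.0/24",
                       (Ace("deny", "10.10.10.0", "0.0.0.255"), Ace("permit", *ANY))),
    "Fa0/1": Interface("10.10.10.0/24",
                       (Ace("deny", "192.168.5.0", "0.0.0.255"), Ace("permit", *ANY))),
    "Loopback0": Interface("8.8.8.8/32", ()),
}

# The later post: each ACL permits only that VLAN's own range, so any other
# source (including 8.8.8.8 replying to a host) reaches the implicit deny.
NARROW = {
    "Fa0/0": Interface("10.10.10.0/24",
                       (Ace("deny", "192.168.5.0", "0.0.0.255"),
                        Ace("permit", "10.10.10.0", "0.0.0.255"))),
    "Fa0/1": Interface("192.168.5.0/24",
                       (Ace("deny", "10.10.10.0", "0.0.0.255"),
                        Ace("permit", "192.168.5.0", "0.0.0.255"))),
    "Loopback0": Interface("8.8.8.8/32", ()),
}

# Constructed sample hosts, one in each VLAN.
FLOWS = {
    "vlan10_to_vlan20": ("192.168.5.50", "10.10.10.5"),
    "vlan20_to_vlan10": ("10.10.10.5", "192.168.5.50"),
    "vlan10_to_internet": ("192.168.5.50", "8.8.8.8"),
    "internet_reply_to_vlan10": ("8.8.8.8", "192.168.5.50"),
}


def check(router: dict) -> dict:
    """Verdict for every flow in FLOWS on the given router model."""
    return {name: route(router, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, model in (("posted config", POSTED), ("narrow ACLs", NARROW)):
        print(label)
        for flow, verdict in check(model).items():
            print(f"  {flow:26} {verdict}")
```

Running it shows inter-VLAN traffic blocked under both sets, but under the narrow pair the reply from 8.8.8.8 to a VLAN host is dropped by the implicit deny, which is why the deny line needs a "permit anything else" behind it if the VLAN is to keep internet access.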
paul driver
VIP Mentor

Hello Tim

You can try and CIDR off the 24-bit subnet into smaller 25-bit ones on the Linksys; then you will have at least 4 VLANs.

Res
Paul

Sent from Cisco Technical Support iPad App

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Bill: thank you for the advice and configuration. This is very close to what I have. I will try it out in a bit; the day has been too beautiful to waste inside on a computer, even for $$, outside playing with my son. I forgot about using ACLs to further isolate the VLAN; maybe this is why I didn't have commo with the gateway.

pdriver: thank you as well for this advice; I may have to use smaller subnets when I get there instead of two different ranges.

When I get a chance to confirm everything tonight, I will mark the thread as solved.