thank you so much for the router on a stick pdf.  i cannot perform this, however.  i neglected to mention in my first post that i need to do all the configuration on the switch since i am using a linsys rv042 and cannot configure vlans on the interface.  the only thing i can do which is close is to assign different ip addresses to each of the different vlans, by adding an ethernet connection to a port on the switch.  and as for not being able to ping one vlan from another, that is the whole reason for adding the 2950, to isolate the pos machines from the rest of the network.  the only requirement i have is for each vlan to have internet access.  i thought that by trunking the incoming port, that would take care of that part.  i have since put up the equipment and started working with packet tracer, the only reason i didn't do that to start with is so that i could configure the switch easily.

would this work:  connecting one outgoing port from the router on 192.168.5.1 to vlan 10 and the other outgoing port 10.10.10.1 to vlan 20?  that is what i am going to try with packet tracer, but i'll probably have to hook up the actual switch to try it.  the only thing is the router i use at the house is locked down from suddenlink(isp) and probably won't respond the same.

A 2950 switch is incapable of routing between subnets. It can establish Vlans, but assuming you assign different subnet addresses to those Vlans, it can't, by itself, route between them. You have to have a router somewhere that can do that. It could be a router on a stick configuration, in which case the trunk port would be appropriate. Or, it could be a router with more than one routing interface.

Sent from Cisco Technical Support iPad App

The linksys RV042 doesn't support 'tagging' with an 802.1q header which the switch does when you trunk (apart from native vlans) So this won't work.

Okay... so on the linksys RV042 you can set up one of the interfaces to have the IP of 192.168.5.1 and have another interface with the ip of 10.10.10.1?

You would plug these in to the switch in separate vlans but as access ports. So you could do this.

For the interface on the RV042 that has the IP of 192.168.5.1 you could do this on the switch:

interface fa0/1

description LINK_TO_RV042_VLAN10

switchport

switchport access vlan 10

no shut

and for the other interface on the RV042 - IP of 10.10.10.1 you could do this:

interface fa0/2

description LINK_TO_RV042_VLAN20

switchport

switchport access vlan 20

no shut

So now that they are isolated vlans, test to see if you can pick up an IP address from a PC. So if you had a PC you would also configure it as an access port e.g.

interface fa0/3

description ACCESS_PORT_VLAN10

switchport

switchport access vlan 10

no shut

Then see if you can ping the default gateway (RV042)

Since the RV042 is a router, we then need to find out if there is a way of blocking 'inter - interface/vlan routing' if that makes sense

Im not sure if this is achievable in packet tracer since the Linksys WRT isn't that inteligent.

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

on the packet tracer, i am using an 1841.  i have everything as you stated, except i'm using static ip's for the 4 computers and the printer.  i have commo between all of the computers and printers, but not to the gateway.  i have this:  router - fa0/0 to vlan 2 fa0/1 on the switch, fa0/1 to vlan 1 fa0/7 on the switch.   switch:  fa0/2 pc1, fa0/3 pc2, fa0/4 pc3, fa0/5 to a dlink des 1105 switch, fa0/8 to wireless access point, fa0/7 to vlan 1.  this should put each vlan with a seperate connection from the router, from the router to vlan 1 i have 192.168.5.1 as the gateway, and to vlan 2 i have 10.10.10.1 as the gateway.  from the dlink switch, one port goes to pc4 and one port goes to a printer.  everything has static ip's, they go from 10.10.10.3/24 to 10.10.10.7/24 on vlan 2. 

th thing i won't know until i get back is if i can assign ip's from two different ranges (10.x.x.x and 192.x.x.x) on two different ports using dhcp.  i can assign static ip's in the router, so the 10.x.x.x on vlan 2 shouldn't be a problem, and all of the other ip's are going to be dhcp for customers and employees using iphones, etc.  i have the manual for the rv042 and will study this, but the crazy thing with the network is i cannot find a wireless access point in the building.  i have looked at all drops, and the only thing plugged into them are computers, a printer, and the dlink switch (des 1105), that according to documentation is not wi-fi capable. 

but more importantly, right now as is, i cannot ping the gateway from any computer.  they all ping each other, but they can't get the router.

this is the configuration:

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9

                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13

                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17

                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21

                                                Fa0/22, Fa0/23, Fa0/24

2    VLAN0002                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4

                                                Fa0/5

1002 fddi-default                     act/unsup

1003 token-ring-default               act/unsup

1004 fddinet-default                  act/unsup

1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1    enet  100001     1500  -      -      -        -    -        0      0

2    enet  100002     1500  -      -      -        -    -        0      0

1002 fddi  101002     1500  -      -      -        -    -        0      0  

1003 tr    101003     1500  -      -      -        -    -        0      0  

1004 fdnet 101004     1500  -      -      -        ieee -        0      0  

1005 trnet 101005     1500  -      -      -        ibm  -        0      0  

Remote SPAN VLANs

------------------------------------------------------------------------------

interface FastEthernet0/1

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/2

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/3

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/4

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/5

switchport access vlan 2

switchport mode access

!

interface FastEthernet0/6

switchport mode access

!

interface FastEthernet0/7

switchport mode access

!

interface FastEthernet0/8

switchport mode access

Hello Tim, with the 1841 we could do a lot more - however I've tried to keep it close as possible to what is at hand, configured this in PT so you can see what can be achievable with your scenario. Obviously seems quite limited with what you can do with your linksys.

This is the running config of the 1841:

ip dhcp excluded-address 10.10.10.1 10.10.10.100

ip dhcp excluded-address 192.168.5.1 192.168.5.100

!

ip dhcp pool VLAN20

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

dns-server 8.8.8.8

ip dhcp pool VLAN10

network 192.168.5.0 255.255.255.0

default-router 192.168.5.1

dns-server 8.8.8.8

!

interface Loopback0

ip address 8.8.8.8 255.255.255.255

!

interface FastEthernet0/0

ip address 192.168.5.1 255.255.255.0

ip access-group FOR_VLAN10 out

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 10.10.10.1 255.255.255.0

ip access-group FOR_VLAN20 out

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

!

ip access-list standard FOR_VLAN10

deny 10.10.10.0 0.0.0.255

permit any

ip access-list standard FOR_VLAN20

deny 192.168.5.0 0.0.0.255

permit any

!

The switch just has vlan 10 and 20 with access ports - no trunks configured. Also for the sake of completeness, I included a wireless AP and connected a laptop and few other gadgets to it. So feel free to have a look around in the attached.

The access lists are to prevent from both vlans communicating with each other.

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

i couldn't open the packet tracer, said it was the wrong version.  but i did get a chance to make the changes you posted and i could ping between the vlans.  i even went into the acl and took out the explicit allow and only allowed 192.168.5.0 0.0.0.0 but it didn't help.  i have included a pic of the layout that i am using.  i am going to work on this some more tomorrow, it really don't make sense how it is going on right now.  it looked good and it should have isolated the vlans.  i have the 192.x.x.x going to fa0/7 on vlan 10 and 10.x.x.x going to fa0/1 on vlan 20

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Fa0/9, Fa0/10, Fa0/11, Fa0/12

                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16

                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20

                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24

10   VLAN0010                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4

                                                Fa0/5

20   VLAN0020                         active    Fa0/6, Fa0/7, Fa0/8

1002 fddi-default                     act/unsup

1003 token-ring-default               act/unsup

1004 fddinet-default                  act/unsup

router:

!

ip dhcp pool vlan20

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

dns-server 8.8.8.8

ip dhcp pool vlan10

network 192.168.5.0 255.255.255.0

default-router 192.168.5.1

dns-server 8.8.8.8

!

!

interface Loopback0

ip address 8.8.8.8 255.255.255.255

!

interface FastEthernet0/0

ip address 10.10.10.1 255.255.255.0

ip access-group for_vlan10 out

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 192.168.5.1 255.255.255.0

ip access-group for_vlan20 out

duplex auto

speed auto

!

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

!

ip access-list standard for_vlan10

deny 192.168.5.0 0.0.0.255

permit 10.10.10.0 0.0.0.255

ip access-list standard for_vlan20

deny 10.10.10.0 0.0.0.255

permit 192.168.5.0 0.0.0.255

!

Hi Tim, which version are you using please?

You have the ACLs the wrong way round. On the interface with 192.168.5.1 you need to block anything going to 10.10.10.0. And permit anything else, and same for the other interface. Also, you might have your links to the router in the wrong vlans too.

So on the interface I am saying deny going to the other network, but permit anything else.
Once I get the version you are using, then hopefully I can illustrate it more to you.

Hope this helps

Sent from Cisco Technical Support iPhone App

bill:  thank you for the advice and configuration.  this is very close to what i have.  i will try it out in a bit, the day has been too beautiful to waste inside on a computer, even for $$, outside playing with my son.  i forgot about using acl to further isolate the vlan, maybe this is why i didn't have commo with the gateway. 

pdriver:  thank you as well for this advice, i may have to use smaller subnets when i get there instead of two different ranges.

when i get a chance to confirm everything tonight, i will mark the thread as solved.