bslattery


Cisco 1700 series router (1711) and vlan configuration/routing

NOTE: I am probably the biggest n00b you will assist in this matter.  I have read the complete documentation on the router and the Cisco IOS software skills documentation. I understand the 6 Command Modes of the IOS, but as far as routing and Cisco hardware goes, that's about all I know.

Task:  Create 4 vLans on the 1711. Allow vlan1 to route to vlan2, vlan3 and vlan4.  Allow vlan2, vlan3, and vlan4 to route to vlan1.  DO NOT allow routing between vlan2, vlan3 and vlan4.  Allow vlan1-vlan4 to route to the WAN interface.

What I have done so far:  Created the 4 vlans, assigned ip addresses to them and also the WAN interface.  vlan1=10.10.1.1 /24 on fa1, vlan2=10.10.2.1 /24 on fa2, vlan3=10.10.3.1 /24 on fa3, vlan4=10.10.4.1 /24 on fa4.  WAN interface=172.16.0.190.  I have connected a Win2kPro machine to each fa(1-4) interface and statically assigned an appropriate ip for the vlan the machine is connected to (i.e. machine connected to fa1(vlan1) ip=10.10.1.2, machine on vlan2=10.10.2.2 etc).  Nothing is connected to the WAN interface at this time.

After reading the documentation, I figure the next step is to configure the vlan routing using 802.1Q encapsulation, but several attempts fail miserably.  Can someone, anyone, walk me through the steps required to complete the task listed above?

At this point I cannot ping the router's interfaces from any of the machines.

I am configuring the router via the console port.  Here is the current config (I do not believe anything in this config is sensitive, but let me know if I should have excluded something from the posted config).

IN THE CONFIGURATION, THE WAN INTERFACE IS VLAN1, I UNDERSTAND AND ACCOUNT FOR THAT.

Current configuration : 1605 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname eng_tst_rtr
!
logging queue-limit 100
logging buffered 51200 warnings
enable secret 5 $1$Vo4I$c77zb6ZB7w1.yru7B9B170
!
ip subnet-zero
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface FastEthernet3
 switchport access vlan 4
 no ip address
 no cdp enable
!
interface FastEthernet4
 switchport access vlan 5
 no ip address
 no cdp enable
!
interface Async1
 no ip address
!
interface Vlan2
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan3
 ip address 10.10.2.1 255.255.255.0
!
interface Vlan4
 ip address 10.10.3.1 255.255.255.0
!        
interface Vlan5
 ip address 10.10.4.1 255.255.255.0
!
interface Vlan1
 ip address 172.16.0.190 255.255.0.0
!
ip classless
ip http server
ip http authentication local
ip http secure-server
!
!
no cdp run
!
!
line con 0
 exec-timeout 5 0
 password xxxxxxxxxx
 login
line 1
 flush-at-activation
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 password xxxxxxxxxxxxx
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password xxxxxxxxxxxxxxxxxxx
 login
 transport input telnet ssh
!
!
end



My very sincere thanks in advance for the person with the patience to assist me.

Respectfully,
bslattery
epylko

There might be two ways to do this.

The first, based on your configuration already, would be to add the command 'switchport' to each of the FE interfaces. They might still be thinking they are routed ports, not switchports.

The second would be to assign the IP address directly to the interface instead of using VLANs.

You don't need dot1Q encapsulation - that would be if you were connecting a physical port to something like a Catalyst switch and you were trunking the port.

To prevent routing to/from the interfaces you have, you'll have to create an access list and apply it to each interface. For example, to block VLAN 2 going to VLAN 3 and 4:
access-list 100 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 100 deny ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 100 permit ip any any
! apply it inbound on the SVI whose hosts are the source addresses in the deny lines
! (in your config that is Vlan2 = 10.10.1.0/24); inbound on Vlan 3 the deny lines would never match
int Vlan 2
 ip access-group 100 in

Do the same thing (but with a different ACL #) for VLAN 3 and 4.

Finally, does this switchport module support Private VLANs? That might make your life much easier if the router supports it (it works on Catalyst switches).

-Eric
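An added example, not code from the thread or from Cisco: a small Python model of IOS extended ACLs (wildcard masks, first match wins, implicit deny at the end) that builds one inbound ACL per restricted SVI for the policy in the question and checks which flows get through before anything is typed into the router. It uses the asker's logical numbering (vlanN = 10.10.N.0/24) rather than the SVI numbers in the posted config; the ACL numbers 102-104 and the WAN address used in the checks are constructed.

```python
import ipaddress

# Asker's logical addressing: vlanN = 10.10.N.0/24 (vlan1 is the hub that may reach all)
SUBNETS = {"vlan1": "10.10.1.0/24", "vlan2": "10.10.2.0/24",
           "vlan3": "10.10.3.0/24", "vlan4": "10.10.4.0/24"}

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' ('any' allowed)."""
    t, fields, i = line.split(), [], 4
    for _ in range(2):
        if t[i] == "any":
            fields.append(("0.0.0.0", "255.255.255.255")); i += 1
        else:
            fields.append((t[i], t[i + 1])); i += 2
    return t[2], fields[0], fields[1]

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in map(parse_ace, acl):
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

def inbound_acl(vlan, number):
    """Constructed ACL for a restricted SVI: deny sibling subnets, permit the rest (VLAN 1, WAN)."""
    src = ipaddress.ip_network(SUBNETS[vlan])
    lines = []
    for name, cidr in SUBNETS.items():
        if name not in (vlan, "vlan1"):
            d = ipaddress.ip_network(cidr)
            lines.append(f"access-list {number} deny ip {src.network_address} "
                         f"{src.hostmask} {d.network_address} {d.hostmask}")
    lines.append(f"access-list {number} permit ip any any")
    return lines

# One numbered ACL per restricted SVI (102-104), applied 'in' on that SVI, as the reply advises
ACLS = {v: inbound_acl(v, 100 + int(v[-1])) for v in ("vlan2", "vlan3", "vlan4")}

def ingress_vlan(src):
    ip = ipaddress.ip_address(src)
    return next((n for n, c in SUBNETS.items() if ip in ipaddress.ip_network(c)), None)

def routed(src, dst):
    """True if a LAN-sourced packet passes the inbound ACL of its ingress SVI."""
    vlan = ingress_vlan(src)
    return True if vlan not in ACLS else evaluate(ACLS[vlan], src, dst)
```

Printing `ACLS["vlan3"]` gives the three lines to paste under the matching `ip access-group 103 in`; VLAN 1 intentionally carries no ACL.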

td_miles

Are you connecting the 4 fast ethernet ports up to other switches that have the VLANs running on them? If so then you need to use some sort of trunking protocol (etherchannel, ISL, or 802.1q) to share the VLAN info with the switches. If so, then have a look at this config, for the path you will need to take:

http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a0080094b0a.shtml
http://www.cisco.com/en/US/products/hw/routers/ps272/products_configuration_guide_chapter09186a00800c796e.html

If you can connect each router port to a separate switch and only plug in devices on that network to that switch, then skip the whole VLAN thing and just use normal ACLs.
bslattery (ASKER)

Thank you td miles and epylko..

I am researching both posts to ensure I understand and have the hardware/configuration that is suggested.

Your patience is sincerely appreciated.

Respectfully,
bslattery
Dear Sirs,

Sorry for the delay in responding as I have been away for a business week.

I am unable to set IP addresses for the 4 ethernet ports.  The IOS responds with "cannot set ip address for L2 ports".  It does however allow me to set an ip address for the single WAN port.

I have ensured that I set the fa/x ports to switchmode but still cannot assign ip addresses.

Can you recommend my next step in this situation?

Sincerely,
bslattery
Try this command on each interface:

no switchport

also, do a "no switchport access vlan X" to get rid of all VLAN configuration on the ports.

Once the ports are not in L2 mode you should be able to configure the interfaces.

-Eric
Hello epylko,

Thanks again for your help...

Attempting a "no switchport" on each interface results in a "% Incomplete command"

However, the "no switchport access vlan x" was successful in removing vlan assignment to the corresponding interface.

But I still receive the "% IP addresses may not be configured on L2 links" message when I try to assign 10.10.1.1 255.255.255.0 to fa1.

Here is my current Config.  What am I doing wrong?

Current configuration : 1475 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname eng_tst_rtr
!
logging queue-limit 100
logging buffered 51200 warnings
!
ip subnet-zero
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!        
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface Async1
 no ip address
!
interface Vlan5
 ip address 10.10.4.1 255.255.255.0
!
interface Vlan4
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan3
 ip address 10.10.2.1 255.255.255.0
!
interface Vlan2
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan1
 ip address 172.16.0.190 255.255.0.0
!
ip classless
ip http server
ip http authentication local
ip http secure-server
!
!
no cdp run
!
!
line con 0
 exec-timeout 5 0
 password x xxxxxxxxxxxxxxxxxx
line 1
 flush-at-activation
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 password x xxxxxxxxxxxxxxxxxxx
 no login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password x xxxxxxxxxxxxxxxxxxxxx
 no login
 transport input telnet ssh
!
no scheduler allocate
!
end

Sincere Thanks,
bslattery


Sorry, I also removed the ip addresses from the vlans.  Didn't notice until I posted the config.

Sincerely,
bslattery
Is anybody still monitoring this question?  I still need assistance!

Should I repost to get new assistance?

How would I close this question in that case?

Sincerely,
bslattery
ASKER CERTIFIED SOLUTION
td_miles

Thanks td miles,  I had asked my vendor for a layer-3 product on all the ports, not just the WAN port.  And I could not find a definitive spec that stated the 4 Ethernet ports were layer 2.

Thanks again

Sincerely,
bslattery
Well, that product does do L3 on all ports, you just have to do it via VLANs. The 2nd URL listed by td_miles has a configuration for the whole thing. Something like this would work:

vlan dat
! vlan 1 is the default vlan
vlan 2 name Vlan2
vlan 3 name Vlan3
exit

config t

int fast 1
switchport access vlan 1
spanning-tree portfast
int fast 2
switchport access vlan 2
spanning-tree portfast
int fast 3
switchport access vlan 3
spanning-tree portfast
int vlan 1
ip add ...
no shut
int vlan 2
ip add ...
no shut
int vlan 3
ip add ...
no shut
^Z
wr mem

As long as you put the right hosts on the right vlans it should work fine

-Eric
Hi,

I think I jumped the gun, it would appear that it _should_ do Layer-3 routing. On the second of the two links I have above, it says:

========
The 4-port 10/100BASE-TX Ethernet switch is a Layer 2 Ethernet switch with Layer 3 routing capability, and supports a maximum of 16 VLANs. (Layer 3 routing is forwarded to the host, and is not actually performed at the switch.)
========

So epylko is probably correct. Should we go back to trying to work out why your config is not working ?
As it says in the above description, the switch module itself doesn't do the Layer-3 routing, but it forwards it to the host (the router). It may be that it just needs an IP on the FastEthernet0 (the router's ethernet) interface for it to be able to do the routing?

If you'd like to get the answer unaccepted & the question reopened, you can do so:
https://www.experts-exchange.com/help.jsp#hi17

Again, my apologies.