Solved

Help needed with Cisco 1721/WIC4ESW setting up a VLAN

Posted on 2004-09-15
Last Modified: 2008-01-09
Hi,

I have a Cisco 1721 router and the 4-port 4ESW WIC in the back.

I have 4 servers that will form a test network.

What I want to do is connect the 4 test servers (one in each port of the 4ESW) and have them as a VLAN - demarcated from my production LAN.

Then I just need to be able to route between the VLAN and LAN.

The router's ethernet port will be plugged into the LAN.

Can anyone help me with the config?
Question by:yvsupport
 
LVL 2

Expert Comment

by:jasperomalley
Good news, this is the default configuration. That is, all of the switchports are in the default VLAN (VLAN 1), and traffic is not automatically bridged between the switchports and the integrated Fast Ethernet port on the router (FastEthernet0). All you have to do is define an IP address for the default VLAN's switch virtual interface (SVI), using the configuration mode commands:

interface vlan 1
   ip address ip_address netmask

where ip_address/netmask is in a different IP network than the one connected to FastEthernet0.  Unless you tell it not to, the router will route traffic between FastEthernet0 and VLAN1, so just make the default gateway on the servers the ip_address above.


0
 
LVL 8

Expert Comment

by:holger12345
Question: Why do you want to create a virtual LAN? If all 4 ports on the WIC are to be in this "VLAN", you could leave them as is...
Just give them a different network IP than the internal LAN port has and set up routing between them the normal way.

Did you set up something and have problems with it, or don't you know how to configure Cisco?

Holger
0
 

Author Comment

by:yvsupport
holger12345

I want them in a VLAN so I can choose not to forward UDP. There will probably be a lot of traffic generated on the test network and I don't want to affect the performance of the production LAN.
0
 

Author Comment

by:yvsupport
jasperomalley

I have added this.

Do I need any ip route commands to tell it to route between the two?

Also, can anyone tell me what this command does?

no aaa new-model
0
 
LVL 2

Expert Comment

by:jasperomalley
No, you don't need any ip route command to tell it to route between the two connected networks, but if you have any other networks you want the servers on the VLAN to be able to access beyond the router, you will need to add those routes to the router.

no aaa new-model shuts off authentication, authorization, and accounting (AAA). This is the default setting for a router (AAA off). For more mind-numbing detail about what AAA is and what it's used for, see:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfaaa.htm
0
 

Author Comment

by:yvsupport
Here's my config so far then...

Can anyone see anything wrongly configured or missing?



Current configuration : 796 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TestNWRouter
!
enable secret 5 $1$4sA/$sPILAwYaI/6tAYts0SRTg1
enable password ******
!
no aaa new-model
ip subnet-zero
no ip routing
!
!
!
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0
 ip address 172.16.2.252 255.255.0.0
 no ip route-cache
 speed auto
 full-duplex
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface Vlan1
 ip address 10.220.12.254 255.255.0.0
 no ip route-cache
!
ip classless
!
ip http server
!
!
line con 0
line aux 0
line vty 0 4
 password *****
 login
!
no scheduler allocate
!
end
0
 
LVL 2

Expert Comment

by:jasperomalley
Yes. This command:

   no ip routing

is what's wrong. Enter:

   ip routing

in configuration mode.
0
 

Author Comment

by:yvsupport
Thought so.

Does this stop IP routing by any chance?
0
 
LVL 2

Expert Comment

by:jasperomalley
Yes, "no ip routing" stops IP routing.
0
 

Author Comment

by:yvsupport
I can now ping the VLAN address 10.220.12.254.

I can't ping the PC on the other side. IP details:

address 10.220.4.1
netmask 255.255.0.0
gateway 10.220.12.254


Any ideas?



0
 
LVL 2

Expert Comment

by:jasperomalley
Can you ping 10.220.12.254 from this PC?
0
 

Author Comment

by:yvsupport
Sorted - PC had a bad NIC.

Finally - how can I block UDP, and are there any other config tips anyone may have that will contain as much traffic to the VLAN as possible?
0
 
LVL 2

Accepted Solution

by:
jasperomalley earned 500 total points
Is there any reason you want to block UDP, specifically? Broadcasts will already be contained to the VLAN, so you don't have to worry about them bleeding onto your production LAN. If you really, really want to block all UDP traffic from the VLAN to the LAN, do:

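! Numbered extended ACL: deny UDP sourced from the test VLAN (10.220.0.0/16)
access-list 101 deny udp 10.220.0.0 0.0.255.255 any
! Permit everything else; without this line the implicit deny drops all traffic
access-list 101 permit ip any any
! Filter traffic as it leaves the router towards the production LAN
interface fastethernet0
   ip access-group 101 out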

If you want to block more traffic from passing between the LANs, you'll need to define with specificity what sort of traffic you want blocked and what sort of traffic you want to allow.
0
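Added example, not part of the original thread or of any poster's reply: a small Python model of how the two entries of ACL 101 above are evaluated (wildcard-mask matching, first match wins, implicit deny at the end). The function names and the sample packets are constructed for illustration; the destination is "any" in both entries, so it is not modelled.

```python
import ipaddress

# ACL 101 from the accepted answer as (action, protocol, source, wildcard).
ACL_101 = [
    ("deny", "udp", "10.220.0.0", "0.0.255.255"),
    ("permit", "ip", "0.0.0.0", "255.255.255.255"),  # "any"
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, proto, src):
    """Return the action of the first matching entry.

    If no entry matches, the implicit deny at the end of every ACL applies.
    """
    for action, acl_proto, base, wildcard in acl:
        if acl_proto in ("ip", proto) and wildcard_match(src, base, wildcard):
            return action
    return "deny"


# Constructed sample packets routed out of FastEthernet0, where the
# ACL is applied with "ip access-group 101 out".
SAMPLES = [
    ("udp", "10.220.4.1"),   # test server sending UDP to the LAN
    ("tcp", "10.220.4.1"),   # same server, TCP
    ("icmp", "10.220.4.1"),  # same server, ping
    ("udp", "10.221.0.5"),   # UDP from outside 10.220.0.0/16
]


def run_samples(acl=ACL_101):
    return [(proto, src, evaluate(acl, proto, src)) for proto, src in SAMPLES]


if __name__ == "__main__":
    for proto, src, verdict in run_samples():
        print(f"{proto:4} from {src:12} -> {verdict}")
    # With only the deny entry, everything else falls to the implicit deny.
    print("tcp without the permit line ->",
          evaluate(ACL_101[:1], "tcp", "10.220.4.1"))
```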
 

Author Comment

by:yvsupport
Yeah - I see your point. It's the broadcasts I need to contain.

If any test apps require UDP it would give me a new set of issues.

I am happy with this.

I shall award you 500 shiny new points to add to your collection!

Thanks.
0
