Basic Cisco 1800 Routing

you will need to use static route statements with an inverse mask to accomplish this. The tricky part is splitting your class C subnet in between two links. You are not going to be able to split the subnet at .200 but you can split it either at .192. or 224. I will use .192 in my example

ip route 10.0.2.0 0.0.0.63 intf0/1 <--routes all traffic with an ip above 10.0.2.192 to intf0/1
ip route 0.0.0.0 0.0.0.0 intf0/0 <--default route that sends all other traffic to intf0/0

I get Inconsistent address and mask when I enter

ip route 10.0.2.0 0.0.0.63

????

Also how do I setup the access list/s to overload each interface?

Ben

ip route 10.0.2.0 0.0.0.63 fastethernet1 Sorry

use the mask 255.255.255.64

by the way, you can only cut your 254 addresses (from .1 to .254) in 2, or in 4 or in 8 etc...

To make 2 subnets, the mask is : 255.255.255.128
4 subnets : 255.255.255.64
8 subnets : 255.255.255.32

Same error with .64

Sorry about that i was thinking cisco static routes accepted inverse mask. Dorianm is right use 255.255.255.64.

Sorry, I got mixed up. The masks are :
1 subnet ( 254 addresses ) : 255.255.255.0
2 subnets ( 2 * 126 addresses ) :  255.255.255.128
4 subnets ( 4 * 62 addresses ) : 255.255.255.192
8 subnets ( 8 * 30 addresses ) : 255.255.255.224

Well i only need to cut it into two, the first half will be DHCP and will run over fe0 and ther other IP's will be set statically on the PC's and run over fe1.

What are the commands I need to use to implement this then? Will the local PC's all still run on a 255.255.255.0 subnet?


Ben

Well, do you want the PC using the DHCP to be in the same local network as those with static IP's ?

If not, then use the mask 255.255.255.128 on every PC.

If you do, then don't cut the network in 2, but add some rules so that the outgoing traffic that comes from IP .1->.127 is routed to one ethernet interface, and the outgoing traffic that comes from .129 -> .254 goes through interface 2

I want them all to be on the same local network.

How do I configure the rules and routes for this?

Do I still need to do the 10.0.2.0 255.255.255.128 fe0

and

0.0.0.0 0.0.0.0 fe1

????

Ben

?

To overload your interfaces you will need to set up nat

int f0/2 <--lan interface
 ip nat inside

int f0/0 <--internet interface 1
 ip nat outside

int f0/1

I think we need to start again at the start. The first question needs to be why do you want to split a subnet that you want to stay on the same network with a router?

It can be done, but I need to question your reasons first.

Sorry guys I have been away for the weekend.

I will try that1guy15 last post in a minute.

Basically I have an office network including file server etc and some video encoders/decoders. I need them all to be on the same internal network (10.0.2.1-255) but the office PC's + file server need to use FE0 for internet access and the encoders/decoders need to use FE1 for internet access.

The office PC's can pick up their IP's via DHCP, so my idea was to DHCP half the available address to them, and set the encoders/decoders with static addresses on the 2nd half of the range.

So basically....

The 1st half of the address range needs to go out through FE0 and then the second half needs to go out through FE1.

If I use the command

ip route 10.0.2.0 255.255.255.192 intfe1

it crashes the router!

Also Routes never seem to work with the interface, i have to use the next hop address (the interfaces gateway)

Any ideas..........

Anyone...............?????????

Your routes could either be configured with next hop address or interface.

I know several of us have mentioned it before but the best way to set your network up would be to separate the network into two subnets. servers on one and encoders/decoders on another. This could be accomplished with vlans and then you could allow traffic to flow between the two vlans at the router if your switch is not layer 3. This will greatly simplify the routing of internet traffic for you and it will also help minimize traffic on each vlan while still allowing all communication to flow between the servers and encoders/decoders.

If you wanted you could take your already existing subnet (10.0.2.0/24) and break it into two subnets which would be :

10.0.2.0/128 = 10.0.2.1 - 10.0.2.126
10.0.2.1/128 = 10.0.2.129 - 10.0.2.254

if you need larger subnets then you could just simply use
10.0.2.0/24
10.0.3.0/24

Just my thoughts

Well that1guy15 your previous suggestion kinda works! if you run a ping then change the ip address it goes over the 2nd FE port but then when you try and use it for internet, email etc it does not work stably.

How would I go about configuring the Cisco from scratch with

10.0.2.0/24
10.0.3.0/24

Allowing communication between the two at the same time?

Sorry, I am a novice at this!

Ben

Actually -

10.0.2.0/128 = 10.0.2.1 - 10.0.2.126
10.0.2.1/128 = 10.0.2.129 - 10.0.2.254

might be better!

How do I go about this?

What is the make and model of the switch you have? is it manageable?

It's a Cisco 1811 Router

Right, but what switch do you have that connects your servers to your router?

Oh ok, well there is the 8Port switch in the router which will then be plugged into a £30 3com, so nothing special! Everything need to be done on this Cisco alone really.

Ben

The switch interfaces on the router can be configured into seperate vlans. So to help you out on this please explain your setup a little more. Do all devices connect directly to the router or do some connect to the router and some to the 3com you mentioned? Please explain this a little further.

Thanks

The idea was to connect the 3com to the router and plug all the PC's/Server/Encoders directly into the 3Com. But if I really needed to I could use Port 1 on the switch for the 3COM and the other 7 ports for the encoders etc if that would help?

Unless the 3com can have multiple vlans you can not run everything through it. Do you know if the 3com is manageable? If it is not then you will either need to get another switch or run one vlan through the 3com and connect everything else to the switch ports on the router (if you have enough ports)

No its not manageable.

I will have enough ports if I use port one for the 3COM (Plugging all the office/server in) the use ports 2-8 for encoders/decoders!

How would I set this up?

What devices do you want on the 10.0.2.1 subnet and what decices on the .2.128 subnet?

I want all the office PC's/File server on the 10.0.2.1 subnet and just the encoders/decoders on the 2.128 subnet.

Im assuming int f0/0 and 0/1 are your router ports and 0/2 - 0/9 are your switch ports. If not you will need to change this up some.

int f0/0
 ip nat outside

int f0/1
 ip nat outside

int vlan1
 ip address 10.0.2.1 255.255.255.128   <--configures vlan1 for your servers/workstations
 ip nat inside
 no shut

int vlan2
 ip address 10.0.2.129 255.255.255.128   <--configures vlan1 for your encoders/decoders
 ip nat inside
 no shut

int f0/2        <--removes nat on the interface (this will be handled by the vlan now)
 no ip nat inside

int range f0/3 - f0/9
 switchport access vlan 2           <--assigns ports f0/3 - f0/9 to vlan2
 no shut
 

int f0/2
 switchport access vlan 1       <---assigns port f0/2 to vlan1 (this is the port to plug your 3com to)
 no shut


no access-list 1 permit 10.0.2.0 0.0.0.63 <--removing the access list we created before
no access-list 2 deny 10.0.2.0 0.0.0.63
no access-list 2 permit 10.0.2.0 0.0.0.255

no ip route 10.0.2.0 255.255.255.192 intf0/1 <-- removing the route statement from before
no ip route 0.0.0.0 0.0.0.0 int f0/0


access-list 1 permit 10.0.2.0 0.0.0.128    <-- access lists for nat
access-list 2 permit 10.0.2.128 0.0.0.128

ip nat inside source list 1 interface f0/0 overload <--everything with address below 192 will go to f0/0
ip nat inside source list 2 interface f0/1 overload <--everything with address above 192 will go to f0/1

ip route 10.0.2.0 255.255.255.128 intf0/0 <--new route statements
ip route 10.0.2.128 255.255.255.128 int f0/1


That should be it. VLAN routing should be on by default but i would test to make sure you can route between vlans. Also since this is a lower end model of router, if you have a large amount of traffic going between the two vlans you might see a large amount of CPU utilization on your router. THis could cause slow connections between the two vlans.

You will need to set up all your servers and workstations with the ip's 10.0.2.2 - 10.0.2.126 with a mask of 255.255.255.128. If they are all DHCP then you can simply change the scope on your DHCP server and have them renew their IP. If static then you will need to change manually.

All incoders/decoders (on the second vlan) will need to have their mask change to 255.255.255.128 as well. Also make sure their IPs fall in the range of 10.0.2.130 - 10.0.2.254.

I am going to send the router back to default settings and start again from scratch.

I will be back once this is done (about 30mins)

Thanks for all your help so far!

Ben

It has a problem with this -

access-list 2 permit 10.0.2.128 0.0.0.128

it adds it as

access-list 2 permit 10.0.2.0 0.0.0.128

Basically the same as access-list 1

Also when I do

int range f0/3 - f0/9
 switchport access vlan 2          
 no shut

It does not understand the int range, but that is not important as I can configure fe3 then plug another unmanaged switch into it cant it?

It also says vlan2 should be added to the vlan database when I enter switchport access vlan2.

Hope this makes sence?

Ben

Any ideas on this?

Sorry this is taking a bit more effort that I thought it would!

change access-list 2 permit 10.0.2.0 0.0.0.128 to access-list 2 permit 0.0.0.0 0.0.0.0. This will work the same.

if the range command is not supported you will need to run those command on each interface one at a tiime. Make sure with the range command that there is a space before and after the "-".

Make sure to run

int vlan2
 ip address 10.0.2.129 255.255.255.128   <--configures vlan1 for your encoders/decoders
 ip nat inside
 no shut

before

int range f0/3 - f0/9
 switchport access vlan 2           <--assigns ports f0/3 - f0/9 to vlan2
 no shut

I take it you need them to be on separate interface for policy-routing reasons, otherwise I can't think of a good reason still to do this. Here's a simpler suggestion that should solve your problem. On your router:

bridge irb
bridge 1 protocol ieee
interface FE0
 bridge-group 1
interface FE1
 bridge-group 1


that effectvely turns these two ports into a switch. You can then configure the layer 3 interface, if need like so:

interface bvi 1
 ip address 10.0.2.1
bridge 1 route ip


You can then apply your policy routing (or whatever else) as needed.

that1guy15 what will the gateway for the PC's etc be? Will it still be 10.0.2.1 regardless of the subnet split? Where do I need to configure the gateway address for the router?

fileinster I do not really understand your idea. Please could you explain in a little more detail?

Thanks guys!

Ben

No each computer will use the vlan address configured on the router for that devices vlan. So your encoders/decoders will use 10.0.2.129 and your servers/workstations will use 10.0.2.1

You will not need to configure a gateway for the router since you have two paths out. Technically since you have a route statement that points everything out one specific interface (ip route 0.0.0.0 0.0.0.0 f0/1) that will be your route of last resort if all other routes do not apply.

Ok I will try that now.

I have been playing around with this config -

conf term

interface fastethernet0
ip address *.*.157.113 255.255.255.248
ip nat outside
no shutdown
exit

interface fastethernet1
ip address *.*.248.5 255.255.255.248
ip nat outside
no shutdown
exit

interface vlan1
ip nat inside
exit

access-list 1 deny   10.0.2.0 0.0.0.63
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 2 permit 10.0.2.0 0.0.0.63

ip nat inside source list 1 interface fastethernet0 overload
ip nat inside source list 2 interface fastethernet1 overload

ip route 0.0.0.0 0.0.0.0 *.*.157.118
ip route 0.0.0.0 0.0.0.0 *.*.248.1

It is really frustrating because on a ping, the system works perfectly, it is just very temperamental when you try to do anything else, unless you remove the route you are not using (depending what side of the private addressing you are on)

I will have a go at the last config again now, it looks something like this -

conf term

interface fastethernet0
ip address *.*.157.113 255.255.255.248
ip nat outside
no shutdown
exit

inferface fastethernet1
ip address *.*.248.5 255.255.255.248
ip nat outside
no shutdown
exit

interface vlan1
ip address 10.0.2.1 255.255.255.128
ip nat inside
no shutdown
exit

interface vlan2
ip address 10.0.2.129 255.255.255.128
ip nat inside
no shutdown
exit

interface fastethernet2
switchport access vlan 1
no shutdown
exit

interface fastethernet3
switchport access vlan 2
no shutdown
exit
 

access-list 1 permit 10.0.2.0 0.0.0.128    
access-list 2 permit 0.0.0.0 0.0.0.0

ip nat inside source list 1 interface fastethernet0 overload
ip nat inside source list 2 interface fastethernet1 overload

ip route 10.0.2.0 255.255.255.128 *.*.157.118
ip route 10.0.2.128 255.255.255.128 *.*.248.1

The new idea just refuses to work, I can't even got out from inside the router.

The old idea is teh closest it just seems to be the 2 routes in there together that cause the problem!

Any ideas?

Ben

Try this:

ip route 10.0.2.0 255.255.255.128 *.*.157.118 <-- all traffic from 10.0.2.0/128 goes to .157.118
ip route 0.0.0.0 0.0.0.0.128 *.*.248.1 <---all other traffic goes to .248

I tried putting that in and it crashed the router and locked me out (even on pings to 10.0.2.1)

Will you post your current show run please.

You can't have asterisks in a route; you are removing them and filling in the blanks, aren't you?


My idea meant the two router ports could be on the same subnet and you didn't have to split them into 2 separate subnets. If your design allows you to split them, do that as it's a far better design. IRB should only be used as a last resort.

What IRB does is instead of the router's ports being layer 3 it makes them layer2 and they act like a switch. Does that make sense?

Yea i am filling in the * with the relevant IP information.

The current running config is -

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *******
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.2.101 10.0.2.254
ip dhcp excluded-address 10.0.2.1
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.2.0 255.255.255.0
   dns-server 213.120.62.97 80.255.35.180
   default-router 10.0.2.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name informationtv.tv
ip name-server 213.120.62.97
ip name-server 80.255.35.180
ip ssh time-out 60
ip ssh authentication-retries 2

!
interface FastEthernet0
 ip address *.*.157.113 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address *.*.248.5 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 *.*.248.1
ip route 0.0.0.0 0.0.0.0 *.*.157.118
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 deny   10.0.2.0 0.0.0.63
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 2 permit 10.0.2.0 0.0.0.63
no cdp run
!
!
!
!
!
!
control-plane
!
banner exec ^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Any ideas guys?

if there is any way of me giving you guys more points for a solution on this I will!

Thanks for everything so far!

Ben

One thing I have just tried is putting a

ip route 0.0.0.0 0.0.0.0 *.*.157.118 2

for all normal traffic, then put in specific routes for the second line, for example

ip route 66.28.242.204 255.255.255.255 *.*.248.1

It seems to work stably, but it's not ideal! Does anyone have any other suggestions on this?

Ben

Yea that makes sence! Well I have created ACL's and applied static routes and it seems to work fine. The specific routes will never be used by the local network anyway so they will always use the default route.

I am going to start a new question on NATing the public IP address to an internal IP, so if you know anything about that please have a look!

Thanks for all your help!

Ben