Solved

Cannot Route between 2 Vlans on CIsco 1801 Integrated Services Router

Posted on 2009-04-21
Last Modified: 2012-05-06
Hi,

I have a problem which is driving me crazy. I am just starting out with Cisco equipment, and up until today, I have been doing quite well. My setup is as follows:

ATM0.1 (Dialer1): Broadband is set up on this
Fast Ethernet 1: VLAN 1 is set up on this, and set to trunk mode
Fast Ethernet 2: VLAN 2 is set up on this, and set to trunk mode

VLAN 1: 192.168.5.0 - 192.168.5.255 (255.255.255.0)
VLAN 2: 192.168.10.0 - 192.168.10.255 (255.255.255.0)

An Ethernet cable runs from Fast Ethernet ports 1 and 2 into the switch (which is a dumb (unmanaged) Gigabit Netgear switch)

So what I am trying to achieve is to have the internal network on VLAN1, which everything is set up for at the moment, and have guest WiFi users on VLAN2. Currently I have a Belkin Wireless Access Point set up with an IP address on VLAN2, which runs back to Fast Ethernet 2 on the router.

What I want to be able to achieve is for all the DHCP broadcasts forwarded by the Wireless Access Point to be picked up by the Cisco router on FE2 and passed across to FE1, where the DHCP server has a scope set up for this subnet, and assigned an IP address from the correct subnet. I was trying to use the ip helper-address command, however I just get an error message: % Invalid input detected at '^' marker.

From any computer on VLAN1, I can ping the interface of VLAN2. However, every client on VLAN2 is unable to even ping the interface of VLAN2; therefore from VLAN1 I am unable to ping any further than the interface of VLAN2, and from VLAN2 I am unable to ping anything at all!

I did wonder if this was anything to do with NAT being set up for VLAN1, enabling the users to be able to get out onto the web. The reason I think this is because before installing the router (it was in the lab with no internet connection and therefore no NAT) everything was great, and I had no such problems. The 2 VLANs could ping between each other and access resources on either network. It only seems to be due to the introduction of NAT for users to access the internet that this has happened. NAT is also set up for use on VLAN2, however with the users unable to even ping the interface of VLAN2, they cannot get out to the web either.

It may also be worth noting that I have set up most of this via the SDM as opposed to the command line, however I do have access to the command line via telnet. I have been slowly learning how to use this as I go along. I fully intend to learn this, however at the moment, I just need to be operational!

I have tried contacting Cisco, however they are not interested and state that my router which I bought 1 month ago has been out of warranty for 3 years. I am chasing the supplier on this at the moment.

Any comments or advice would be much appreciated.

Thanks.
Question by:sparky2156
11 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24193334
Can we see a "show run" from the router?
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24193505
>Fast Ethernet 1: VLAN 1 is setup on this, and set to trunk mode
>Fast Ethernet 2: VLAN 2 is setup on this, and set to trunk mode
>
>An ethernet cable runs from Fast Ethernet ports 1 and 2 into the switch (which is a dumb (unmanaged) Gigabit Netgear Switch)

You can't trunk to a device that doesn't support trunking.  The reason your VLAN1 devices seem to work is most likely because the native VLAN of the trunk is VLAN1 (native VLAN traffic is untagged and sent as plain ethernet frames).

 
LVL 3

Author Comment

by:sparky2156
ID: 24193742
donjohnston,

Thanks for the quick reply. In the lab before install, I had an unmanaged switch, and this was working.

If this is the case about the switch not supporting trunking, what would be the solution/workaround?

JFrederick29:


Building configuration...

Current configuration : 5591 bytes
!
! Last configuration change at 13:57:33 PCTime Tue Apr 21 2009 by administrator
! NVRAM config last updated at 10:37:37 PCTime Tue Apr 21 2009 by cisco
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$sn1Z$GTOKdTRFmr5LeJN9oIntJ.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
ip domain name yourdomain.com
ip name-server 208.67.222.222
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-85242809
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-85242809
 revocation-check none
 rsakeypair TP-self-signed-85242809
!
!
crypto pki certificate chain TP-self-signed-85242809
 certificate self-signed 01
  quit
username administrator privilege 15 secret 5 $1$I8gR$Xvt1ZJb0HF3QesPmr4FRH1
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
 switchport mode trunk
!
interface FastEthernet2
 switchport trunk native vlan 2
 switchport mode trunk
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.2 point-to-point
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.5.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address xx.xxx.xxx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxx
 ppp chap password 7 13151601181B0B382F75
 ppp pap sent-username xxxxxxxxx password 7 0216054818110033481F
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source static tcp 192.168.5.130 443 interface Dialer0 443
ip nat inside source static tcp 192.168.5.130 25 interface Dialer0 25
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


I have x'd out all of the WAN IP configuration details for security (as I am sure you can understand).

Thanks.

 
LVL 43

Accepted Solution

by:JFrederick29 (earned 2000 total points)
ID: 24193865
If your VLAN1 switch is plugged into FastEthernet1 and your VLAN2 AP is plugged into FastEthernet2, change the ports to access ports.

interface FastEthernet1
switchport mode access
!
interface FastEthernet2
switchport mode access
switchport access vlan 2
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24193882
You also need to apply the "ip helper-address x.x.x.x" command to the VLAN2 interface (not the FastEthernet2 interface).
 
LVL 3

Author Comment

by:sparky2156
ID: 24194376
I have made those changes as you have stated, both via the SDM and through telnet, however the running config does not seem to be updated when I press control-z to save my changes.

The SDM shows the changes having taken effect, however if I select show running configuration from the menu, it shows me the following:

interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
 switchport trunk native vlan 2

which is a combination of what I had before and what I have entered.

Also, I have entered the ip helper-address command on the vlan2 interface and this has saved to the running config.

Thanks.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24194421
The changes took. You can remove this command if desired, but it doesn't impact anything:

int fastethernet2
no switchport trunk native vlan 2

So, the switch is plugged into the F1 interface and the AP is plugged into the F2 interface, right?  Is it working now?
 
LVL 3

Author Comment

by:sparky2156
ID: 24194504
Yes, that is correct. I am just going onsite now to see if this has resolved the issue. I will update shortly. Please stand by.
 
LVL 3

Author Comment

by:sparky2156
ID: 24197334
JFrederick29,

This configuration was perfect - setting the FE ports to access mode as opposed to trunking mode resolved the issue, and of course applying the ip helper-address to the vlan2 interface as opposed to FE2 allowed the DHCP broadcasts to be passed over to the correct DHCP server, and since the routing between the VLANs was then up and running, everything kicked into life!

I can't thank you enough for your help, and hope that you don't mind providing an explanation of why the FE ports were to be set up in access mode as opposed to trunking mode? All the research I had done into inter-VLAN routing had stated that trunking mode was the way to do it.

I will also need to do some more research into configuring the firewall between the VLANs, i.e. vlan1 and vlan2. All I want to be able to pass between these two VLANs is strictly BOOTP traffic (UDP ports 67 and 68?). It seems however that if I enable the firewall on the VLANs, then it by default adds a whole load of permitted and denied ACEs. Really, I would like to configure all of these manually, and have more control over this. I know this is out of the scope of this question, but do you have any advice regarding this?

I will award the full points to yourself for the resolution of this issue. Thank you, and I apologise for asking what I am sure was a very simple and perhaps frustrating question to a well qualified Cisco engineer!
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24197408
>why the FE ports were to be set up in access mode as opposed to trunking mode?
You would only trunk if you were carrying multiple VLANs over one physical link.  So if you had a trunk-capable switch connected to FastEthernet1, you could trunk with the router and send both VLAN1 and VLAN2 traffic over one physical link.  In your case, since only two VLANs are in use, using the two physical router interfaces (one for each VLAN) accomplishes the same thing, but physically rather than logically.  You will want to look into a trunking-capable switch if you want to add other VLANs in the future, which will allow you to expand beyond the two you have now.

As far as controlling traffic between VLANs goes: if all you want to allow is DHCP traffic, I would use a simple access-list to restrict the traffic.

Glad to help!
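Putting the accepted answer (access ports on FE1/FE2, ip helper-address on Vlan2) together with the DHCP-only access-list suggested in the last reply, as an added example that is not the thread's own configuration. The internal DHCP server address 192.168.5.10 and the ACL name GUEST_IN are assumptions; the subnets and interface names are the ones from the posted show run.

```cisco
! Added example, not config from this thread. Assumes the internal DHCP
! server is 192.168.5.10 (placeholder) and Vlan2 stays 192.168.10.1/24.
!
! Access ports: one VLAN per physical port, frames leave untagged, so the
! unmanaged switch and the AP never have to understand 802.1Q tags.
interface FastEthernet1
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet2
 switchport mode access
 switchport access vlan 2
!
! What guest (VLAN2) hosts may send into the router. Applied inbound on
! Vlan2, so it filters client-originated traffic only; the DHCP replies the
! router relays back out of Vlan2 are not checked against this list.
ip access-list extended GUEST_IN
 remark DHCP DISCOVER/REQUEST from clients (broadcast, or unicast renewals to the relay)
 permit udp any eq bootpc any eq bootps
 remark nothing else from the guest subnet into the internal LAN
 deny   ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
 remark everything else (Internet via NAT on Dialer0) is still allowed;
 remark the implicit deny at the end drops anything not matched above
 permit ip 192.168.10.0 0.0.0.255 any
!
! The relay lives on the SVI, not the physical port: broadcasts received
! here are forwarded as unicast to the helper with giaddr 192.168.10.1,
! which is what lets the server pick the 192.168.10.0/24 scope.
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.5.10
 ip access-group GUEST_IN in
```

After a guest client boots, `show ip access-lists GUEST_IN` shows per-entry hit counts, so the bootps line should increment as leases are handed out while the deny line absorbs any attempt to reach the internal LAN.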
 
LVL 3

Author Closing Comment

by:sparky2156
ID: 31572688
Very fast response, excellent examples and communication. Thanks