JAMason1182 (asker):

VLAN Setup using Cisco 1841 Router & layer 2 switches
OK, so I have an existing network that needs to be segregated. Due to cost and such, we are going to use VLANs rather than physically separating the networks. The main internal router is a Cisco 1841 router and the switches are Dell PowerConnect 2724 switches. Attached is a JPEG of what the topology looks like.

Keeping in mind that I don't have any VLAN tags at all set up yet, how do I get the VLAN routing, DHCP routing, etc. for a setup such as this?

The Cisco has two Fast Ethernet ports, one running with 10.20.21.0/24 and the other at 10.20.20.0/24, as well as a serial for the incoming internet. The desktops are all on 10.20.20.0 and the servers are also on 10.20.20.0. We are about to add the DMZ servers as we are no longer outsourcing, so they will probably be on 10.20.21.0. We want to keep the DMZ locked down, but still have access to it from VLAN 1 (desktops) on 10.20.20.0. And we want the servers on 10.20.20.0 to exist on VLAN 10 for broadcast domain reasons, and to allow the DHCP server to also move over to VLAN 10 from the nonexistent VLAN it is at now.

And just to make sure it is clear:

Existing network subnets:
         FastEthernet 0/0 - 10.20.20.0 (ALL SYSTEMS)
         FastEthernet 0/1 - 10.20.21.0 (NOTHING YET)

Desired subnets and VLAN config:
         FastEthernet 0/0 - 10.20.20.0
                 VLAN 1 - All internal desktops
                 VLAN 20 - All internal servers - No access from outside or VLAN 21, but some access from VLAN 1
         FastEthernet 0/1 - 10.20.21.0
                 VLAN 21 - DMZ

Let's see, what other info can I include to make a complete question... Oh yeah, our DHCP is a Windows Server 2003, and the bridge between two of our buildings is only about 90% reliable. So perhaps I'll need to get a second router for cross-VLAN communication on the other side of the bridge.

Any help with the setup of the Cisco router would be great! I am interested in how to add the VLANs into the interfaces, as well as the VLAN routing (I'm assuming I'll use ip helper-address for allowing the DHCP requests to go through to VLAN 10, where it will reside). Thanks a million!
Desired-setup.jpg


that1guy15:

My suggestion would be to create a trunk port from the Dell switch to the 1841. You will then need to configure a FastEthernet interface with sub-interfaces (one for each VLAN). You only need one connection from the switches to the router.
Then assign the ports on the Dell switches to the VLANs you want.
This setup is called a "router on a stick".
Here are the commands needed for the 1841:

interface fastethernet 0/0.1
 encapsulation dot1q 1 native

interface fastethernet 0/0.21
 ! 21 is the VLAN number
 encapsulation dot1q 21
 ! this address will be the default gateway for your devices on VLAN 21
 ip address 10.20.21.1 255.255.255.0

interface fastethernet 0/0.20
 encapsulation dot1q 20
 ip address 10.20.20.1 255.255.255.0



JAMason1182 (asker):

Sounds easy enough, so let me ask some questions.

Say I move the systems (that should already be on the DMZ.... ahem...) to the DMZ and put them on 10.20.21.0 and configure each port they connect to to VLAN 21.

Then I just configure the VLANs for the internal servers to VLAN 20.

Is there anything I need to do for routing to restrict and/or allow the traffic to flow from VLAN 1 to VLAN 20 and back? And what about VLAN 21 routing?

that1guy15:

"Say I move the systems (that should already be on the DMZ.... ahem...) to the DMZ and put them on 10.20.21.0 and configure each port they connect to to VLAN 21.

Then I just configure the VLANs for the internal servers to VLAN 20."
Yep, that would be my suggestion.
 
To block traffic between the VLANs you can set up an ACL on the sub-interfaces to block and allow traffic.
Here is an example that blocks only VLAN 21 traffic from entering VLAN 20. All other traffic is permitted:

ip access-list extended DENY_VLAN21
 deny ip 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255
 ! an extended ACE needs a protocol keyword; "permit any any" alone is rejected by IOS
 permit ip any any

! applied outbound on the VLAN 20 sub-interface, i.e. on traffic leaving the router toward VLAN 20
int f0/0.20
 ip access-group DENY_VLAN21 out





JAMason1182 (asker):

So let's make sure I understand correctly. To go from what I have to what I need, I would do the following:


(on the router)
conf term
 int fa 0/0
  no ip address
  exit
 int fa 0/0.1
  encapsulation dot1q 1 native
  exit
 int fa 0/0.20
  encapsulation dot1q 20
  ip address 10.20.20.1 255.255.255.0
  exit

 int fa 0/1
  no ip address
  exit
 int fa 0/1.1
  encapsulation dot1q 1 native
  exit
 int fa 0/1.21
  encapsulation dot1q 21
  ip address 10.20.21.1 255.255.255.0
  exit
 exit


And since I already have an ACL for incoming to FastEthernet 0/0 and 0/1, just add my restrictions from the 10.20.21.0 subnet to the 10.20.20.0 subnet like this:

access-list 102 permit tcp 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255 established
access-list 102 deny ip 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255
! a numbered extended ACE also needs the protocol keyword
access-list 102 permit ip any any


Is that basically what subinterface config I need? The trouble I'm having is trying to use one physical interface with one subnet and VLAN set and the other physical interface with another VLAN set.
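As an added illustration (not part of this thread), here is a small Python model of how IOS evaluates the two extended ACLs above: first matching entry wins, every list ends in an implicit deny, and `established` only checks the TCP ACK/RST flags rather than tracking connection state. The packet addresses below are constructed test values, not hosts from the question.

```python
"""Model IOS extended-ACL evaluation for the DENY_VLAN21 and ACL 102 examples."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack_or_rst: bool = False   # TCP ACK or RST flag set; "established" matches on this alone


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def parse_ace(line: str):
    """Parse one entry like 'deny ip 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255'."""
    toks = line.split()
    action, proto, toks = toks[0], toks[1], toks[2:]

    def take_addr():
        nonlocal toks
        if toks[0] == "any":               # 'any' is shorthand for 0.0.0.0 255.255.255.255
            toks = toks[1:]
            return ("0.0.0.0", "255.255.255.255")
        net, wc, toks = toks[0], toks[1], toks[2:]
        return (net, wc)

    src, dst = take_addr(), take_addr()
    return action, proto, src, dst, "established" in toks


def acl_decision(acl: list, pkt: Packet) -> str:
    """First match wins; falling off the end hits the implicit deny."""
    for line in acl:
        action, proto, (snet, swc), (dnet, dwc), established = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, snet, swc) and wildcard_match(pkt.dst, dnet, dwc)):
            continue
        if established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue                        # stateless: flags only, no session table
        return action
    return "deny"


# The answer's ACL, applied outbound on f0/0.20 (toward VLAN 20), and the asker's ACL 102.
DENY_VLAN21 = ["deny ip 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255", "permit ip any any"]
ACL_102 = ["permit tcp 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255 established",
           "deny ip 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255",
           "permit ip any any"]
```

Because `established` is a flag check, ACL 102 lets any DMZ-sourced TCP segment with ACK or RST set reach VLAN 20; a reflexive ACL or a stateful inspection feature is the usual way to get genuine return-traffic-only behaviour.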



that1guy15:

With your setup my suggestion is to only have one link between the router and your switches. If you have two links then you will need to configure bridge groups for the two trunk links.
I'm not a big fan of bridge groups so I try to steer clear of them if possible. Others might disagree though.
 
 

JAMason1182 (asker):

Ok then two questions...

1) I do have to move my ACLs to the sub-interfaces then to handle things and split up the ACLs for each VLAN?

2) What about the routes? And for this question I have to ask because I have a VPN set up on this router that gives a 192.168.3.0 address for connected VPN sessions. Is there anything else I need to do to allow/disallow AND ROUTE the traffic to get it to work?



JAMason1182 (asker):

And FYI you are definitely getting the points, I appreciate your time!

ASKER CERTIFIED SOLUTION
that1guy15:


that1guy15:

No problem