nkewney
asked on
Configuring VLANs on a Cisco 877 router
Dear Experts,
I'm relatively new to Cisco gear and have set up a router config below:
I've created two Vlans (Vlan1 and Vlan 2)
I'd like to keep them completely separate, i.e. Vlan 1 is only accessible to the switch plugged into FastEthernet0 and Vlan 2 is only accessible to the switch plugged into FastEthernet1.
However, I'd like users on 192.168.16.0/24 to be able to access 172.16.16.200 port 80 only.
If anybody could give me any advice on this config, I'd really appreciate it!
Thanks
Nick
CISCO877#sh run
Building configuration...
Current configuration : 5973 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3641892774
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3641892774
revocation-check none
rsakeypair TP-self-signed-3641892774
!
!
dot11 syslog
ip cef
!
!
ip domain name XXX
ip name-server XXX
!
!
!
username admin privilege 15 secret 5 xxx
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
description BT ADSL connection
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-DATA-NETWORK$
ip address 192.168.16.1 255.255.255.0
ip access-group 122 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan2
description $ETH-VOICE-NETWORK$
ip address 172.16.16.1 255.255.255.0
ip access-group 133 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXX@hg23.btclick.com
ppp chap password 0 XXXXXX
ppp pap sent-username XXX8@hg23.btclick.com password 0 XXXXXX
ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-top-talkers
top 5
sort-by bytes
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended NAT
permit ip 192.168.16.0 0.0.0.255 any
!
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 122 permit ip 192.168.16.0 0.0.0.255 any
access-list 133 permit ip 172.16.16.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
ASKER
That's great - thanks.
I don't have to assign the VLANs to particular FastEthernet ports in the config?
Thanks
Nick
anoopkmr your suggestion is incorrect:
access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255
If he enters those lines he will only be allowing port 80 through, and all other traffic, regardless of the destination, will be denied. Remember IOS has a default deny.
I think that is the requirement,
nkewney,
you can avoid the line
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255
Try my comments only; the other solutions didn't work.
Since he also has NAT rules, would you not assume that he wants the hosts on both VLAN's to be able to send traffic out through the dialer0 interface? ;)
ASKER
Thanks for your help both.
I'm a bit confused now.
I want the switch that's connected to VLAN1 (with hosts 192.168.16.0/24) to only be allowed through FastEthernet0
I want the switch that's connected to VLAN2 (with hosts 172.16.16.0/24) to only be allowed through FastEthernet1
I want the two networks to be completely separate, with the exception of port 80 between the two networks.
Vlan2 does not need access to the Internet
Vlan1 does!
Hope this clears things up.
Thanks again for your help!
Nick
ASKER
Actually, scratch that - VLAN2 *does* need access to the Internet (for updates etc)
Thanks
Nick
In that case, this is what you need to do:
interface fastethernet0
switchport mode access
switchport access vlan 1
interface fastethernet1
switchport mode access
switchport access vlan 2
access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip any any
arg, if you want VLAN 2 to have access to the internet as well, use these rules:
interface fastethernet0
switchport mode access
switchport access vlan 1
interface fastethernet1
switchport mode access
switchport access vlan 2
access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
hi nkewney,
Is your requirement "I'd like users on 192.168.16.0/24 to be able to access 172.16.16.200 port 80 only." still valid?
ASKER
Hi anoopkmr,
This is still valid, although I wouldn't mind if users from 192... had access to port 80 on any host within 172 :)
Thanks both for your patience and help.
Nick
With port 80 access on the 172.16.16.0/24 network:
interface fastethernet0
switchport mode access
switchport access vlan 1
interface fastethernet1
switchport mode access
switchport access vlan 2
no access-list 122
access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any
no access-list 133
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
Looks like I can't copy and paste to save myself.. here it is this time...
interface fastethernet0
switchport mode access
switchport access vlan 1
interface fastethernet1
switchport mode access
switchport access vlan 2
access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
so so late here, this is the last one that meets all of your "current requirements"
interface fastethernet0
switchport mode access
switchport access vlan 1
interface fastethernet1
switchport mode access
switchport access vlan 2
no access-list 122
access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any
no access-list 133
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
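An added example that is not part of the thread: a small Python model of how IOS evaluates these numbered extended ACLs (first match wins, implicit deny at the end, and each packet is judged on its own header). The entries are the final ACL 122 and ACL 133 above; the sample hosts, client ports and the 203.0.113.5 Internet address are constructed.

```python
import ipaddress
from typing import List, Optional

# Constructed model of IOS numbered extended ACL evaluation: first match wins,
# an unmatched packet hits the implicit "deny ip any any", and each packet is
# judged on its own header (stateless), so "eq 80" on the destination does not
# cover the return leg of a connection.

def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)

def parse_ace(line: str) -> tuple:
    """Parse 'access-list N <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    tok = line.split()
    i = 4  # tokens 0..3: access-list, number, action, protocol
    nets = []
    for _ in range(2):  # source, then destination
        if tok[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.IPv4Network(tok[i + 1] + "/32")); i += 2
        else:
            nets.append(wildcard_net(tok[i], tok[i + 1])); i += 2
    dport: Optional[int] = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return (tok[2], tok[3], nets[0], nets[1], dport)

def evaluate(acl: List[tuple], proto: str, src: str, dst: str, dport: int = 0) -> str:
    """Return 'permit' or 'deny' for one packet header (dport: destination port)."""
    for action, aproto, anet_src, anet_dst, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if ipaddress.IPv4Address(src) not in anet_src or ipaddress.IPv4Address(dst) not in anet_dst:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

# The final ACLs from the thread, applied "in" on Vlan1 (122) and Vlan2 (133).
ACL_122 = [parse_ace(l) for l in (
    "access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80",
    "access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255",
    "access-list 122 permit ip any any")]
ACL_133 = [parse_ace(l) for l in (
    "access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80",
    "access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255",
    "access-list 133 permit ip any any")]
```

Because the check is stateless, the reply of a permitted HTTP connection (source 172.16.16.200 port 80, destination an ephemeral port on 192.168.16.0/24) falls past the eq 80 line to the deny in ACL 133, which is the kind of flow worth testing before treating the ACL pair as complete.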
ASKER
Thanks again for this. I appreciate it's late.
This is what my FastEthernet configuration looks like after issuing those commands on the CLI:
Is this correct? It isn't showing the switchport modes.
Nick
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
It is correct; switchport access vlan 1 is the default command, which is not shown in the config!
sh run all will show you the default configuration as well.
Yes, that configuration is correct. By default all ports are in access mode in VLAN 1. Generally you would not utilise VLAN 1. I would generally start numbering VLANs at 2.