Solved

Configuring VLANs on a Cisco 877 router

Posted on 2010-08-15
677 Views
Last Modified: 2012-05-10
Dear Experts,

I'm relatively new to Cisco gear and have set up a router config below:

I've created two VLANs (Vlan1 and Vlan2).

I'd like to keep them completely separate, i.e. Vlan1 is only accessible to the switch plugged into FastEthernet0 and Vlan2 is only accessible to the switch plugged into FastEthernet1.

However, I'd like users on 192.168.16.0/24 to be able to access 172.16.16.200 port 80 only.

If anybody could give me any advice on this config, I'd really appreciate it!

Thanks

Nick
CISCO877#sh run
Building configuration...

Current configuration : 5973 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3641892774
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3641892774
 revocation-check none
 rsakeypair TP-self-signed-3641892774
!
!
dot11 syslog
ip cef
!
!
ip domain name XXX
ip name-server XXX
!
!
!
username admin privilege 15 secret 5 xxx
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 description BT ADSL connection
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-DATA-NETWORK$
 ip address 192.168.16.1 255.255.255.0
 ip access-group 122 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $ETH-VOICE-NETWORK$
 ip address 172.16.16.1 255.255.255.0
 ip access-group 133 in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXX@hg23.btclick.com
 ppp chap password 0 XXXXXX
 ppp pap sent-username XXX8@hg23.btclick.com password 0 XXXXXX
 ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-top-talkers
 top 5
 sort-by bytes
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended NAT
 permit ip 192.168.16.0 0.0.0.255 any
!
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 122 permit ip 192.168.16.0 0.0.0.255 any
access-list 133 permit ip 172.16.16.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run


0
Comment
Question by:nkewney
20 Comments
 
LVL 4

Expert Comment

by:Valutus
ID: 33440276
Remove your existing access list 122 and replace it with this one:

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

0
 
LVL 1

Author Comment

by:nkewney
ID: 33440320
That's great - thanks.

I don't have to assign the VLANs to particular FastEthernet ports in the config?

Thanks

Nick
0
 
LVL 4

Accepted Solution

by:
Valutus earned 250 total points
ID: 33440337
If they are connected to non-VLAN-capable switches then yes.
Here is how you set the ports to access mode.

config t
interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
ID: 33440348

If the above comments are not working for you then try

1) interface FastEthernet1
switchport access vlan 2

2)
192.168.16.0/24 to access 172.16.16.200 on port 80 and deny others
no access-list 122 permit ip 192.168.16.0 0.0.0.255 any
no access-list 133 permit ip 172.16.16.0 0.0.0.255 any

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255

3)
host 172.16.16.200 to reply to 192.168.16.0/24, and deny others
access-list 133 permit tcp host 172.16.16.200 eq 80 192.168.16.0 0.0.0.255

int vlan 1
ip access-group 122 in
int vlan 2
ip access-group 133 in

0
 
LVL 4

Expert Comment

by:Valutus
ID: 33440357
anoopkmr, your suggestion is incorrect:

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255

If he enters those lines he will only be allowing port 80 through, and all other traffic, regardless of the destination, will be denied. Remember IOS has a default deny.

0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33440389


I think that is the requirement.

nkewney,
you can avoid the line
   access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255

Try my comments only if the other solutions didn't work.

0
 
LVL 4

Expert Comment

by:Valutus
ID: 33440402
Since he also has NAT rules, would you not assume that he wants the hosts on both VLANs to be able to send traffic out through the Dialer0 interface? ;)
0
 
LVL 1

Author Comment

by:nkewney
ID: 33440435
Thanks for your help both.

I'm a bit confused now.

I want the switch that's connected to VLAN1 (with hosts 192.168.16.0/24) to only be allowed through FastEthernet0

I want the switch that's connected to VLAN2 (with hosts 172.16.16.0/24) to only be allowed through FastEthernet1


I want the two networks to be completely separate, with the exception of port 80 between the two networks.

Vlan2 does not need access to the Internet
Vlan1 does!

Hope this clears things up.

Thanks again for your help!

Nick
0
 
LVL 1

Author Comment

by:nkewney
ID: 33440437
Actually, scratch that - VLAN2 *does* need access to the Internet (for updates etc)

Thanks

Nick
0
 
LVL 4

Expert Comment

by:Valutus
ID: 33440475
In that case, this is what you need to do:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80 
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip any any


0
 
LVL 4

Expert Comment

by:Valutus
ID: 33440483
Argh, if you want VLAN 2 to have access to the internet as well, use these rules:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any

0
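Because IOS ACLs are stateless and an "eq 80" placed after the destination matches the destination port, an ACL applied inbound on Vlan2 also has to match the web server's replies, which carry source port 80. The evaluator below is an added example (not from this thread or from Cisco) that replays one HTTP flow through ACL 122 and two versions of ACL 133, the one posted above and a variant that matches the source port; the client address 192.168.16.10 and port 40000 are constructed, and only the permit/deny, ip/tcp, any/host/wildcard and eq subset of the ACL syntax is modelled.

```python
import ipaddress
def _addr(tok):
    """Pop one address spec and an optional 'eq <port>'; return (network, port)."""
    t = tok.pop(0)
    if t == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif t == "host":
        net = ipaddress.ip_network(tok.pop(0) + "/32")
    else:  # address plus wildcard mask, e.g. "172.16.16.0 0.0.0.255" -> /24
        bits = int(ipaddress.ip_address(tok.pop(0))).bit_length()
        net = ipaddress.ip_network(f"{t}/{32 - bits}", strict=False)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    if port is not None: del tok[:2]
    return net, port

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines, in order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            action, proto, rest = tok[2], tok[3], tok[4:]
            entries.append((action, proto, *_addr(rest), *_addr(rest)))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s_net, s_port, d_net, d_port in entries:
        if (p in ("ip", proto) and s in s_net and d in d_net
                and s_port in (None, sport) and d_port in (None, dport)):
            return action
    return "deny"

# ACL 122 is applied inbound on Vlan1 and ACL 133 inbound on Vlan2, as in the thread.
ACL_122 = """access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any"""
ACL_133_THREAD = """access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any"""
# Same policy, but the permit matches the web server's source port, i.e. its replies.
ACL_133_REPLY = """access-list 133 permit tcp host 172.16.16.200 eq 80 192.168.16.0 0.0.0.255
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any"""

def web_flow(acl_122, acl_133, client="192.168.16.10", server="172.16.16.200"):
    """Verdicts for the client's request (ACL 122) and the server's reply (ACL 133)."""
    request = evaluate(parse_acl(acl_122), "tcp", client, 40000, server, 80)
    reply = evaluate(parse_acl(acl_133), "tcp", server, 80, client, 40000)
    return request, reply
```

On a real router the established keyword on the Vlan2 rule is the usual way to admit only replies; note also that the posted config NATs only access-list 1 (192.168.16.0/24), so Vlan2 needs its own NAT source entry before it can reach the Internet.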
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33440502
hi nkewney,

Is your requirement "I'd like users on 192.168.16.0/24 to be able to access 172.16.16.200 port 80 only." still valid?
0
 
LVL 1

Author Comment

by:nkewney
ID: 33440508
Hi anoopkmr,

This is still valid, although I wouldn't mind if users from 192... had access to port 80 on any host within 172 :)

Thanks both for your patience and help.

Nick
0
 
LVL 4

Expert Comment

by:Valutus
ID: 33440525
With port 80 access on the 172.16.16.0/24 network:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

no access-list 122
access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

no access-list 133
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any

0
 
LVL 4

Expert Comment

by:Valutus
ID: 33440528
Looks like I can't copy and paste to save myself... here it is this time:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any

0
 
LVL 4

Expert Comment

by:Valutus
ID: 33440529
So, so late here; this is the last one that meets all of your "current requirements":

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

no access-list 122
access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

no access-list 133
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any

0
 
LVL 1

Author Comment

by:nkewney
ID: 33440576
Thanks again for this. I appreciate it's late.

This is what my FastEthernet configuration looks like after issuing those commands on the CLI:

Is this correct? It isn't showing the switchport modes.

Nick
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!

0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33440726
It is correct; switchport access vlan 1 is the default command, which is not shown in the config!
0
 
LVL 9

Expert Comment

by:Donboo
ID: 33441809
sh run all will give you the default configuration also.
0
 
LVL 4

Expert Comment

by:Valutus
ID: 33442482
Yes, that configuration is correct. By default all ports are in access mode in VLAN 1. Generally you would not utilise VLAN 1; I would generally start numbering VLANs at 2.
0
