Solved

Configuring VLANs on a Cisco 877 router

Posted on 2010-08-15
Last Modified: 2012-05-10
Dear Experts,

I'm relatively new to Cisco gear and have set up a router config below:

I've created two VLANs (Vlan1 and Vlan2).

I'd like to keep them completely separate, i.e. Vlan1 is only accessible to the switch plugged into FastEthernet0 and Vlan2 is only accessible to the switch plugged into FastEthernet1.

However, I'd like users on 192.168.16.0/24 to be able to access 172.16.16.200 port 80 only.

If anybody could give me any advice on this config, I'd really appreciate it!

Thanks

Nick
CISCO877#sh run
Building configuration...

Current configuration : 5973 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3641892774
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3641892774
 revocation-check none
 rsakeypair TP-self-signed-3641892774
!
!
dot11 syslog
ip cef
!
!
ip domain name XXX
ip name-server XXX
!
!
!
username admin privilege 15 secret 5 xxx
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 description BT ADSL connection
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-DATA-NETWORK$
 ip address 192.168.16.1 255.255.255.0
 ip access-group 122 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $ETH-VOICE-NETWORK$
 ip address 172.16.16.1 255.255.255.0
 ip access-group 133 in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXX@hg23.btclick.com
 ppp chap password 0 XXXXXX
 ppp pap sent-username XXX8@hg23.btclick.com password 0 XXXXXX
 ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-top-talkers
 top 5
 sort-by bytes
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended NAT
 permit ip 192.168.16.0 0.0.0.255 any
!
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 122 permit ip 192.168.16.0 0.0.0.255 any
access-list 133 permit ip 172.16.16.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

Question by:nkewney
20 Comments
 
LVL 4

Expert Comment

by:Valutus
Remove your existing access list 122 and replace it with this one:

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any
 
LVL 1

Author Comment

by:nkewney
That's great - thanks.

I don't have to assign the VLANs to particular FastEthernet ports in the config?

Thanks

Nick
 
LVL 4

Accepted Solution

by:
Valutus earned 250 total points
If they are connected to non-VLAN-capable switches then yes.
Here is how you set the ports to access mode.

config t
interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 250 total points
If the above comments are not working for you, then try:

1) interface FastEthernet1
switchport access vlan 2

2)
192.168.16.0/24 to access 172.16.16.200 on port 80, and deny others
no access-list 122 permit ip 192.168.16.0 0.0.0.255 any
no access-list 133 permit ip 172.16.16.0 0.0.0.255 any

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255

3)
host 172.16.16.200 to reply to 192.168.16.0/24, and deny others
access-list 133 permit tcp host 172.16.16.200 eq 80 192.168.16.0 0.0.0.255

int vlan 1
ip access-group 122 in
int vlan 2
ip access-group 133 in
 
LVL 4

Expert Comment

by:Valutus
anoopkmr, your suggestion is incorrect:

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255

If he enters those lines he will only be allowing port 80 through, and all other traffic, regardless of the destination, will be denied.  Remember IOS has a default deny.
 
LVL 14

Expert Comment

by:anoopkmr
I think that is the requirement,

nkewney,
you can avoid the line
   access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255

Try my comments only if the other solutions didn't work.
 
LVL 4

Expert Comment

by:Valutus
Since he also has NAT rules, would you not assume that he wants the hosts on both VLANs to be able to send traffic out through the Dialer0 interface? ;)
 
LVL 1

Author Comment

by:nkewney
Thanks for your help both.

I'm a bit confused now.

I want the switch that's connected to VLAN1 (with hosts 192.168.16.0/24) to only be allowed through FastEthernet0.

I want the switch that's connected to VLAN2 (with hosts 172.16.16.0/24) to only be allowed through FastEthernet1.

I want the two networks to be completely separate, with the exception of port 80 between the two networks.

Vlan2 does not need access to the Internet.
Vlan1 does!

Hope this clears things up.

Thanks again for your help!

Nick
 
LVL 1

Author Comment

by:nkewney
Actually, scratch that - VLAN2 *does* need access to the Internet (for updates etc)

Thanks

Nick
 
LVL 4

Expert Comment

by:Valutus
In that case, this is what you need to do:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip any any
 
LVL 4

Expert Comment

by:Valutus
Argh, if you want VLAN 2 to have access to the internet as well, use these rules:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
 
LVL 14

Expert Comment

by:anoopkmr
hi nkewney,

Is your requirement "I'd like users on 192.168.16.0/24 to be able to access 172.16.16.200 port 80 only." still valid?
 
LVL 1

Author Comment

by:nkewney
Hi anoopkmr,

This is still valid, although I wouldn't mind if users from 192... had access to port 80 on any host within 172 :)

Thanks both for your patience and help.

Nick
 
LVL 4

Expert Comment

by:Valutus
With port 80 access on the 172.16.16.0/24 network:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

no access-list 122
access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

no access-list 133
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
 
LVL 4

Expert Comment

by:Valutus
Looks like I can't copy and paste to save myself... here it is this time:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
 
LVL 4

Expert Comment

by:Valutus
So, so late here; this is the last one that meets all of your "current requirements":

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

no access-list 122
access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

no access-list 133
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
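To see what the ACLs in the answer above actually do, here is a small stateless ACL evaluator added for this page (it is not from the thread and not Cisco code): it replays the final ACL 122 and 133 lines against constructed sample packets using IOS first-match, implicit-deny semantics with no connection tracking. It confirms that a request from 192.168.16.0/24 to port 80 is permitted and other inter-VLAN traffic denied, but also that the server's reply (source port 80, ephemeral destination port) is denied by ACL 133 unless a reply-path line like anoopkmr's step 3 (REPLY_LINE here, a constructed line) or the IOS `established` keyword is added; the host addresses are constructed examples.

```python
import ipaddress

# ACLs 122 and 133 exactly as posted in the final answer above.
ACL_122 = ["permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80",
           "deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255",
           "permit ip any any"]
ACL_133 = ["permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80",
           "deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255",
           "permit ip any any"]
# Reply-path line modelled on anoopkmr's step 3 (constructed here, not quoted from the thread).
REPLY_LINE = "permit tcp host 172.16.16.200 eq 80 192.168.16.0 0.0.0.255"

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'. Returns (net, mask, port)."""
    t = tokens.pop(0)
    if t == "any":
        net, mask = 0, 0
    elif t == "host":
        net, mask = int(ipaddress.ip_address(tokens.pop(0))), 0xFFFFFFFF
    else:
        net = int(ipaddress.ip_address(t))
        mask = ~int(ipaddress.ip_address(tokens.pop(0))) & 0xFFFFFFFF  # IOS wildcard -> netmask
    port = None
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        port = int(tokens.pop(0))
    return net & mask, mask, port

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Stateless IOS semantics: first matching line wins; implicit deny if nothing matches."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for line in acl:
        tokens = line.split()
        action, rproto = tokens.pop(0), tokens.pop(0)
        snet, smask, sp = _addr(tokens)
        dnet, dmask, dp = _addr(tokens)
        if rproto not in ("ip", proto):          # 'ip' matches every protocol
            continue
        if (s & smask) != snet or (d & dmask) != dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"

if __name__ == "__main__":
    print(evaluate(ACL_122, "tcp", "192.168.16.50", "172.16.16.200", 49152, 80))  # permit
    print(evaluate(ACL_133, "tcp", "172.16.16.200", "192.168.16.50", 80, 49152))  # deny (the reply)
    print(evaluate([REPLY_LINE] + ACL_133, "tcp", "172.16.16.200", "192.168.16.50", 80, 49152))  # permit
```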
 
LVL 1

Author Comment

by:nkewney
Thanks again for this.  I appreciate it's late.

This is what my FastEthernet configuration looks like after issuing those commands on the CLI:

Is this correct?  It isn't showing the switchport modes.

Nick
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
 
LVL 34

Expert Comment

by:Istvan Kalmar
It is correct; switchport access vlan 1 is the default command, which is not shown in the config!
 
LVL 9

Expert Comment

by:Donboo
sh run all will give you the default configuration also.
 
LVL 4

Expert Comment

by:Valutus
Yes, that configuration is correct.  By default all ports are in access mode in VLAN 1.  Generally you would not utilise VLAN 1; I would generally start numbering VLANs at 2.
