Solved

Configuring VLANs on a Cisco 877 router

Posted on 2010-08-15
Last Modified: 2012-05-10
Dear Experts,

I'm relatively new to Cisco gear and have set up a router config below:

I've created two Vlans (Vlan1 and Vlan 2)

I'd like to keep them completely separate, i.e. Vlan 1 is only accessible to the switch plugged into FastEthernet0 and Vlan 2 is only accessible to the switch plugged into FastEthernet1.

However, I'd like users on 192.168.16.0/24 to be able to access 172.16.16.200 port 80 only.

If anybody could give me any advice on this config, I'd really appreciate it!

Thanks

Nick
CISCO877#sh run
Building configuration...

Current configuration : 5973 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3641892774
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3641892774
 revocation-check none
 rsakeypair TP-self-signed-3641892774
!
!
dot11 syslog
ip cef
!
!
ip domain name XXX
ip name-server XXX
!
!
!
username admin privilege 15 secret 5 xxx
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 description BT ADSL connection
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-DATA-NETWORK$
 ip address 192.168.16.1 255.255.255.0
 ip access-group 122 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $ETH-VOICE-NETWORK$
 ip address 172.16.16.1 255.255.255.0
 ip access-group 133 in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXX@hg23.btclick.com
 ppp chap password 0 XXXXXX
 ppp pap sent-username XXX8@hg23.btclick.com password 0 XXXXXX
 ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-top-talkers
 top 5
 sort-by bytes
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended NAT
 permit ip 192.168.16.0 0.0.0.255 any
!
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 122 permit ip 192.168.16.0 0.0.0.255 any
access-list 133 permit ip 172.16.16.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

Question by:nkewney
20 Comments
 
LVL 4

Expert Comment

by:Valutus
ID: 33440276
Remove your existing access list 122 and replace it with this one:

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

 
LVL 1

Author Comment

by:nkewney
ID: 33440320
That's great - thanks.

I don't have to assign the VLANs to particular FastEthernet ports in the config?

Thanks

Nick
 
LVL 4

Accepted Solution

by:
Valutus earned 1000 total points
ID: 33440337
If they are connected to non VLAN capable switches then yes.  
Here is how you set the ports to access mode.  

config t
interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 1000 total points
ID: 33440348

If the above comments are not working for you, then try:

1) interface FastEthernet1
switchport access vlan 2

2)
192.168.16.0/24 to access 172.16.16.200 on port 80, and deny others
no access-list 122 permit ip 192.168.16.0 0.0.0.255 any
no access-list 133 permit ip 172.16.16.0 0.0.0.255 any

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255

3)
host 172.16.16.200 to reply to 192.168.16.0/24, and deny others
access-list 133 permit tcp host 172.16.16.200 eq 80 192.168.16.0 0.0.0.255

int vlan 1
ip access-group 122 in
int vlan 2
ip access-group 133 in
 
LVL 4

Expert Comment

by:Valutus
ID: 33440357
anoopkmr, your suggestion is incorrect:

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255

If he enters those lines he will only be allowing port 80 through, and all other traffic, regardless of the destination, will be denied. Remember IOS has a default deny.
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33440389


I think that is the requirement.

nkewney,
you can avoid the line
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.15.0 0.0.0.255

Try my comments only if the other solutions didn't work.
 
LVL 4

Expert Comment

by:Valutus
ID: 33440402
Since he also has NAT rules, would you not assume that he wants the hosts on both VLANs to be able to send traffic out through the dialer0 interface? ;)
 
LVL 1

Author Comment

by:nkewney
ID: 33440435
Thanks for your help both.

I'm a bit confused now.

I want the switch that's connected to VLAN1 (with hosts 192.168.16.0/24) to only be allowed through FastEthernet0

I want the switch that's connected to VLAN2 (with hosts 172.16.16.0/24) to only be allowed through FastEthernet1


I want the two networks to be completely separate, with the exception of port 80 between the two networks.

Vlan2 does not need access to the Internet
Vlan1 does!

Hope this clears things up.

Thanks again for your help!

Nick
 
LVL 1

Author Comment

by:nkewney
ID: 33440437
Actually, scratch that - VLAN2 *does* need access to the Internet (for updates etc)

Thanks

Nick
 
LVL 4

Expert Comment

by:Valutus
ID: 33440475
In that case, this is what you need to do:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip any any
 
LVL 4

Expert Comment

by:Valutus
ID: 33440483
Argh, if you want VLAN 2 to have access to the internet as well, use these rules:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33440502
hi nkewney,

Is your requirement "I'd like users on 192.168.16.0/24 to be able to access 172.16.16.200 port 80 only." still valid?
 
LVL 1

Author Comment

by:nkewney
ID: 33440508
Hi anoopkmr,

This is still valid, although I wouldn't mind if users from 192... had access to port 80 on any host within 172 :)

Thanks both for your patience and help.

Nick
 
LVL 4

Expert Comment

by:Valutus
ID: 33440525
With port 80 access on the 172.16.16.0/24 network:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

no access-list 122
access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

no access-list 133
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
 
LVL 4

Expert Comment

by:Valutus
ID: 33440528
Looks like I can't copy and paste to save myself... here it is this time:

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
 
LVL 4

Expert Comment

by:Valutus
ID: 33440529
So, so late here; this is the last one that meets all of your "current requirements":

interface fastethernet0
switchport mode access
switchport access vlan 1

interface fastethernet1
switchport mode access
switchport access vlan 2

no access-list 122
access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80
access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip any any

no access-list 133
access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80
access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 permit ip any any
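As an added illustration (not part of this thread, and not Cisco's code): the disagreement in comment ID 33440357 about the implicit deny, and the final lists above, can be checked offline with a small Python evaluator of IOS-style extended ACL lines. It implements first-match, top-down evaluation with the implicit "deny ip any any" at the end, and it only understands the syntax used in this thread (permit/deny, ip/tcp, any / host / address plus wildcard, eq, established). The packets and the 203.0.113.5 internet address are constructed sample values. The evaluator also shows one point the thread did not cover: in an extended ACL, "eq 80" written after the destination matches the destination port, so the web server's replies (source port 80, client's ephemeral port as destination) do not match the first line of ACL 133 and fall through to its deny; ACL_133_ESTABLISHED is my own variant, not a line from the thread, that matches the reply by source port together with the established keyword.

```python
"""Tiny first-match evaluator for IOS-style numbered extended ACLs (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set (reply traffic)


def _net(addr, wildcard):
    """IOS address + wildcard mask -> ip_network (wildcard 0.0.0.255 is mask 255.255.255.0)."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq N' qualifier. Returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    t = line.split()
    assert t[0] == "access-list", line
    action, proto = t[2], t[3]
    src, rest = _parse_addr(t[4:])
    sport, rest = _parse_port(rest)        # a port right after the source is a SOURCE port
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)        # a port after the destination is a DESTINATION port
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established="established" in rest)


def matches(ace, pkt):
    """True when every qualifier of the entry fits the packet."""
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if ace["established"] and not pkt.established:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Top-down first match; anything unmatched hits the implicit 'deny ip any any'."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"]
    return "deny"


# ACL 122 as proposed in comment ID 33440348 (no trailing permit).
ACL_122_NO_TRAILER = [
    "access-list 122 permit tcp 192.168.16.0 0.0.0.255 host 172.16.16.200 eq 80",
    "access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255",
]
# ACL 122 / 133 from the final post in the thread (comment ID 33440529).
ACL_122_FINAL = [
    "access-list 122 permit tcp 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255 eq 80",
    "access-list 122 deny ip 192.168.16.0 0.0.0.255 172.16.16.0 0.0.0.255",
    "access-list 122 permit ip any any",
]
ACL_133_FINAL = [
    "access-list 133 permit tcp 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255 eq 80",
    "access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255",
    "access-list 133 permit ip any any",
]
# My variant (not from the thread): match the reply by SOURCE port 80 plus 'established'.
ACL_133_ESTABLISHED = [
    "access-list 133 permit tcp 172.16.16.0 0.0.0.255 eq 80 192.168.16.0 0.0.0.255 established",
    "access-list 133 deny ip 172.16.16.0 0.0.0.255 192.168.16.0 0.0.0.255",
    "access-list 133 permit ip any any",
]

# Constructed sample packets as seen entering the router ('in' on Vlan1 / Vlan2).
WEB_REQUEST = Packet("tcp", "192.168.16.10", "172.16.16.200", sport=40000, dport=80)
WEB_REPLY = Packet("tcp", "172.16.16.200", "192.168.16.10", sport=80, dport=40000, established=True)
SSH_VLAN1_TO_VLAN2 = Packet("tcp", "192.168.16.10", "172.16.16.200", sport=40003, dport=22)
INTERNET_FROM_VLAN1 = Packet("tcp", "192.168.16.10", "203.0.113.5", sport=40001, dport=443)
INTERNET_FROM_VLAN2 = Packet("tcp", "172.16.16.50", "203.0.113.5", sport=40002, dport=443)


def demo():
    """Verdicts for the cases debated in the thread, keyed by ACL/packet."""
    return {
        "no_trailer/internet": evaluate(ACL_122_NO_TRAILER, INTERNET_FROM_VLAN1),
        "final122/web_request": evaluate(ACL_122_FINAL, WEB_REQUEST),
        "final122/ssh": evaluate(ACL_122_FINAL, SSH_VLAN1_TO_VLAN2),
        "final122/internet": evaluate(ACL_122_FINAL, INTERNET_FROM_VLAN1),
        "final133/web_reply": evaluate(ACL_133_FINAL, WEB_REPLY),
        "final133/internet": evaluate(ACL_133_FINAL, INTERNET_FROM_VLAN2),
        "established133/web_reply": evaluate(ACL_133_ESTABLISHED, WEB_REPLY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28} {verdict}")
```

Running it confirms the point Valutus made: without a trailing "permit ip any any", the internet-bound packet from VLAN 1 is dropped by the implicit deny, while the final ACL 122 permits the HTTP request, denies SSH into VLAN 2 and still lets internet traffic out. It also shows the final ACL 133 denying the web server's reply, which the established variant permits.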
 
LVL 1

Author Comment

by:nkewney
ID: 33440576
Thanks again for this.  I appreciate it's late.

This is what my FastEthernet configuration looks like after issuing those commands on the CLI:

Is this correct?  It isn't showing the switchport modes.

Nick
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!

 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33440726
It is correct, switchport access vlan 1 is a default command, which is not shown in the config!
 
LVL 9

Expert Comment

by:Donboo
ID: 33441809
sh run all will also show you the default configuration.
 
LVL 4

Expert Comment

by:Valutus
ID: 33442482
Yes, that configuration is correct. By default all ports are access mode in VLAN 1. Generally you would not utilise VLAN 1; I would generally start numbering VLANs at 2.
