P1ST0LPETE
asked on
Trouble getting 2nd VLAN to connect to internet
Experts,
I have the following config (see below) running on my Cisco 1811 router. When I connect a pc to Fe1-Fe8 with a 10.10.10.0 network address then I am able to fully connect to the internet. However, when I connect a pc to Fe9 with a 10.10.20.0 address I am not able to connect to the internet.
When I have PC's plugged into Fe2, Fe3, Fe4 and Fe9 and then issue a "show ip int brief" command on the router it returns this:
Interface       IP-Address      OK? Method Status                Protocol
FastEthernet0   223.103.5.175   YES NVRAM  up                    up
FastEthernet1   unassigned      YES NVRAM  administratively down down
FastEthernet2   unassigned      YES unset  up                    up
FastEthernet3   unassigned      YES unset  up                    up
FastEthernet4   unassigned      YES unset  up                    up
FastEthernet5   unassigned      YES unset  up                    down
FastEthernet6   unassigned      YES unset  up                    down
FastEthernet7   unassigned      YES unset  up                    down
FastEthernet8   unassigned      YES unset  up                    down
FastEthernet9   unassigned      YES unset  up                    up
Dot11Radio0     unassigned      YES NVRAM  administratively down down
Dot11Radio1     unassigned      YES NVRAM  administratively down down
Vlan1           10.10.10.1      YES NVRAM  up                    up
Async1          unassigned      YES NVRAM  down                  down
NVI0            223.103.5.175   YES unset  up                    up
Vlan2           10.10.20.1      YES NVRAM  up                    down
The 3 computers connected to Fe2-Fe4 are able to get online and ping their gateway (10.10.10.1), but the PC on Fe9 cannot get internet access and cannot ping its gateway (10.10.20.1), although Windows shows it to be connected.
What do I need to change in my configuration to allow VLAN 2 (10.10.20.0) to get up and working?
!
version 12.4
no service config
no service timestamps debug datetime msec
no service timestamps log datetime msec
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone PCTime -5
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1
!
!
ip cef
ip domain name xxxxxx
ip name-server 68.94.156.1
ip name-server 68.94.157.1
no ipv6 cef
!
multilink bundle-name authenticated
!
username xxxxx privilege 15 password xxxxx
!
!
archive
log config
hidekeys
!
!
interface FastEthernet0
description $xxxxx Gateway$
ip address 223.103.5.175 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet2
switchport access vlan 1
!
interface FastEthernet3
switchport access vlan 1
!
interface FastEthernet4
switchport access vlan 1
!
interface FastEthernet5
switchport access vlan 1
!
interface FastEthernet6
switchport access vlan 1
!
interface FastEthernet7
switchport access vlan 1
!
interface FastEthernet8
switchport access vlan 1
!
interface FastEthernet9
switchport access vlan 2
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
no cdp enable
!
interface Vlan1
description $xxxxx Network Block$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
description $xxxxx Network Block$
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
no ip route-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 223.103.5.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
!
!
control-plane
!
!
banner login ^
---------------------------------------------------------
Only xxxxx Employee's may access this device.
If you are NOT an authorized user, disconnect now!!!
---------------------------------------------------------
^
!
!
line con 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
password xxxxx
login
!
no process cpu extended
no process cpu autoprofile hog
end
ASKER
No. Fe9 is the one and only interface that I have setup for VLAN 2, and a pc hooked up to it cannot ping 10.10.20.1.
I've tried changing the config around too, making Fe9 a VLAN 1 interface and putting one of the other interfaces like Fe4 on VLAN 2. When I do this, Fe9 works just perfect on VLAN 1, and then Fe4 can't do anything: ping its gateway or get internet access.
Try changing lines 121 and 122:
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 20 permit 10.10.20.0 0.0.0.255
ACLs should increment and usually start with 10 and go up by 10 each time.
ASKER
So if I changed this:
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
to this:
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 20 permit 10.10.20.0 0.0.0.255
would I need to change this:
ip nat inside source list 1 interface FastEthernet0 overload
to this:
ip nat inside source list 10 interface FastEthernet0 overload
ip nat inside source list 20 interface FastEthernet0 overload
Since you are allowing all 10.10.10.x and all 10.10.20.x addresses you could do it the lazy way and create one access list:
access-list 10 permit 10.10.0.0 0.0.255.255
ip nat inside source list 10 interface FastEthernet0 overload
However, this will permit all addresses from 10.10.0.1 to 10.10.255.255 and would then rely on security in other areas.
You could get more restrictive with the third octet, but not to the point of eliminating the addresses 10.10.11.0 through 10.10.19.255, still leaving a large hole.
So basically speaking I would say yes, you need both NATs that you have listed.
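The wildcard-mask trade-off from the answer above, as an added example that is not part of the thread: it applies IOS wildcard matching to the ACL lines quoted on this page and lists which 10.10.x.0 networks each variant would make eligible for NAT. The `0.0.31.255` entry is an assumed illustration of "more restrictive with the third octet", and the function names are hypothetical.

```python
import ipaddress

INTENDED = {10, 20}  # third octets of the two inside subnets from the thread

def parse_entry(line):
    """Parse 'access-list N permit ADDR WILDCARD' into (base, wildcard) integers."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "access-list" or parts[2] != "permit":
        raise ValueError(f"unsupported ACL line: {line!r}")
    return int(ipaddress.IPv4Address(parts[3])), int(ipaddress.IPv4Address(parts[4]))

def matches(entry, addr):
    """Wildcard semantics: bits set in the wildcard are ignored, the rest must equal the base."""
    base, wildcard = entry
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ base) & care == 0

def permitted_third_octets(acl_lines):
    """Third octets c for which a host 10.10.c.1 is permitted by any of the entries."""
    entries = [parse_entry(line) for line in acl_lines]
    return [c for c in range(256)
            if any(matches(e, f"10.10.{c}.1") for e in entries)]

def unintended(acl_lines):
    """Networks permitted by the ACL that are not one of the two VLAN subnets."""
    return [c for c in permitted_third_octets(acl_lines) if c not in INTENDED]

# ACL variants: the first two are quoted in the thread, the third is an assumption.
SPECIFIC = ["access-list 10 permit 10.10.10.0 0.0.0.255",
            "access-list 20 permit 10.10.20.0 0.0.0.255"]
WIDE = ["access-list 10 permit 10.10.0.0 0.0.255.255"]
TIGHTER = ["access-list 10 permit 10.10.0.0 0.0.31.255"]  # assumed tighter single entry

if __name__ == "__main__":
    for name, acl in (("specific", SPECIFIC), ("wide", WIDE), ("tighter", TIGHTER)):
        extra = unintended(acl)
        print(f"{name:9s} permits {len(permitted_third_octets(acl)):3d} /24 networks, "
              f"{len(extra):3d} of them unintended")
```
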
ASKER
OK, changed the access-lists to look like this:
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 20 permit 10.10.20.0 0.0.0.255
and changed my nat to look like this:
ip nat inside source list 10 interface FastEthernet0 overload
ip nat inside source list 20 interface FastEthernet0 overload
VLAN 2 still shows its protocol as down, and no PC plugged into a port assigned to VLAN 2 can ping the IP address assigned to VLAN 2.
Sounds like your platform is one of those that only allow 1 VLAN.
Does the PC get a 10.10.20.x address when plugged into the VLAN2 port?
ASKER
I am manually assigning the PCs static IP addresses. I don't have DHCP set up on the router yet - and don't even know how at this point :-)
ASKER
Did some searching around. The Cisco 1811 that I have supports up to 8 VLANs.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Ok, did the following:
Router# vlan database
This threw a warning saying "It is recommended to configure VLAN from config mode, as VLAN database mode is being deprecated. Please consult user documentation for configuring VTP/VLAN config mode."
Changed my cursor to Router(vlan)# not Router(vlan-data)#
Anyway, typed in "show"
Router(vlan)#show
and it displayed this:
VLAN ISL Id: 1
Name: default
Media Type: Ethernet
VLAN 802.10 Id: 100001
State: Operational
MTU: 1500
Translational Bridged VLAN: 1002
Translational Bridged VLAN: 1003
VLAN ISL Id: 1002
Name: fddi-default
Media Type: FDDI
VLAN 802.10 Id: 101002
State: Operational
MTU: 1500
Bridge Type: SRB
Translational Bridged VLAN: 1
Translational Bridged VLAN: 1003
VLAN ISL Id: 1003
Name: token-ring-default
Media Type: Token Ring
VLAN 802.10 Id: 101003
State: Operational
MTU: 1500
Bridge Type: SRB
Ring Number: 0
Bridge Number: 1
Parent VLAN: 1005
Maximum ARE Hop Count: 7
Maximum STE Hop Count: 7
Backup CRF Mode: Disabled
Translational Bridged VLAN: 1
Translational Bridged VLAN: 1002
VLAN ISL Id: 1004
Name: fddinet-default
Media Type: FDDI Net
VLAN 802.10 Id: 101004
State: Operational
MTU: 1500
Bridge Type: SRB
Bridge Number: 1
STP Type: IBM
VLAN ISL Id: 1005
Name: trnet-default
Media Type: Token Ring Net
VLAN 802.10 Id: 101005
State: Operational
MTU: 1500
Bridge Type: SRB
Bridge Number: 1
STP Type: IBM
Can't really decipher what this is telling me. How else should I verify if VLAN 2 is actually created?
ASKER
Pulled up some more stuff on the router.
Router#show vlan-switch
VLAN Name                       Status    Ports
---- -------------------------- --------- -------------------------------
1    default                    active    Fa2, Fa3, Fa4, Fa5, Fa6, Fa7, Fa8
1002 fddi-default               act/unsup
1003 token-ring-default         act/unsup
1004 fddinet-default            act/unsup
1005 trnet-default              act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
Then typed in
Router#show vlans
and the response was "No Virtual LANs configured."
What have I done wrong? I have VLAN 2 in my config file. Even doing a "show run" shows it....
SOLUTION
This solution is only available to members.
ASKER
Been pulling my hair out all day on this one. Added VLAN to the database, and now it works, thanks for the help.
I bow to Don on this one. VLAN2 does not exist and needs to be created.
Simply kissing my ring will suffice. ;-)
I recall something about a limit of 1 functional VLAN on some routers.