Cisco 887VA VLANS

Hi Guys,

I have a Cisco 887VA Router configured for my BT Infinity connection and it is working flawlessly at the moment. However I am now wanting to remove my RRAS box and have all my VLANs configured on the router. This is where I need your help :)

I have attached my running config as well as the vlan-switch config at present. Ideally what I want to do is have 4 VLANs with the following IP addresses:

192.168.1.254 - FE0 (already in place)
192.168.2.254 - FE1
192.168.3.254 - FE2
192.168.4.254 - FE3

I think I will also need to set up IPHelpers as my DHCP Server sits on 192.168.1.1

I'm a Cisco noob and had help getting to where I am today and need a little more assistance to get that little bit further :)

I appreciate any assistance you guys can provide.

Thanks
Run-Config.txt
vlan-switch.txt
Amarjot Singh asked:

JustInCase commented:
What you have described is this scenario (it is OK if you have L2 switch(es) attached to the Cisco 887VA):
interface FastEthernet0
 switchport mode access
 no ip address
!
interface FastEthernet1
 switchport mode access
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 switchport mode access
 switchport access vlan 3
 no ip address
!
interface FastEthernet3
 switchport mode access
 switchport access vlan 4
 no ip address
!
interface Vlan1
 description **VLAN 1 INTERFACE**
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description **VLAN 2 INTERFACE**
 ip address 192.168.2.254 255.255.255.0
 ip address-helper 192.168.1.x
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 description **VLAN 3 INTERFACE**
 ip address 192.168.3.254 255.255.255.0
 ip address-helper 192.168.1.x
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 description **VLAN 4 INTERFACE**
 ip address 192.168.4.254 255.255.255.0
 ip address-helper 192.168.1.x
 ip nat inside
 ip virtual-reassembly in



192.168.1.x is the address of the DHCP server in VLAN 1 (I understood that the router will not be the DHCP server).
The question with that scenario is whether you are going to have 4 links from the Cisco router to the switch(es), or just one link configured as a trunk.
If you have an L3 switch attached to the Cisco 887VA, I guess the better solution is to have a trunk link (and a different configuration on this router; inter-VLAN communication should then be configured on the L3 switch).
If you have an L2 switch downstream from the router, I guess it is better to have 4 links to that switch, because if you create a trunk link it will be a bottleneck for inter-VLAN traffic.
Amarjot Singh (author) commented:
Hi Predrag,

Thank you for your prompt response - I really appreciate your assistance.

Unfortunately I only have L2 switches downstream (2 x GS724T) so I think this setup will be the best given what you have said.

Secondly, I am very much a n00b when it comes to Cisco and the only experience I had was nearly 10 years ago and I have forgotten most things! Are you able to walk me through the commands required to get this configuration in place?

Also, by having the 4 links exit the router, will IP helpers still be required? And will inter-VLAN communication be possible? Ideally I'd like to have them all separated with the option to open ports between VLANs (if you are able to help with that also, I would be extremely grateful).
JustInCase commented:
The whole configuration is already given in the previous post. That's it.
Port Fa1 does not need # switchport access vlan 1, simply because it is already in VLAN 1 by default.
 :)
You just need to create the VLANs on the downstream switches and connect each VLAN to the matching port on the router's switch interface.

All inter-VLAN communication will go through the router and will be possible.
If the router is not the DHCP server, ip address-helper will be required; if the router is the DHCP server, ip address-helper is not necessary.

To deny inter-VLAN communication you will need to create access lists and apply them to the SVIs.

access-list 100 deny   ip any 172.16.0.0 0.15.255.255
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any

interface vlan 1
 ip access-group 100 in

This ACL will deny all traffic exiting the VLAN to any private address space. Traffic that you want to permit should be at the top of those access-list statements.
Example:
access-list 100 permit tcp any host 192.168.4.15 eq www
access-list 100 deny   ip any 172.16.0.0 0.15.255.255
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any

interface vlan 1
 ip access-group 100 in

This will permit only traffic to port 80 on host 192.168.4.15 and internet traffic; all other inter-VLAN traffic is denied for all hosts residing in VLAN 1.

Amarjot Singh (author) commented:
I just set up the VLAN configuration and it worked a charm. Thank you so much for that!
The only thing that didn't work was the ip address-helper command. It doesn't appear to recognise this command. Am I doing something wrong?

I've not tried the access-lists yet as I want to get one thing working at a time :)

Thanks again
JustInCase commented:
Yes, you are doing it wrong, but that's my fault.
 :)
I gave you wrong command, it should be:
# ip helper-address
Amarjot Singh (author) commented:
Perfect - it worked this time :) Thanks!

I'm going to try the access lists shortly. A few questions before I begin:

What is SVI?

The following:

access-list 100 permit tcp any host 192.168.4.15 eq www
access-list 100 deny   ip any 172.16.0.0 0.15.255.255
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any

interface vlan 1
 ip access-group 100 in


Am I right to believe that I can use this same access group for all VLANs?
If I add it to VLAN 1, only VLAN 1 will talk to VLAN 1 but not 2, 3 and 4,
and if I add it to VLAN 2, only VLAN 2 will talk to VLAN 2 but not 1, 3 and 4, etc.
Or do I need to create a group for each individual VLAN?

Also, you mentioned adding the required ports to the top line. I've attached a spreadsheet of ports for AD; how would I add these? I noticed you added "eq www" for port 80.

And lastly, I've set up port forwarding for a number of ports for external access (see below for an example). Will these continue to function?

ip nat inside source static tcp 192.168.1.x 443 interface Dialer1 443


Connectivity-Matrix-TEMPLATE.xlsx
JustInCase commented:
What is SVI?
SVI - Switch Virtual Interface (interface VLAN X)
Am I right to believe that I can use this same access group for all vlans?
Maybe; that depends on what you are trying to accomplish.
The one that I gave you will be OK for all VLANs (since the source address is any) as long as there are no special cases...
If there are special cases you can go two paths:
- you can create one ACL as a general rule for all VLANs and apply it to the interface in the IN direction, and some specific rules to apply in the OUT direction (# ip access-group 101 out)
- or create an ACL specifically for one or more VLANs

You can add port 80, but the switch will convert it in the config to www.
All ports from the spreadsheet need to be permitted before denying inter-VLAN traffic.

ip nat inside source static tcp 192.168.1.x 443 interface Dialer1 443
is OK.
If you have more port forwarding, the suffix extendable will probably be needed at the end of every port-forwarding command, but the router will warn you about that (and add it itself, if I remember correctly). And since you have 2 DCs I guess you will need it :)
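To see how the access-list 100 example from the earlier answer behaves when it is applied inbound on each SVI (first match wins, then the implicit deny), here is an added evaluator for that exact ACL. It is not part of the thread or of IOS; the ACL text is a constructed copy of the thread's example and the "www" name-to-port mapping is the one IOS applies.

```python
import ipaddress

# Constructed copy of the thread's "access-list 100" example, not the poster's running config.
ACL_100 = """
access-list 100 permit tcp any host 192.168.4.15 eq www
access-list 100 deny   ip any 172.16.0.0 0.15.255.255
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
"""
PORT_NAMES = {"www": 80}  # IOS stores well-known ports by name, as the thread notes

def parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A wildcard mask is the bitwise inverse of a subnet mask (0.0.255.255 -> /16)
    mask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(PORT_NAMES.get(tokens[1], tokens[1])), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = parse_addr(rest)
        sport, rest = parse_port(rest)
        dst, rest = parse_addr(rest)
        dport, rest = parse_port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, esport, edst, edport in entries:
        if eproto in ("ip", proto) and s in esrc and d in edst \
           and esport in (None, sport) and edport in (None, dport):
            return action
    return "deny"
```

Running the HTTP reply from 192.168.4.15 back to a VLAN 1 host through the same ACL shows that it is denied, because an extended ACL is stateless and the reply is just another packet to 192.168.0.0/16 when the list is applied inbound on Vlan4; that return path needs its own permit entry if the list is reused on every SVI.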
Amarjot Singh (author) commented:
Sorry for the delay in updating! I just wanted to say thank you so much; I managed to get it all set up :)

I will be posting another question about a DMZ; I hope to hear from you again :)

Thanks
Amarjot Singh (author) commented:
Fantastic help - Thank you so much!
JustInCase commented:
You are welcome.
:)