Basic Vlans


elimin

Technical User
Jul 19, 2009
3
AU
Hi all,

I am trying to do something very simple. I have a Cisco router running IOS 12.4 with two VLANs attached to two of the physical interfaces.

! ---- Local Interface Configuration
!
interface FastEthernet0
no shutdown
switchport mode access
switchport access vlan 1
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
no shutdown
switchport mode access
switchport access vlan 2
!

! ---- VLAN Configuration
!
interface Vlan1
ip address 192.168.8.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1350
no ip mroute-cache
!
!
interface Vlan2
ip address 192.168.9.1 255.255.255.0
ip nat outside
ip access-group 101 in
!
!
access-list 101 permit ip 192.168.8.0 0.0.0.255 any

With this configuration the router can access all hosts on each network, however the situation I am trying to achieve is to have all the hosts on the 192.168.8.0/24 network to be able to contact the hosts on the 192.168.9.0/24 network.

Currently the hosts on 192.168.8.0/24 can contact 192.168.9.1 (the router) but not the hosts connected to that interface.

As a connected interface, the route to 192.168.9.0/24 via Vlan2 appears in the routing table. I have also tried using NAT in the following manner:

ip nat inside source list 1 interface Vlan2 overload

I'm sure this is a trivial task in IOS and I apologise for the newbie question. Any guidance is much appreciated.

Thank you. :)
 
Post us a copy of a "show ip route" off the router and an "ipconfig" off a host from each of the networks.
 
Thank you VinceWhirlwind,

My problem was that the device I was trying to contact in the .9.0/24 subnet did not have a route set that would allow it to return packets to the 8.0/24 subnet. After defining a route to 192.168.8.0/24 via 192.168.9.1 in the device it works as expected.

Once again thank you for your help solving my problem, here is the information you asked for anyway.

ip routes from router:

220.233.1.0/32 is subnetted, 1 subnets
C 220.233.1.193 is directly connected, Dialer1
220.233.186.0/32 is subnetted, 1 subnets
C 220.233.186.157 is directly connected, Dialer1
C 192.168.8.0/24 is directly connected, Vlan1
C 192.168.9.0/24 is directly connected, Vlan2
S* 0.0.0.0/0 is directly connected, Dialer1


interface information for a host on vlan1:

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.8.30 netmask 0xffffff00 broadcast 192.168.8.255
ether 00:23:6c:83:89:91
media: autoselect status: active
supported media: autoselect


interface information for a host on vlan2:

pix> ip address inside 192.168.9.2 255.255.255.0
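
The return-path problem described in this post, modelled as an added example (not part of the original thread): each device does a longest-prefix lookup, and a path is checked in both directions. The router's two connected routes come from the output above; the host routing tables, the Vlan1 host's default gateway of 192.168.8.20 and the device names are assumptions, and the router's Dialer1 routes are omitted.

```python
import ipaddress

# Which device owns each address (addresses are the ones quoted in the thread).
OWNERS = {"192.168.8.30": "host8", "192.168.8.20": "router",
          "192.168.9.1": "router", "192.168.9.2": "pix"}

def make_tables(pix_has_return_route):
    """Routing tables as (prefix, next_hop); next_hop None means directly connected."""
    tables = {
        # From the "show ip route" output above (Dialer1 entries left out).
        "router": [("192.168.8.0/24", None), ("192.168.9.0/24", None)],
        # Assumed: the Vlan1 host uses the router's Vlan1 address as its gateway.
        "host8": [("192.168.8.0/24", None), ("0.0.0.0/0", "192.168.8.20")],
        # Assumed: before the fix the PIX only knows its connected subnet.
        "pix": [("192.168.9.0/24", None)],
    }
    if pix_has_return_route:
        # The fix from the post: 192.168.8.0/24 via 192.168.9.1.
        tables["pix"].append(("192.168.8.0/24", "192.168.9.1"))
    return tables

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def trace(tables, src, dst, max_hops=8):
    """Devices traversed from src to dst, or None when some hop has no route."""
    device = OWNERS[src]
    path = [device]
    for _ in range(max_hops):
        if OWNERS[dst] == device:
            return path
        match = lookup(tables[device], dst)
        if match is None:
            return None
        next_ip = match[1] or dst  # connected route: hand straight to dst
        device = OWNERS[next_ip]
        path.append(device)
    return None

def check_both_ways(tables, a, b):
    """A ping needs both directions; report each one separately."""
    return {"forward": trace(tables, a, b), "return": trace(tables, b, a)}
```

Run with `make_tables(False)`, the request reaches the PIX but the reply has no route back, which matches the symptom of the router address answering while the host behind it did not.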
 
Is this even a layer 3 switch???

Routes do not matter with router on a stick, as all interfaces (logical, subinterfaces) are directly connected to each other...

If this is a layer 2 switch, you can only have one active SVI, and it will not route (just define the management interface). You also need ip default-gateway in the same subnet as this management vlan...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
The reason for a "show ip route" is to demonstrate to him the two routes the router should be showing in relation to these two subnets, which should then be matched by the subnet configuration on the devices on the other side of each of the router's interfaces.

"Router on a stick" does not apply here as each subnet is physically connected to a different interface.
 
"ip routes from router:"

Why is a router even brought into play?

I'll bet the user is trying this in a layer 2 switch...

 
Even though you have this working, I'm confused as to why you need an access-list and nat going outside on the vlan2 interface. Seems like you are trying to prevent access in reverse? If you want two way access - your configuration is too complicated. Get rid of the ACL and change nat outside to nat inside.

Seems you're routing between vlans and forcing the router to perform ACL checks on the traffic, which makes the router work harder than necessary.

Just a thought.
 
Thanks for the advice kbing.

Just to clarify, this configuration was just part of an exercise to create a pretend WAN between an 800 running IOS 12.4 and a PIX running 6.3 to facilitate creating an IPsec tunnel to bridge the 'local' interfaces of each device.

The exercise was purely academic and not representative of any production environment.

That said, the responses have been immensely helpful. Thank you.
 
Burtsbees: I wondered the same thing - but the interface names show it isn't any switch I'm familiar with: "interface FastEthernet0"
 