
Cisco 871 inter-VLAN routing 2


rootn5th

MIS
Feb 6, 2009
10
Hi,

I hope someone can help me with a Cisco router problem. Essentially I think I need to route between VLANS but I will expand...

I have a Cisco 871 router with advanced IP services. I specifically chose this router because of the multiple VLANs available and need to do the following:

I have two subnets - 192.168.1.0/24 and 192.168.2.0/24. Each network has its own internet gateway - 192.168.1.254 and 192.168.2.254 respectively.

What I want to achieve is:

1. Each subnet to be able to use their respective gateway, and only that gateway.

2. The subnets to be able to 'see' each other and access resources on the other subnet.

3. Restrictions to be put in place to prevent certain protocols and IP addresses accessing resources on the other subnet - access-lists essentially.


What I have achieved so far is for the ports on the router to be able to pass traffic like a switch to the same subnet, and also to route out to one gateway. Ideally it would seem that I need to be able to set a gateway per subnet but can't find a way of doing this.

The snippet of config below allows the ports on VLAN 10 to communicate, and the same for VLAN 20. How can I route between these subnets?


interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 20
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
ip address 192.168.2.1 255.255.255.0


I've been fiddling for many hours but can't find a way to get it all working.

Thanks,
Sam.
 
you need to configure one of the ethernet ports as a trunk port. I don't have an 871 sitting in front of me, but it should look something like this:
Code:
Router(config)# int f1
Router(config-if)# switchport mode trunk
Router(config-if)# switchport nonegotiate
If you want to restrict the VLANs allowed on the trunk then add this:
Code:
Router(config-if)# switchport trunk allowed vlan 10,20
Be sure that you have the uplink from the switch configured correctly also.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
You don't need to do anything else to get the router to route between these networks. I think your problem lies with the fact that the default gateways for the clients in each VLAN aren't the 871. You state that each network has its own Internet gateway (192.168.1.254 & 192.168.2.254), however the addresses on the 871 are both '.1' so I assume the 871 isn't their default-gateway? To get this to work you would either have to have static routes on the workstations or set up some routing between the existing 'Internet Gateways' and the 871.

Andy
 
Uncle---the 871 has built-in switchports---the config he posted is from the router.

Sam---you simply make the ip address of vlan 10 192.168.1.254 and vlan 20 192.168.2.254. Do you want them reaching the internet in a different way?

Burt
 
lol...i'm outta here :-D ...see what happens when you try and post when you can't even see straight?? s'ok...

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for all the replies - I'll bear them all in mind.

I don't think I explained myself that clearly so sorry for the confusion.

The gateway routers are separate devices that I have no control over. They have fixed IP addresses and all I can do is send traffic to them. I want the Cisco 871 to sit between the two subnets and the two gateway routers.

Can I have separate routing tables for each VLAN? Can I do this with access-lists?
 
Hello
You can take a look at VRF-lite. But you would also need a layer 3 switch for the VLANs. It's the closest to getting separate routing tables.
Regards
 
As I have already said the problem you are having is the hosts default gateways are NOT the 871 so if they want to send packets outside of their local network they will send them to their default-gateway. The default-gateway (what you have no control over) doesn't know you have a local router for these networks so will just forward the packets to their default next-hop (or more likely drop them as they are RFC1918 addresses).
If you have no control over these other gateways then the only thing you can do is add static routes on the hosts. Hosts on the network 192.168.1.0/24 would need a static route for network 192.168.2.0/24 via gateway 192.168.1.1. Then reverse it for hosts on network 192.168.2.0/24. If it's Windows clients then via a command prompt you can do this
Code:
route add 192.168.2.0 mask 255.255.255.0 192.168.1.1
If you add '-p' to the end of the command the route is permanent and entered into the registry.

This is messy though and I don't like adding routes to hosts as they tend to get forgotten about and cause more problems later on. You could add the route commands to login scripts which would be better, but still not ideal. Get control over the internet gateways is the best option.

Andy
 
Thanks.
Right, I've just about got something working but I can see that not having access to the gateway routers is going to be an issue. I set up a testbed with RIP and that worked well but have found out that RIP is not configured on the gateways I will be using. What I have so far is:

bridge irb
!
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 20
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan10
no ip address
ip route-cache policy
ip policy route-map school
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan20
no ip address
ip route-cache policy
ip policy route-map school
bridge-group 2
bridge-group 2 spanning-disabled
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
!
interface BVI2
ip address 192.168.2.1 255.255.255.0
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
route-map school permit 10
match ip address 1
set ip next-hop 192.168.1.254
!
route-map school permit 20
match ip address 2
set ip next-hop 192.168.2.254
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip


Clients are set with their default gateway as .1 on their respective networks.


Everything works well apart from the access to the internet because the gateway routers don't know how to get back to the Cisco 871. Guess I'll just have to figure out a way around it. I'm hoping to get some more info on the gateways I'll be using to see if I can mould my Cisco around them.

Cheers,
Sam.
 
You also have some redundant configuration in there as well....
Code:
bridge irb
!
interface Vlan10
 no ip address
 ip route-cache policy
 ip policy route-map school
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan20
 no ip address
 ip route-cache policy
 ip policy route-map school
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
!
interface BVI2
 ip address 192.168.2.1 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
There is no need to have the BVIs or bridging configuration; you can apply the IP addresses directly on the SVIs:
Code:
interface Vlan10
 no ip address
 ip route-cache policy
 ip policy route-map school
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 no ip address
 ip route-cache policy
 ip policy route-map school
 ip address 192.168.2.1 255.255.255.0
I have no idea why you put the bridging configuration in there?

Andy
 
If you need each network to go out to each specific .254... Why not have each network use ip address of lets say 192.168.10.x and 192.168.20.x. Then take the 192.168.10.x and do a static route to the 192.168.1.254? and then do the same for the 20.x with a static route to the 192.168.2.254...

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
Lack of experience and knowledge and trying a million different configs to get it working. I've made the amendments you've suggested and it does as it did before. Thanks.

However, after further testing, I have found that I can get the darned 871 to do either one thing or the other (it would have been like this before I changed it.)

1. Route between subnets quite happily but not disperse traffic to the correct gateway.

or

2. Route traffic to the correct gateway (using route-maps) but not route between subnets.

I can see why scenario 2 is happening - because all traffic is being matched in the ACL and being sent on its merry way to the gateway regardless of whether it is destined for a local address or not.

I need the 871 to:

1. Check the source IP of the traffic to see where it is from (route-maps seem to do this) so it can disperse to the correct place.

and

2. Check the destination of the traffic after checking the source and distribute to the correct gateway.

I feel I am close to getting this working in a basic form but can't get around this problem.

Thanks all for the advice here!
Sam.
 
I've been playing around with extended access-lists to see if I can deny certain traffic from getting routed out based on its destination. No luck yet but still trying. Here's the sh ver:

Router#sh ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 14-Aug-08 07:43 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Router uptime is 7 hours, 57 minutes
System returned to ROM by power-on
System image file is "flash:c870-advipservicesk9-mz.124-15.T7.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 871 (MPC8272) processor (revision 0x300) with 118784K/12288K bytes of memory.
Processor board ID FHK125222HK
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
28672K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102
 
I think I'm there!
Basic config below. Please forgive the rough edges and the chunky looking access-lists.

All suggestions helped, and the link from Burt was useful but I think I was onto that already. I think the key was using extended access-lists to manipulate traffic a bit more subtly than the standards.

Not sure if it will actually work in the field, but the reason I always go to Cisco is that it seems that even if it shouldn't work, there is a way to force the brute into doing what you want :)

Cheers,
Sam.


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 192.168.1.254
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 20
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip route-cache policy
ip policy route-map school
!
interface Vlan20
ip address 192.168.2.1 255.255.255.0
ip route-cache policy
ip policy route-map school
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 Vlan10
ip route 192.168.2.0 255.255.255.0 Vlan20
!
!
no ip http server
no ip http secure-server
!
ip access-list extended routing1
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended routing2
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
route-map school permit 10
match ip address routing1
set ip next-hop 192.168.1.254
!
route-map school permit 20
match ip address routing2
set ip next-hop 192.168.2.254
!
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end
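Added example, not part of the thread: a small Python model (my own, assuming IOS first-match ACL semantics and that a route-map sequence only sets a next hop when its ACL returns permit) of how the route-map "school" is evaluated. It reproduces why the earlier standard access-list 1 sent local inter-VLAN traffic to the .254 gateway, while the final extended ACLs let that traffic fall through to normal routing and still steer Internet-bound traffic to each subnet's own gateway.

```python
import ipaddress

def in_wild(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(acl, src, dst):
    """Return 'permit'/'deny' of the first matching ACE, None on implicit deny."""
    for action, sb, sw, db, dw in acl:
        if in_wild(src, sb, sw) and in_wild(dst, db, dw):
            return action
    return None

def next_hop(route_map, src, dst):
    """First sequence whose ACL permits the flow sets the next hop; a deny or
    implicit deny falls through; no sequence matching means normal routing."""
    for acl, hop in route_map:
        if acl_action(acl, src, dst) == "permit":
            return hop
    return "normal-routing"

# ACEs as (action, src, src-wildcard, dst, dst-wildcard), taken from the thread.
ANY = ("0.0.0.0", "255.255.255.255")
NET1 = ("192.168.1.0", "0.0.0.255")
NET2 = ("192.168.2.0", "0.0.0.255")
LOCAL_DENIES = [("deny",) + s + d for s in (NET1, NET2) for d in (NET1, NET2)]
ROUTING1 = LOCAL_DENIES + [("permit",) + NET1 + ANY]
ROUTING2 = LOCAL_DENIES + [("permit",) + NET2 + ANY]
SCHOOL_FINAL = [(ROUTING1, "192.168.1.254"), (ROUTING2, "192.168.2.254")]

# Earlier attempt: standard ACL 1 matches on source only (destination = any),
# and sequence 20 referenced ACL 2, which did not exist, so it never matched.
ACL1_STANDARD = [("permit",) + NET1 + ANY, ("permit",) + NET2 + ANY]
SCHOOL_EARLY = [(ACL1_STANDARD, "192.168.1.254")]

if __name__ == "__main__":
    for rm, name in ((SCHOOL_EARLY, "early"), (SCHOOL_FINAL, "final")):
        for src, dst in (("192.168.1.10", "192.168.2.20"),
                         ("192.168.2.10", "203.0.113.5")):  # constructed hosts
            print(name, src, "->", dst, ":", next_hop(rm, src, dst))
```

Note that the model only covers the forward direction on the 871; the return-path problem the thread discusses (the .254 gateways not knowing a route back to the 871) is untouched by PBR.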
 