
create 2 vlans on cisco 2621 2


norryguy (MIS), Nov 19, 2002
We are in the process of installing a wireless network within our conference and learning center. We want to have one VLAN for guests and one for staff. I can do that with the Aironet 1231s we have, since they have VLAN capabilities and filters to go with those VLANs. Thanks to another thread I created, I was helped along by some of you and have now created two VLANs on my 3Com switches: VLAN 1, which will be the native one, and VLAN 2, the guest one. I am now trying to configure my router to let VLAN 2 have Internet access. My current router setup is that interface 0/0 is connected to the Internet feed and 0/1 is connected to our internal network. My current config is as follows. The internal interface does have two IP addresses on it. The 204.186 subnets on the internal and external interfaces are different. I am also getting rid of IPX, thus no IPX commands in the proposed config. Also, I am using the following for NAT:

ip nat inside source list 5 interface FastEthernet0/0 overload

current config:
interface FastEthernet0/0
description external network
ip address 204.186.x.x 255.255.255.252
ip access-group 120 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
speed 100
half-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description internal network
ip address 204.186.x.x 255.255.255.0 secondary
ip address 10.0.0.1 255.0.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed 100
half-duplex
appletalk cable-range 1-10 9.176
appletalk zone ANNEX
appletalk zone FIRST FLOOR
appletalk zone SECOND FLOOR
appletalk zone itec center
appletalk zone third floor
ipx network 92C9F053 encapsulation 802.1Q vLAN
ipx type-20-propagation
no cdp enable
no mop enabled

proposed config:
interface f0/0 stays the same
interface FastEthernet0/1
description internal network (802.1Q trunk to the switches)
no ip address
speed 100
half-duplex
no cdp enable
no mop enabled
!
! speed and duplex are physical-interface settings; they stay on Fa0/1 and are not
! accepted on the dot1q subinterfaces below. Primary address goes in before the secondary.
interface FastEthernet0/1.1
description internal network vlan id 1
encapsulation dot1q 1 native
ip address 10.0.0.1 255.0.0.0
ip address 204.186.x.x 255.255.255.0 secondary
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
appletalk cable-range 1-10 9.176
appletalk zone ANNEX
appletalk zone FIRST FLOOR
appletalk zone SECOND FLOOR
appletalk zone itec center
appletalk zone third floor
!
interface FastEthernet0/1.2
description internal network vlan id 2
encapsulation dot1q 2
ip address 192.168.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside

is this close?

thanks for your help
 
Yes, your proposed config looks OK. Got a question: since you're using VLANs now, why do you have a secondary IP address on sub-interface fa0/1.1? Why not just create a third VLAN for the secondary IP address space? This would be my recommendation.
 
3rd VLAN? Never thought of it. That would be cleaner. I'm guessing I could put access-lists on each of the sub-interfaces if I wanted to?

thanks
 
Yep, just make sure you put it on the proper subinterface and not directly on the physical interface, or your ACL will not work.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing."
 
I tried my proposed config tonight and the commands took with no errors, but I was unable to get outside the native VLAN that I created on interface 0/1.1. I could ping it from workstations, but that was it. I initially tried it with the secondary IP on the first virtual interface, but then took it off so that 10.0.0.1 was the only IP on it.

I have the "IP/IPX/AppleTalk/DECnet" feature pack, but when I did a search on Google I found a reference that said to route VLANs I need "IP Plus". Can you tell me if this is right?

The config for VLANs doesn't seem that hard, so either I have something strange going on on my network or perhaps I'm missing this feature pack.
 
I'm sure you checked this, but is routing enabled?
Is there a routing protocol configured? Not that it's needed in this case, just wondering. Can you post your config? Also, do a "show arp"; you should see the IP addresses and MACs of all the devices on the LAN for Fa0/1.1 and Fa0/1.2. Do the PCs have the correct default gateway?

 
I think routing is enabled. I mean the command "ip routing". I don't have to re-enable it after I create the sub-interfaces, do I? The PCs should have the right gateways, 10.0.0.1 or 204.186.x.x. Here is my entire config minus access-list 120; it's around 5 pages long.

Using 27604 out of 29688 bytes
!
version 12.1
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service pt-vty-logging
!
hostname csiu
!
logging buffered 16000 informational
aaa new-model
aaa authentication fail-message ^C
Authentication Failed
^C
aaa authentication password-prompt Password:
aaa authentication username-prompt Login:
aaa authentication login default local
enable secret 5 $1$kr7.$9zcSvjROhTaNbQKA5vOCI0
enable password 7 094F41021C
!
username eric password 7 06051C705903081D081E1C
username keithp password 7 00571D0054490855
username ptdncc password 7 105D011C12031F58
username david password 7 03570258535E
!
!
!
!
clock timezone EST -5
clock summer-time EDT recurring
no ip subnet-zero
no ip source-route
no ip finger
ip domain-name main.csiu.org
no ip dhcp conflict logging
!
no ip bootp server
appletalk routing
ipx routing 0002.b930.59c0
!
!
!
interface FastEthernet0/0
description external CSIU WAN network
! note: different subnet than on f0/1
ip address 204.186.x.x 255.255.255.252
ip access-group 120 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
speed 100
half-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description internal CSIU network
ip address 204.186.x.x 255.255.255.0 secondary
ip address 10.0.0.1 255.0.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed 100
half-duplex
appletalk cable-range 1-10 9.176
appletalk zone ANNEX
appletalk zone FIRST FLOOR
appletalk zone SECOND FLOOR
appletalk zone itec center
appletalk zone third floor
ipx network 92C9F053 encapsulation 802.1Q vLAN
ipx type-20-propagation
no cdp enable
no mop enabled
!
ip nat translation timeout 7200
ip nat translation tcp-timeout 3600
ip nat translation max-entries 2000
ip nat inside source list 5 interface FastEthernet0/0 overload
ip nat inside source static 10.0.5.87 204.186.x.x
ip nat inside source static udp 10.0.8.30 5632 204.186.x.x 5632 extendable
ip nat inside source static udp 10.0.8.29 5632 204.186.x.x 5632 extendable
ip nat inside source static tcp 10.0.8.30 5631 204.186.x.x 5631 extendable
ip nat inside source static tcp 10.0.8.29 5631 204.186.x.x 5631 extendable
ip nat inside source static tcp 10.0.8.88 4899 204.186.x.x 4899 extendable
ip nat inside source static 10.0.9.21 204.186.x.x
ip nat inside source static 10.0.5.5 204.186.x.x
ip nat inside source static tcp 10.0.7.202 14238 204.186.x.x 14238 extendable
ip nat inside source static udp 10.0.7.202 14237 204.186.x.x 14237 extendable
ip nat inside source static 10.0.0.53 204.186.159.53
ip classless
ip route 0.0.0.0 0.0.0.0 204.186.238.157
ip route 204.186.x.x 255.255.255.0 Null0
no ip http server
!
logging trap debugging
logging 10.0.10.57
access-list 1 permit 204.186.238.157
access-list 1 permit 204.186.98.0 0.0.1.255
access-list 1 permit 204.186.134.0 0.0.0.255
access-list 1 permit 204.186.63.0 0.0.0.63
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 204.186.159.0 0.0.0.255
access-list 5 permit 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.0.0.0 0.255.255.255 any

access-list 121 permit ip 0.0.0.160 255.255.255.7 host 204.186.159.244
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
no cdp run
no appletalk checksum
appletalk ignore-verify-errors
!
!
!
banner motd ^C
THIS SYSTEM IS FOR THE USE OF AUTHORIZED USERS ONLY.

Individuals using this computer system without authority, or in
excess of their authority, are subject to having all of their
activities on this system monitored and recorded by system
personnel. UNAUTHORIZED access to this system will be tracked
and logged. IF YOU HAVE ACCESSED THIS SYSTEM WITHOUT PROPER
AUTHORITY - DISCONNECT NOW.

In the course of monitoring individuals improperly using this
system, or in the course of system maintenance, the activities
of authorized users may also be monitored.

Anyone using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the
evidence of such monitoring to law enforcement officials.
^C
!
line con 0
exec-timeout 5 30
timeout login response 10
transport input none
line aux 0
no exec
exec-timeout 0 1
transport output none
line vty 0 4
access-class 1 in
exec-timeout 5 30
timeout login response 10
password 7 094E4F1B17000E
transport preferred none
transport input pad v120 telnet rlogin udptn mop
!
no scheduler allocate
end

thanks
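As an added example (this is not the original poster's config and not a reply from the thread), here is how the router-on-a-stick half of this design fits together once the advice above is applied: a third VLAN carries the 204.186.x.x /24 instead of a secondary address, the guest ACL is applied inbound on the guest subinterface rather than on the physical port, and the guest subnet is added to the NAT source list. The posted config only permits 10.0.0.0/8 in access-list 5, so 192.168.3.0/24 would be routed but never translated. VLAN 3, access-list 110, the DHCP relay line, and the retained `x.x` placeholders are assumptions, not values from the thread.

```cisco
! Physical interface: trunk carrier only. Speed/duplex live here, not on subinterfaces.
interface FastEthernet0/1
 description internal network (802.1Q trunk to 3Com switches)
 no ip address
 speed 100
 half-duplex
 no cdp enable
!
! VLAN 1 (native): staff, 10.0.0.0/8
interface FastEthernet0/1.1
 description staff vlan 1
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.0.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
! VLAN 2: guest wireless, 192.168.3.0/24. Inbound ACL keeps guests off the staff and
! public ranges and off the router itself, but lets them reach the Internet.
interface FastEthernet0/1.2
 description guest vlan 2
 encapsulation dot1Q 2
 ip address 192.168.3.1 255.255.255.0
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
! VLAN 3 (assumed numbering): the public 204.186.x.x/24 that used to be a secondary
! address on Fa0/1. No "ip nat inside": these hosts already have public addresses.
interface FastEthernet0/1.3
 description public vlan 3
 encapsulation dot1Q 3
 ip address 204.186.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Guest policy (assumed ACL number), applied inbound on Fa0/1.2.
! First line is only needed if guests get DHCP from the router or via ip helper-address
! (assumption); DHCP discovers come from 0.0.0.0 and would otherwise hit the implicit deny.
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 deny   ip any host 192.168.3.1
access-list 110 deny   ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny   ip 192.168.3.0 0.0.0.255 204.186.x.x 0.0.0.255
access-list 110 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
!
! The PAT rule below matches "list 5". Without the second permit, guest traffic is
! routed out Fa0/0 with a private source address and never gets a reply.
access-list 5 permit 10.0.0.0 0.255.255.255
access-list 5 permit 192.168.3.0 0.0.0.255
ip nat inside source list 5 interface FastEthernet0/0 overload
```

To check it from the router: `show vlans` lists each subinterface with its VLAN ID and addresses; `show ip interface brief` confirms the subinterfaces are up/up (if the physical port is up, the subinterfaces follow it regardless of whether the switch side is actually trunking, so also verify the 3Com port is tagging VLAN 2 and 3 and leaving VLAN 1 untagged to match `native`); `show ip nat translations` after a guest browses should show 192.168.3.x entries, and `show access-lists 110` should show hit counts climbing on the deny lines when a guest tries to reach 10.0.0.0/8. The `deny ip any host 192.168.3.1` line also blocks guest pings to the gateway; drop it if you want ICMP reachability for troubleshooting, but keep the denies to the staff and public ranges.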
 