VLANS

[gregworcester]

Hi Guys,

I have a bit of a problem with vlans. Experimenting with them
here at home to see how they work. I am working with cisco
equipment, A 2621 router, a 2950 switch, a 2900 swith. I have
created 4 vlans as subs on the 2621 on the fa0/1 interface.
I put one of my printers in the .10 vlan, it is on port 4
of the 2900. Put the port in the vlan with the appropiate
switchport commands and I am able to print. This is ok. I then
put one of my pc's in vlan 20. Put its port in vlan 20. Re-booted the
PC and it picked up a 192.168.20.2 address from the scopes i added
on the 2621. From the PC i can ping any where and from all the cisco
stuff i can ping the pc. On the PC i cant ping outside to the internet
and do not have any connectivity at all.
The FA0/1 on the router is trunked to port 12 on the 2950.
The 2950 is the VTP server, the 2900 is a client.
The vlans are propagating.
All seems to work ok, except the no connectivity when i put a
machine in a vlan.
IP routing is enabled on the 2621.
On the sub-interfaces i do have a IP helper statement.

Cisco config are as follows.

2621 router

Current configuration : 7939 bytes
!
! Last configuration change at 22:24:00 EST Wed Dec 9 2009 by gregw
! NVRAM config last updated at 11:18:56 EST Wed Dec 9 2009 by gregw
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname WP2621
!
boot-start-marker
boot-end-marker
!
logging rate-limit all 10
no logging console
enable secret 5 $1$kuy8$ed/RH1eDfnUjeUeVNX3be.
enable password 7 105D0C170216
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no ip source-route
ip cef
!
!
ip inspect name email pop3
ip inspect name smtp smtp
ip inspect name

http://www http

ip inspect name cu cuseeme
ip inspect name ftp ftp
ip inspect name dns dns
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.2 192.168.0.101
ip dhcp excluded-address 192.168.0.249 192.168.0.254
!
ip dhcp pool whitepine
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.101
!
ip dhcp pool Vlan10
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
ip dhcp pool Vlan20
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
ip dhcp pool Vlan30
import all
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
!
ip dhcp pool Vlan40
import all
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
!
!
no ip bootp server
ip domain name whitepine.local
ip name-server 69.24.0.2
ip name-server 69.24.8.2
ip ssh rsa keypair-name WP2621.whitepine.local
ip ssh version 2
!

interface ATM0/0
mac-address 0007.eb78.10c0
bandwidth 3000
no ip address
no ip redirects
no ip unreachables
no atm ilmi-keepalive
atm ilmi-pvc-discovery
dsl operating-mode auto
dsl enable-training-log
!
interface ATM0/0.35 point-to-point
ip address dhcp client-id FastEthernet0/0
no ip redirects
no ip unreachables
ip accounting output-packets
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/35
encapsulation aal5snap
!
!
interface FastEthernet0/0
ip address dhcp
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
ntp disable
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.0.101 255.255.255.0
ip access-group 105 in
ip access-group 101 out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/1.10
description Printers
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group 105 in
ip access-group 101 out
no cdp enable
!
interface FastEthernet0/1.20
description PC
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip access-group 105 in
ip access-group 101 out
ip helper-address 192.168.20.1
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1.30
description Mac
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip access-group 105 in
ip access-group 101 out
no cdp enable
!
interface FastEthernet0/1.40
description Observatory
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip access-group 105 in
ip access-group 101 out
no cdp enable
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface ATM0/0.35 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp any any eq pop3 log-input
access-list 101 permit tcp any any eq smtp log-input
access-list 101 permit tcp any any eq

http://www log-input

access-list 101 permit tcp any any eq ftp log-input
access-list 101 permit udp any any eq tftp log-input
access-list 101 permit udp any eq domain any log-input
access-list 101 permit tcp any any established log-input
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any log-input
access-list 101 permit tcp 192.168.20.0 0.0.0.255 any log-input
access-list 101 permit tcp 192.168.30.0 0.0.0.255 any log-input
access-list 101 permit tcp 192.168.40.0 0.0.0.255 any log-input
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any log-input
access-list 105 deny ip host 216.92.217.52 any log-input
access-list 105 deny ip host 207.251.97.35 any log-input
access-list 105 deny ip host 174.132.93.148 any log-input
access-list 105 permit ip any any
no cdp run

privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
!
line con 0
access-class 1 in
exec-timeout 5 0
password 7 060B0639584719150C0F
line aux 0
exec-timeout 0 1
password 7 00091A1E10521B0A0639
no exec
line vty 0 3
access-class 1 in
exec-timeout 5 0
password 7 00091A1E10521B0A0639
transport input ssh
line vty 4
access-class 1 in
exec-timeout 5 0
password 7 03095213120631404711
transport input ssh
line vty 5 15
password 7 12140C0F06021C082333
!
ntp clock-period 17180484
ntp source FastEthernet0/0
ntp master
ntp max-associations 20
ntp server 64.247.17.253
ntp server 67.106.77.184
ntp server 198.200.182.10
ntp server 66.70.29.130



2950 switch

Current configuration : 4552 bytes
!
! No configuration change since last restart
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname WP2950
!
aaa new-model
aaa authentication login default local
enable secret 5 $1$W3s4$y7rUzYTg5Q/IzfdgFkN2S0
enable password 7 141615050917
!
ip subnet-zero
no ip source-route
!
vtp interface fa0/1
cluster enable Whitepine 0
cluster member 1 mac-address 00b0.642c.d880
!
cluster order 0,1
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
switchport mode trunk
duplex full
!
interface FastEthernet0/2
duplex full
!
interface FastEthernet0/3
duplex full
!
interface FastEthernet0/4
duplex full
!
interface FastEthernet0/5
duplex full
!
interface FastEthernet0/6
duplex full
!
interface FastEthernet0/7
duplex full
!
interface FastEthernet0/8
duplex full
!
interface FastEthernet0/9
duplex full
!
interface FastEthernet0/10
duplex full
!
interface FastEthernet0/11
duplex full
!
interface FastEthernet0/12
switchport mode trunk
duplex full
!
interface Vlan1
ip address 192.168.0.2 255.255.255.0
no ip route-cache
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
no ip route-cache
shutdown
!
ip default-gateway 192.168.0.101
no ip http server
!
ip access-list extended CMP-NAT-ACL
dynamic Cluster-HSRP deny ip any any
dynamic Cluster-NAT permit ip any any
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run

!
line con 0
access-class 1 in
exec-timeout 5 0
password 7 060B0639584719150C0F
line vty 0 4
access-class 1 in
exec-timeout 5 0
password 7 03095213120631404711
transport input telnet
line vty 5 15
password 7 060B0639584719150C0F
!
ntp clock-period 17179904
ntp peer 192.168.0.10



2900 switch

Current configuration:

!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname WP2900
!
aaa new-model
aaa authentication login default local
enable secret 5 $1$W3s4$y7rUzYTg5Q/IzfdgFkN2S0

ip subnet-zero
no ip source-route
no ip finger
ip domain-name whitepine
!
cluster commander-address 000a.4136.3600 member 1 name Whitepine
!
!
interface FastEthernet0/1
duplex full
switchport trunk encapsulation dot1q
switchport mode trunk
no cdp enable
!
interface FastEthernet0/2
duplex full
no cdp enable
!
interface FastEthernet0/3
duplex full
no cdp enable
!
interface FastEthernet0/4
duplex full
switchport access vlan 10
no cdp enable
!
interface FastEthernet0/5
duplex full
no cdp enable
!
interface FastEthernet0/6
duplex full
no cdp enable
!
interface FastEthernet0/7
duplex full
no cdp enable
!
interface FastEthernet0/8
duplex full
no cdp enable
!
interface FastEthernet0/9
duplex full
no cdp enable
!
interface FastEthernet0/10
duplex full
switchport access vlan 20
no cdp enable
!
interface FastEthernet0/11
duplex full
no cdp enable
!
interface FastEthernet0/12
duplex full
no cdp enable
!
interface FastEthernet0/13
duplex full
no cdp enable
!
interface FastEthernet0/14
duplex full
no cdp enable
!
interface FastEthernet0/15
duplex full
no cdp enable
!
interface FastEthernet0/16
duplex full
no cdp enable
!
interface FastEthernet0/17
duplex full
no cdp enable
!
interface FastEthernet0/18
duplex full
no cdp enable
!
interface FastEthernet0/19
duplex full
no cdp enable
!
interface FastEthernet0/20
duplex full
no cdp enable
!
interface FastEthernet0/21
duplex full
no cdp enable
!
interface FastEthernet0/22
duplex full
no cdp enable
!
interface FastEthernet0/23
duplex full
no cdp enable
!
interface FastEthernet0/24
duplex full
no cdp enable
!
interface VLAN1
ip address 192.168.0.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
ip default-gateway 192.168.0.101
no ip http server
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run

!
line con 0
access-class 1 in
exec-timeout 5 0
password 7 082C45561D10151B1B13
transport input none
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 5 0
password 7 13081E0A1F051426223C
transport input telnet
line vty 5 15
password 7 060B0639584719150C0F
!
ntp clock-period 22518162
ntp peer 192.168.0.101
end

 

[VinceWhirlwind]

I think the main thing is your lack of a default route pointing at the internet on your router.

Normally, the f0/1 on the router should have "no ip address" on it. The IP addresses are on the subinterfaces.

Might be good to enable CDP on the 2900 & the router.

Also, even though they are shutdown, get rid of the duplicate IP addresses on the 2950 VLAN interfaces.

It would be very helpful to have "Description" on the interfaces "link to 2621" etc....

And while you are troubleshooting, get rid of access-lists, etc...

 

[unclerico]

1) Remove the ip configuration from the f0/1 on the router and put it into a subinterface also
2) I do not see from the configuration that any ports are members of any vlan besides vlan1


I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[VinceWhirlwind]

Unclerico, your point 2) - that's what I thought too, but there two of them (one in each VLAN) and they are hard to spot!

 

[burtsbees]

Also, this

access-list 1 permit 192.168.0.0 0.0.0.255

needs to be this

access-list 1 permit 192.168.0.0 0.0.255.255

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[unclerico]

good catch vince!!!

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[burtsbees]

I'm Burt...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[unclerico]

haha i know you are burt, the great burt of camelot. i said good job to vince because he caught my proofreading mistake. good job burt!!!

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[burtsbees]

lol

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[gregworcester]

Hi Guys.

Thanks for all the responses. I have dumped the vlans for the moment and i am trying to get my network communicating with my default gateway configured on a sub of FA0/1. As suggested by unclerico. If I can get this working, then i will play with vlans. Below is config i added to router, could ping the router from PC but nothing to the internet.
It should work though, all i have done is transfer everything to a sub-interface.
I did add the vlan101 and put the pc port into it.

ip dhcp pool vlan 101
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.101

interface FastEthernet0/1.10
description Gateway
encapsulation dot1Q 10
ip nat inside
ip address 192.168.0.1 255.255.255.0

Any ideas. i can post more config info later if needed.

 

[gregworcester]

That fastethernet is wrong in my previous post. It is
Fa0/1.101 on the router.

 

[gregworcester]

OMG. the encapsulation is pointing to 101. Sorry

 

[unclerico]

Unless I'm missing something you need a default route on your router. I have been known to be blind from time to time though.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[gregworcester]

I do it is

ip route 216.107.224.0 255.255.255.254 192.168.0.0

 

[StaplesMan]

Normaly a default route would be...

ip route 0.0.0.0 0.0.0.0 x.x.x.x

x.x.x.x default gateway that your ISP has given you. Or your next hop router.


I did notice your Fa0/0 interface is dhcp. On my routers that use dhcp from my recall I don't need to set a default route at all because the dhcp will automatically assign it.

Verify your default route by using the following command:

show ip route

you should get something like this:

Gateway of last resort is 208.159.5.2 to network 0.0.0.0

C 208.159.5.0/24 is directly connected, FastEthernet0
S* 0.0.0.0/0 [254/0] via 208.159.5.2



CCNA, A+, HP Certified Professional

 

[gregworcester]

Hi guys, thanks for the help. Figured it out, and the vlans.

 

[burtsbees]

What did you do? Please post the final config for others to see...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[gregworcester]

Hi guys

Sorry about that. Did not mean to be short. Here is my final config. Added
encapsulation dot1Q 101 native to the .101 sub-interface seemed to do the trick.
Here is the config. Any additional suggestions would be welcome.


ip dhcp pool whitepine
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.101
!
ip dhcp pool Vlan170
import all
network 192.170.0.0 255.255.255.0
default-router 192.170.0.1

interface FastEthernet0/1
no ip address
ip access-group 105 in
ip access-group 101 out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
interface FastEthernet0/1.101
description Gateway
encapsulation dot1Q 101 native
ip address 192.168.0.101 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.170
description Printer subnet
encapsulation dot1Q 170
ip address 192.170.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 192.168.0.0 255.255.255.0 216.107.224.0
ip route 192.170.0.0 255.255.255.0 216.170.224.0


WP2621#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 216.107.224.1 to network 0.0.0.0

C 192.170.0.0/24 is directly connected, FastEthernet0/1.170
C 192.168.0.0/24 is directly connected, FastEthernet0/1.101
S* 0.0.0.0/0 [254/0] via 216.107.224.1
C 216.107.224.0/23 is directly connected, ATM0/0.35
WP2621#

 

[VinceWhirlwind]

!
interface FastEthernet0/1.101
description Gateway
encapsulation dot1Q 101 native
!
interface FastEthernet0/1.170
description Printer subnet
encapsulation dot1Q 170
!

It isn't immediately obvious why you would want such an inconsistant configuration.

What happened to "PC", "MAC", "OBSERVATORIES" VLANs?
What is this "GATEWAY" VLAN, is it your WAN link? (I had assumed your WAN link was one of the other router interfaces).

If so, I think I see what you've got - you have created a VLAN mismatch to bridge VLAN 101 on the router with VLAN1 on the switch? If so, then perhaps the problem you needed to solve was to make your WAN link an Access port on VLAN 101.

 

[gregworcester]

Hi Vince, thanks for the feedback. Tex-tips (burtsbees) mostly help me setup this router. It is a 2621 with a ADSL WIC card in it. The two Fastethernet configs my ISP sent to me. The way i understand it, the fa0/0 is doing DHCP to grab the IP of the ISP from the ATM sub-interface, my FA0/1 is my internal network, but to get the vlans working I could not have an Ip on it. Hence the need for putting it on a sub. It works ok. I am not sure what you mean by :

you have created a VLAN mismatch to bridge VLAN 101 on the router with VLAN1 on the switch? If so, then perhaps the problem you needed to solve was to make your WAN link an Access port on VLAN 101. (How would I do this?)

Am I missing something here?
Is there a better way to do it?

I got rid of all the VLANS for the time being except for the printer subnet which isnt going to fly anyway as my wife has macs running OSX (Tiger) and it has a problem seeing encapsulation of the .1q variety and they cant see the printers.
Here is the relevent portion of the config.

interface ATM0/0
mac-address 0007.eb78.10c0
bandwidth 3000
no ip address
no ip redirects
no ip unreachables
no atm ilmi-keepalive
atm ilmi-pvc-discovery
dsl operating-mode auto
dsl enable-training-log
!
interface ATM0/0.35 point-to-point
ip address dhcp client-id FastEthernet0/0
no ip redirects
no ip unreachables
ip accounting output-packets
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/35
encapsulation aal5snap
!
!
interface FastEthernet0/0
ip address dhcp
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
ntp disable
no cdp enable
!
interface FastEthernet0/1
no ip address
ip access-group 105 in
ip access-group 101 out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
interface FastEthernet0/1.101
description Gateway
encapsulation dot1Q 101 native
ip address 192.168.0.101 255.255.255.0
ip nat inside
ip virtual-reassembly