Cisco Switching/Routing :: 1921 Routing Access From Mixed IP Ranges Between VLANS
Jan 23, 2013
I have the following config using a Cisco 1921. I am trying to get devices on the native VLAN to get internet access via the gateway x.x.x.73. Anything being routed from the other VLANs 15/20/30 can get access, but nothing from an internal IP address. Is there something I am missing?
The Xs replace the same 3 octets for each interface. I am trying to route from VLANs 15/20/30 to see VLAN 5. I have tried a few things, in terms of adding extra ip routes, but can't get anything to work. Each of those VLANs has another router on the other side of it, which I have also tried adding ip routes to, but nothing. One of the routers (Vlan15 is a Draytek 2830). [code]
I have configured HSRP with InterVlan routing. All communication is flowing properly between the VLANs on Router A, but when I test failover to Router B I can't ping ANYWHERE. I cannot ping any of the VLANs.
Also, from the primary router I cannot ping any of the interfaces on the secondary router.
I have 2 Cisco 1921 Routers configured for HSRP. Both the G0/1 ports plug into a Cisco 2960S 48 port POE switch (STACKED) (port 1 and port 2, which are trunked and allowing all VLANs to pass through). And both of the G0/0 ports are plugged into a Cisco ASA5510.
I have attached a diagram of the setup and the interface configs of the routers.
I wanted to know about EHWIC 8-Port configuration. We create Data and Voice VLANs and assign 8 ports to the VLANs. So how do VLANs communicate with each other? We cannot make Gi0/1 as sub interfaces and assign the same subnet IPs as the VLAN IPs; it won't accept. On the 1921 router, assume Gi0/0 we connect to MPLS WAN. What happens to Gi0/1, where do we connect this?
upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 vlans for the different departments and then configure intervlan routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheap as possible.... Is there a way to use the ASA to configure all the vlans and intervlan routing and access lists and use a cheaper switch to provide the access layer to hosts?
I can't resolve one problem on my 1921 ISR router. I have a web server in my internal LAN; I set up static NAT for accessing that web server from outside and it works fine, but I cannot view that site from internal workstations. Can you suggest what to do? As I know, when the request gets to the router it performs static NAT and sends the packet to the web server, but the server responds with its private source address instead of the public address which the workstation expects, and the connection cannot be established.
We want to purchase a new Cisco ISR 1921/K9. I want to know: does it support the following sample IP-SLA commands?
ip sla 2
 icmp-echo 172.16.1.2
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now
track 10 rtr 1 reachability
 delay down 1 up 1
!
track 20 rtr 2 reachability
 delay down 1 up 1
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10
ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20
I'm asking the above question because we will need to enable IP-SLA on the mentioned router. As I read on the Cisco website, it says Cisco-ISR-1921/K9-IP Base supports only the IP-SLA RESPONDER feature, nothing else. If Cisco-921/K9 does not support the above commands, should I go for ordering Cisco-1921-SEC/K9?
I feel like this has probably been asked a thousand times over, but it doesn't seem to work for me. TCP works fine. I can't find any definitive answers, I'm still a novice with the IOS.
The purpose behind opening the ranges of UDP ports to the interface and forwarding is because the people in question want to run a VOIP phone from their home, but they have a home grade Internet connection, so therefore no static IP. Also, they're not going to pay for a router to create a S2S VPN.
Also, from one of the remote sites for which there is a VPN (the 192.168.6.X/24 site), the audio is only one way. The phone guy says "I need to open ports both ways through the VPN", but I feel like that's already been done??
For my other site (192.168.15.0/24) I have an IPSEC over GRE tunnel going. I don't know about the status of the voice phone there, or if it's even made it there.
Here's my config... I'm redacting things like public IPs, VPN keys, and the like.
#show run
Building configuration...
Current configuration : 6525 bytes
!
! Last configuration change at 14:51:00 EST Wed Jan 2 2013 by ctouch
! NVRAM config last updated at 14:57:46 EST Wed Jan 2 2013 by ctouch
[Code]...
I want to control access to internet on VLAN1 and VLAN2 (access on VLAN3), while providing access to VLAN4. My problem is in connecting to internet: I can't find a way to "route back" traffic to VLANs 1 and 2, since the HG8245 doesn't seem to provide proper static routing ON the LAN interface. Maybe without resorting to changing the HG8245 router?
I am trying to set up VLANs in the company I work for and I am almost there, but missing the part where the internet works. I have an SG300 as a L3 Router, IP 192.168.0.93. I have created VLAN20 and VLAN40, and assigned VLAN20 192.168.2.1 and VLAN40 192.168.4.1.
The static routes have been created and a default router going to the Sonicwall firewall at 192.168.0.1. Port 24 is configured as Untagged VLAN1, Untagged VLAN20 and VLAN40 in trunk mode and going to the Sonicwall NSA 2400. [code]
Working to move all of the 192.168.0.x network off of VLAN1 and move it to a management switch. I have DHCP helper on, pointing to the DHCP server. Both VLANs, once the DHCP server is configured to Gateway 192.168.0.93, can get an IP from the correct subnet, either 192.168.2.x or 192.168.4.x.
All PCs are getting a GW IP of 192.168.2.1 or 192.168.4.1. All test PCs on both VLANs can ping each other and any server with the correct GW. When I try to ping google.com or open a web page and try google.com it times out.
I have this Cisco 4507 switch that I need to configure multiple IP ranges on. The problem is that I can only configure two IP ranges on it, one IP range on the management VLAN and the other IP range on VLAN 2. After I have configured these 2 VLANs with different IP ranges, I can route between them and get them to talk to each other, but that is all I can do. If I add another VLAN with a different IP range I cannot see it from the switch or get any of the other IP ranges to see it.
I am doing something dumb because this is a layer 4 device so it should be able to route the IP ranges. I have tried everything, just cannot get it to work. I have assigned the IP range directly to the port number and directly to the VLANs. Just won't work.
I have come across this topic, and I am wondering if these images can be uploaded to any 2900 series switches or not, and if this will work as access port for more than vlans. URL...
We have a network of 30 VLANs and currently all the VLANs have access to everything. We are using a Cisco 6509 switch for Layer3 routing. I would like to prevent some VLANs accessing the server VLANs. How can I restrict access to the server VLANs? Do I need to implement access-lists on the 6500 switch, or do I need to create VLANs on the firewall so that all traffic is filtered?
They have a locked Cisco Router which is from the ISP and it's confed on a fa 0/0 interface to share Internet access on the network. The IP on that interface is 195.198.11.217 255.255.255.252 and I tried it with a PC (set my personal IP to .218 and entered their DNS info (195.67.199.27)) and it is working. The question is now. My friend found a 3550 laying around and since the ISP won't let them conf their router he wants to use the 3550 to create 2 VLANs with internet access and without access to each other. Vlan 10 for the desktops and Vlan 20 for the wireless (moving on to some Netgear wireless switches). How would you configure the 3550 for this to work?
I am trying to set up a Cisco 2950 with a VLAN to separate all of the POS machines on the network (4 of them) from all other machines in the building (3 hard wired and Wi-Fi). I was going to use VLAN 1 as a trunk to allow internet access to go from fa0/1 to both VLANs (VLAN 10 and VLAN 20). I have read things about the ACL having an explicit deny at the end, so I'm thinking that is my problem. I am testing it at my house before deploying it to the network. I have 1 laptop set up with an IP of 192.168.0.50, and the other is .60. My router is 192.168.0.1. I have the ethernet from the router plugged into fa0/1, the 1st laptop on fa0/2 and the other at fa0/3. Before I set the VLANs up, I checked the communication by just plugging them in and trying to ping; they could both ping each other, the router and 8.8.8.8. When I finished setting up the test VLANs, they could not ping each other (what I wanted) and laptop 1 can ping the router, and 8.8.8.8. Laptop 2 cannot ping anything. The only thing I did was create VLAN 10 and 20, set port fa0/2 to VLAN 10 and no sh, fa0/3 to VLAN 20 and no sh, fa0/1 to VLAN 1 and no sh. Then I did switchport mode trunk on fa0/1, and switchport native vlan 1. This seems to be how I was supposed to do it, but it's been a while since I have worked with switches. I'm sure it's simple, but after searching the internet and poring over my Cisco books for 5 hours, it is turning out not to be the case. Here are some details:
I have set up a scenario for a small business and have some questions about how to manage the access between the VLANs. Is there a better / another way to do it? See the attached picture for the topology / info.
My question is: My switches are set up with x number of VLANs and a routed port (no switch port) to the ASA for internet connectivity. What is the best (or only??) way to manage the access between the VLANs? Is it ACLs on the switch?
And by "managing access" I mean VLAN 50 (public WiFi) only has access to the internet, only management servers have access to the management VLAN, the Client VLAN only has RDP access to the server VLAN and so on. Is there any way to do this in the ASA (or add another (gigabit) router to the topology), or is the only way to have lots of ACLs on the switch itself? I have thought about "router on a stick", but then I imagine there will be a bottleneck between the switch and the ASA?
(Equipment is 2 x 3650G, ASA5505, AP1252 - see attached file).
I have a small Cisco switch cluster (seven different 2924, 3524 Cisco switches) with a 3550 as a cluster control which does all the inter vlan routing that works fine.
This cluster is in a semi production PBX interop testing lab. This is a closed network without internet access and not connected to our corporate network. However, now I have to add this capability so some equipment in the lab can get Microsoft updates over the internet.
I've created a port on a 3550 (fa0/19) and connected it to another network that has internet access. It picked an IP address and when I'm logged in to the 3550 I can ping hosts on the outside network. However, I can't ping any hosts on that network from any hosts that are connected to my VLANs. I've tried a few different things, but still can't make it work.
Here is a short version of my 3550 configuration:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
I've got a 3750x stack set up as my core switch (only a small-ish environment) - I'm shortly going to be deploying an enterprise wireless network with Corporate and Guest SSIDs. I'm going to be putting all traffic from the Guest SSID in VLAN 244, and don't want it to have access to any of the other VLANs (1 (Legacy Eqpt), 4, 8, 12, 16, 20, 24, 28, 32, 248 & 252).
IP ranges for all the main VLANs are:
1: 10.0.0.x/22
4: 10.0.4.x/22
8: 10.0.8.x/22
12: 10.0.12.x/22
16: 10.0.16.x/22
etc etc (you get the pattern)
I'll probably give Guest traffic (VLAN 248) the IP range 192.168.10.x/22 (not because I NEED that many addresses, but it's easier for everyone to remember/understand if I keep the subnet masks the same all round). However I also have a CCTV VLAN (252) which already has the range 192.168.0.x/24, which some people in other VLANs WILL need access to.
So my question is: What is the syntax for the ACL on my 3750x (IP base - 15.0.2) to prevent traffic from VLAN 244 gaining access to any of my other VLANs? I'm making a broad assumption here that a layer 3 switch is perfectly capable of supporting that function? I need ALL the syntax for setting up ACLs - I've never done it before.
My gateway device by the way is 10.0.4.1, and I do have inter-VLAN routing set up on the core switch (obviously).
Running 12.2(53)SE2, IP base. Now I tried upgrading the firmware on the entire stack to 12.2(55)SE4 and ran into this error: (Command: archive download-sw /imageonly /overwrite /allow-feature-upgrade tftp://10.20.20.13/c3750e-universalk9-tar.122-55.SE4.tar)
Error: The image in the archive which would to used to upgade system number 2 does not support that system type. I haven't as yet removed the "3750G-24TS" switch from the stack and re-tried as yet, however, is the expectation that without the 24TS, the upgrade should work?
I am not sure if what I am trying to accomplish is possible. On my internal network I have the following VLANs set up (102, 104, 106) and they map one to one to a subnet (ie: 102 = 192.168.102.0/23, 104 = 192.168.104.0/24, etc). All interVLAN routing is done on a 3560 via VLAN SVI. Connected to the 3560 via a routed port is an ASA 5510. The routed port has IP 192.168.100.1 and the ASA interface on the other side of that routed port has IP 192.168.100.2. I use 802.1x on the wired network to assign users (based on their department) into a specific VLAN. I want to extend this concept to Remote VPN access. Therefore I set up multiple Group Policies (policy is applied based on an LDAP attribute) where each policy defines a different DHCP scope. This has successfully allowed me to log in with different users who get assigned to different Group policies and they obtain the correct DHCP IP address from the internal DHCP server (ie: an engineering person logs in remotely and gets an IP in the 192.168.102.0 range). However the issue (and as I was planning this out I knew this would come up) is that traffic can be routed out from the VPN client to its destination but there is no return path.
We need to give differentiated internet access to three VLANs. Each one of these VLANs is used for totally different purposes, so traffic between the VLANs is not allowed. Each VLAN has its own internet access provided for the data center using one fast ethernet connection.
We're thinking about using a Cisco 2911 for Internet access, VPN and firewall. I suppose that the best option for VLANs is using a Catalyst 2960S or a switching module for the 2911, but these two options are too expensive for us. We're thinking about using switches from the SB series (maybe a SG-200).
We're totally newbies to VLANs so we have many doubts. These are our questions:
1) The 2911 has three on board ethernet interfaces; we have three VLANs and three internet connections, so we need to use HWICs to get three more ethernet ports. That's right?
2) We need three HWICs or there is some kind of HWIC with more than one ethernet interface?
3) The routing solution is to assign static routes in the 2911 for each interface connected to a VLAN through a 2911's interface connected to internet?
4) Simply connecting three different router interfaces with three different switch ports, each one of them assigned to one of the three different VLANs, are we going to get internet access for all devices in those VLANs? Or do we need to configure something else like trunking, VSIs...?
5) Can we achieve our goals using the SG-200 switch?
6) We have the chance to use older routers, is this possible? We're specially interested in knowing if a 1841 or a 2801 router could be used for this setup.
7) This is not a production environment so we can use refurbished equipment.
I have a Cisco C3560CG which is running (C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2. The switch has VLAN 1 and VLAN 50 configured; VLAN 50 should have access to a limited number of hosts in VLAN 1. The following ACL has been applied on the inbound to VLAN 50:
I'm sure the above would work, but for some reason some of the packet counters are not incrementing but the traffic is being blocked. But I would like to see the counters increment. Also I have that I may need to use VACL, would this be the case?
Any explanation regarding these different operating temperature ranges? I would think it doesn't matter the enclosure that the switch is in, it will either work or fail at a certain temperature. -40C to +70C (Vented Enclosure Operating), -20C to +60C (Sealed Enclosure Operating), -34C to +75C (Fan or Blower equipped Enclosure Operating).
I will be installing two Cisco 1921 Routers to connect a T1 between two offices. We are changing out our current AdTran routers as we would like to bridge three VLANs across the T1 link. I followed the instructions at (URL) shtml to the best of my ability and my two Gigabit Ethernet ports are tied into a bridged virtual interface (BVI1). I then assigned an IP to BVI1 and another to my Serial0/0/0, then made a route to get to the other side of the T1 and a default route out our proxy. What I want to do now is set up QoS to make sure my voice data gets priority.
I set up a QoS ACL called "Voice" with the TCP and UDP source and destination ports that our phone system uses. I then set up a QoS policy on the Serial0/0/0 outgoing interface called "VoiceTraffic" and under the "match" list I match DSCP 46 or my "Voice" access rule. For the action I turned on "Queuing" and set it up for LLQ at 50%. Does this sound about right? Is there anything else I can set up? I tried to set up something else on the ethernet side but because they have the BVI I can't. I read some articles in this forum that said I could still apply QoS to the GigabitEthernet ports even if they are in the bridge group, but it doesn't let me do that.
I have purchased these two switches from ebay as a test lab, I plan to connect them up via a gigastack modulecable and enable ip routing on the c3550 and vlans to talk to each other.
I'm very much a ProCurve person and really need to get into the Cisco switching. I will want to trunklacp between the switches - what's the process in setting that up on Cisco switches?
I have a 3560E with 2 VLANs that I want to route between. One device with 2 VLANs and route between. Interfaces are configured as such:
int g0/11
 switchport mode access
 switchport access vlan 10
int g0/12
 switchport mode access
 switchport access vlan 11
[code]...
Laptops on each port with 10.10.10.2 and 10.10.11.2 configured on them. I can ping from 10.10.10.2 to 10.10.11.1, but not to 10.10.11.2. What do I have to configure to be able to get the 2 laptops to talk to each other?
I am setting up a VM environment for a customer in my lab off site. I have two stacked 3750-x switches, a SAN, and three UCS c220 M3S servers for hosts. I am trying to separate the LAN traffic, SAN iSCSI traffic, and SAN management traffic using VLANs. The problem is I'm unable to communicate cross VLAN with my current config, which I have attached to this post. The only noteworthy thing in my config is that the ip route 0.0.0.0 0.0.0.0 192.168.83.6 is referring to a switch stack they have on site, that I will connect this stack to using the first two trunk ports on each switch, that I do not have here in the lab. I don't want to cause any confusion in why I have things set a certain way.
I am setting up a new 1921 for a public library and I am running into a problem and I bet I am missing something simple. All the internal stuff works and I can ping the outside IP on the 1921 but can't go any further to the internet. The 1921 has the 2 gig ethernet ports; 0/0 is connected to a DSL getting DHCP settings fine from the DSL modem. The other gig ethernet port 0/1 is running the inside network and it's functioning fine; I have a server on it and other clients and they can ping and get DHCP settings etc. I've pasted the config output below and IP addresses of the main actors. [code]