Cisco Switching/Routing :: 2911 / 2960S - Multiple VLANs With Different Internet Access
Feb 17, 2013
We need to give differentiated internet access to three VLANs. Each one of this VLANs is used for totally different purposes, so traffic between the VLANs is not allowed. Each VLAN has its own internet access provided for the data center using one fast ethernet connection.
We're thinking about using cisco 2911 for Internet access, VPN and firewall. I suppose that best option for VLANs is using Catalyst 2960S or a swithing module for the 2911, but these two options are too expensive for us. We're thinking about using swtiches from the SB series (maybe a SG-200).
We're totaly newbies to VLANs so we have many doubts. This are our questions:
1) The 2911 has three on board ethernet interfaces; we have three VLANs and three internet connections, so we need to use HWICs to get three more ethernet ports. That's right?
2) We need three HWICs or there is some kind of HWIC with more that one ethernet interface?
3) The routing solution is to assign static routes in the 2911 for each interface connected to a VLAN through a 2911's interface connected to internet?
4) Simply connecting three different router interfaces with three different switch ports, each one of them assigned to one of the three different VLAN, are we going to get internet access for all devices in those VLANs? or do we need to configure something else like trunking, VSIs...?
5) Can we achieve our goals using the SG-200 switch?
6) We have the chance to use older routers, is this possible? We're specially interested in knowing if a 1841 or a 2801 router could be used for this setup.
7) This is not a production environment so we can use refurbished equipment.
Have multiple Catalyst 2960S switches, Cisco 2911 router and ASA 5510 firewall.
On the router have subinterfaces created for the VLAN's Int FA0.0/41 for wirless VLAN setup with IP 10.10.41.100 Int FA0.0/60 for new Voice VLAN setup with IP 10.10.60.100 Internal network is 10.10.10.0/24 and LAN IP of router is 10.10.10.100 Have default route setup to push traffic from the router to the firewall ip route 0.0.0.0 0.0.0.0 10.10.10.251
On the firewall have added the new VLAN 10 (10.10.60.0) to the network object-group Have configured route inside command route 10.10.60.0 255.255.255.0 10.10.10.100 1 Have also added the NAT command nat (inside) 1 10.10.60.0 255.255.255.0
On the 2960 I have my laptop connected to port 45 and I have it configured as follows switchport mode access switchport access vlan 10
I assign my computer a static IP address of 10.10.60.84/255.255.255.0/10.10.60.100 with 10.10.10.11 as DNS server. When I do this, I can ping anything on the 10.10.60.0 network, I can ping anythign on the LAN 10.10.10.0 network. I am able to connect MSN messenger, I am able to do NSLOOKUP and get outside IP addresses to resolve. I am unable to browse the Internet though. I am not sure where the problem is at though. It doesn't make sense to me, as it is setup the same way as VLAN 41 which is the wireless network, and when users connect to that, they get out to the Internet with no issues.
My problem is that I have a Cisco 300 series small business switch with multiple VLANS each one with an IP address and two or three ports assigned to each VLAN. I have an E3200 wireless router that I want to use to use to share internet on the switch. All of the VLANs are reachable from the other VLANs and I've put a static route on the E3200 so that I can reach the VLANs from a machine connected only to the router. But I can't reach machines on the otherside of the router or get to the internet from the switch.
make a couple of SF300 switches to work properly with a C2960S-48TS-L that acts as core switch/basic router. I can't seem to figure out how to assign VLANs correctly in trunk and access mode on the SF300. The 2960S are a no brainer with IOS commands but the webgui in the SF300 is a pain.
I've configured the 2960S with 3 VLANs and I would like to have the SF300 switches connect to the C2960S-48TS-L through VLAN trunk and then configure the ports on the SF300 switches to belong to the assigned VLANs of my choosing. I would also like to have all the SF300 switches management interface in VLAN 50.
This is the deal, I used Acronis for imaging workstations. Obviously when I do that it drags everything down to a halt, as all the ports are being flooded with packets. So what options do I have to image (as opposed to doing it after hours or try to plug all the computers into one isolated switch? = )
VLAN 1 has well everything in it, PXE server, DHCP server and workstationsVoice VLAN 100 is on every trunk or connection a workstation would be attached to.
There is another equipment I'm not illustrating... although a part of me wonders if my topology is correct.
In any case, I've read about IGMP Snooping, CGMP, etc-- but I think the 2960S are only capable of IGMP Snooping.
And from there I'm a little confused about configuration of IGMP...
last week I installed a new router (2911) in my network.We had to create two different VLANs for the new setup to work as wanted.I have a Windows 2008 R2 which is a Domain Controller for Active Directory on the ip address 192.168.0.195.That server (HP DL180 G6) has two NICs. One has the above IP address and the other one has 192.168.0.199.
On the other VLAN, I have a server, running the same OS, that I want to re-join, as it formerly was, the AD on the first server (192.168.0.195). This server has the new IP address 192.168.10.194.All these are connected to a Cisco switch SG 200-50 Gigabit Smart Switch. That one is connected to a Cisco 2911 router.
The problem is that, once the old 192.168.0.194 got to be 192.168.10.194, the 192.168.0.195 can't ping it anymore... At least not all the time... Sometime it works, sometimes not... Neither can't the 10.194 ping the 0.195 all the time. When one way works the other one doesn't... When one pings the other one successfully, the other one can't...
Need to Have both ISP to access internet/servers configure a Cisco 2911 router, It has two ISP one as primary 216.140.140.0, and secondary for backup as 216.150.150.0. I need to be able to access both the ISP's using the same interface Gi0/1. Since we have servers that have to have specific IP both when accessed and when accessing the internet so I used static Nat for the servers and Dynamic for all others. I did the following configuration but it does not work as i want it, if i unplug the Primary ISP from the unmanaged switch the secondary cant access the Internet or network.The secondary only works when the primary and secondary are both connected and have an equal cost Administrative distance, hence it is not available when the primary is down . Even though I can use a sub-interface instead of a secondary Ip address (which worked when I used it) I need to use the same interface using a unmanaged switch to which the outside interface of the router is connected and the two ISP's. Below is my configuration.
interface GigabitEthernet0/0 ip address 10.0.0.254 255.255.255.0 ip nat inside
I couldn't access internet with route specified i know the problem with the route or nat.i have 2911 router [code]
i could ping from lan Ip's to ISP1 and ISP2 gateway IPS. but when i ping to any site llike example gmail.com packet s not moving out to the ISP1 or ISP2 interfaces. [code]
i want to control access to internet on VLAN1 and VLAN2 (access on VLAN3), while providing access to VLAN4.My problem is in connecting to internet, i can't find a way to "route back traffic to VLANs 1 and 2 since HG8245 don't seem to provide proper static routing ON LAN interface. Maybe without resorting to changing the HG8245 router ?
I am trying to setup VLAN's in the company I work for and I am almost there but missing the part when the internet works.I have an SG300 as a L3 Router IP 192.168.0.93.I have created VLAN20 and VLAN40 Assigned VLAN20 192.168.2.1 and VLAN40 192.168.4.1
The static routes have been created and a default router going to the Sonicwall firewall at 192.168.0.1.Port 24 is configured as Untagged VLAN1, Untagged VLAN20 and VLAN40 in trunk mode and going to the Sonicwall NSA 2400. [code]
Working to move all 192.168.0.x network off of VLAN1 and move it a management switch.I have DHCP helper on pointing to the DHCP server.Both VLAN's once the DHCP server is configured to Gateway 192.168.0.93 can get an IP from the correct subnet either 192.168.2.x or 192.168.4.x
All PC's are getting a GW IP of 192.168.2.1 pr 192.168.4.1.All test PC's on both VLAN's can ping each other and any server with the correct GW.When I try to ping google.com or open a web page and try google.com it times out.
I recently set up a Cisco 881 to cover a small business network. The router is currently set up and working as expected. We recently decided to move to VoIP phones and here is where I'm running into some issues.
First an overview: We run a network with a cable internet WAN connection, this connection is DHCP, however we have a static IP through our ISP. We also have a block of 30 additional IP addresses for one to one mapping as we need them. The new VoIP system is being run over T1 lines throughout the township (we are a municipal organization) and the VoIP system is being run to about 5 buildings in the township.
This brings me to the topic of VLANs. As the phone engineer explained it to me, there is a network set up over the T1 that allows the VoIP equipment to talk to one another and operates all of the VoIP phones on one network. The equipment that is being installed at our building connects to the network over the T1 and "talks" to the other equipment on the network. The engineer wants to create a VLAN and run it on ports fa1 and fa2, with the fa2 port being connected to the actual "MPLS" (their term) that connects to the T1 and into the cloud, and the fa1 port connected to the internal phone switch.
TLDR; The problem is this: When we attempt to set up the VLAN on ports fa1 and fa2, we have no connectivity with the other units in the external VoIP cloud. Pinging while directly connected to the "MPLS" yields successful pings, while pinging from the router with the "MPLS" connected to fa2 yields failures. I'm going to post the running config below, I feel like what we're doing should be working. I asked around about subinterfacing, but others seemed to think this was not necessary.
ROUTER CONFIG Building configuration...
Current configuration : 4909 bytes ! ! No configuration change since last restart version 15.1
They have a locked Cisco Router which is from the ISP and its confed on a fa 0/0 interface to share Internet access on the network. The ip on that interface is 195.198.11.217 255.255.255.252 and i tried it with a PC (set my personal ip to .218 and entered their dns info (195.67.199.27) and it is working. The question is now. My friend found a 3550 laying around and since the ISP wont let them conf their router he wants to use the 3550 to create 2 vlans with internet access and without access to eachother. Vlan 10 for the desktops and Vlan 20 for the wireless (Moving on to some netgear wireless switches) How would you configure the 3550 for this to work?
i am trying to set up a cisco 2950 with a vlan to seperate all of the pos machines on the network (4 of them) from all other machnes in the building (3 hard wired and wi-fi). i was going to use vlan 1 as a trunk to allow internet access to go from fa0/1 to both vlans (vlan 10 and vlan 20). i have read things about the acl having an explicit deny at the end, so i'm thinking that is my problem. i am testing it at my house before deploying it to the network. i have 1 laptop setup with an ip of 192.168.0.50, and the other is .60. my router is 192.168.0.1. i have the ethernet from the router plugged into fa0/1, the 1st laptop on fa0/2 and the other at fa0/3. before i set the vlans up, i checked the communication by just plugging them in and trying to ping, they could both ping each other, the router and 8.8.8.8. when i finished setting up the test vlans, they could not ping each other(what i wanted) and laptop 1 can ping the router, and 8.8.8.8. laptop 2 cannot ping anything. the only thing i did was create vlan 10 and 20, set port fa0/2 to vlan 10 and no sh, fa03 to vlan 20 and no sh, fa0/1 to vlan 1 and no sh. then i did switchport mode trunk on fa0/1, and switchport native vlan 1. this seems to be how i was supposed to do it, but it's been a while since i have worked with switches. i'm sure it's simple, but after searching the internet and poring over my cisco books for 5 hours, it is turning out not to be the case. here are some details:
I have a small cisco switch cluster (seven different 2924, 3524cisco switches) with 3550 as a cluster control which does all the inter vlan routing that works fine.
This cluster is in semi production PBX interop testing lab. This is a closed network without internet access and not connected to our corporate network.However now I have to add this capability so some equipment in the lab can get Microsoft updates over the internet.
I've created a port on a 3550 (fa0/19) and connected it to another network that has internet access. It picked an ip address and when I'm logged in to the 3550 I can ping hosts on the outside network. However I can't ping any hosts on that network from any hosts that are connected to my vlans.I've tried a few different things, but still can't make it to work.
Here is a short version of my 3550 configuration:
! version 12.2 no service pad service timestamps debug uptime service timestamps log datetime no service password-encryption
I have a Cisco C3560CG which is running C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2.The switch has vlan 1 and vlan 50 configured, vlan 50 should have access to a limited number of host in vlan 1.The following acl has been applied on the inbound to vlan 50:
I sure the above would work, but for some reason some of the packet counter are not incrementing but the traffic is being blocked. But I would like to see the counter increment.Also I have that I may beed to use VACL wouls this be the case?
Switch: SG500 VLANS: 1 (default) xxx.xxx.0.0/24 network, 150 (device management vlan) xxx.xxx.150.0/24 network I am plugged into port 1. This is a trunk port with VLANs assigned as follows: VLAN 1 (Default) - UntaggedVLAN 150 (dev mgmt) - Tagged Device is plugged into port 2. This is an access port with the following VLAN assigned: VLAN 150 - Untagged Why is it I cannot communicate with the device on port 2?
I have a above said switch at my remote office (600KM) which is connected with L2 Point to Point leased line. Both the ends I have Cisco 3950 catalyst switches with Vlans configured at both the ends. Now, for obvious reasons I should remove the other end 3950 switch and replace with Cisco 2950 switch. The other end 3950 is having 4 Vlans configured on 4 ports. Now my requirement is, I should configure 3 Vlans (one for P2P, one for 10 Desktops and one for to bring traffic from other network).
I have a a hardware server running a VM hosting virtual servers which are all on different VLANs. My challenge now is to configure the switchport that the server is connected to, to see all the VLANs needed by this VM. The VM has an IP that is used for managing the server VMs which is on a different VLAN also.
My switch is a 2960 switch and it is presently trunked from the core switch.
I was assigned a task to configure an SG300-28P to have 3 different vlans.Now on VLAN1 their will be only one device configured with static IP 192.168.0.230,On the other 2 VLANS there will be a separate router connected on each one of them and will also act as a DHCP server.
I am aware that private-vlans are not supported on edge switches like 2960 series - so my question is would it be possibel to ceate private vlans on say just the core switch which would be a 3570 or 4506 that supports private vlans and then just trunk these to the edge like normal vlans?
what I need to achive is to have edge port not able to communicate to each other even across switches - which cannot be done using 'protected' port so need the private vlan feature
I would like to configure a 3750 switch port to be able to use two vlans. I know you can do this with a voice and data vlan, but what about two data vlans ? Say I have two devices, one on a 10 subnet and the other on a 172 subnet, but i only have one wall jack for both devices to plug into. So I use a mini switch to connect both devices and connect the switch to the wall jack; and of course this all leads back to one switch port. When I go to enter the switchport access vlan 172 cmd, how would I also make it so the device on the 10 subnet could route out ?
We have a customer that is relocating thier headquarters. They have a temporary requirement to bridge multiple vlans or a router T3 link to the new location as they cannot change the IP subnets. Setup is 3560 switch connecting to a 3845 then T3 to remote 3845 and 3560. I need to bridge multiple VLANs. I have seen a good example on how to do it over sonet but I don't see how to translate that to an HDLC or Frame Relay encapsulation for the T3 Link.
I have a Cisco SG200 26 Port Switch, 2 Cisco WAP4410N Access points, and a VLAN aware Router. I have created 4 VLAN's. For the sake of this conversation lets call them.
The Access points are capable of doing V LAN tagging so I plan on having them tag a guest network as V LAN 101. That can get sent to the V LAN aware router and out. No problem. I have some devices, or management pages that I don't want accessible from the general network. (Intel V pro KVM, Remote Management Cards, AP Config Menus, Switch config menu...) . I need to be able to take a V LAN unaware device, plug it into port 1, and have it communicate with V LAN 98, 99 and 100.
We are about to install a cisco 2911 router to replace a linux based router.
The Cisco will have 5 gig ports, 4 ports connected to DSL modems each modem connected to a different ISP, and the last port connected to a Cisco LAN switch.
802.1q will be used on the internal router port to split the LAN segments up into VLAN's as the building contains lots of different businesses.
Each customer in the building has there own servers and set of public IP addresses assigned e.g
Customer A - ISP 1 uses 81.34.65.78 NAT'd to 10.0.0.1 Vlan 5 port 25 (SMTP) Customer B - ISP 2 uses 217.23.67.87 NAT'd to 192.168.1.1 Vlan 6 port 25 (SMTP)
and so on
The outbound traffic also needs to go out of the correct DSL line which ever has been assigned to that customer.
Am i right in thinking the only way to do this will be to use "Route Maps" ??
(IP addresses above are made up, or at least not ours)
upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 vlans for the different departments and then configure intervlan routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheap as possible.... Is there a way to use the ASA to configure all the vlans and intervlan routing and access lists and use a cheaper switch to provide the access layer to hosts?
I have the following config using a Cisco 1921. I am trying to get devices on the the native VLAN to get internet access via the gateway x.x.x.73.Any thing being routed from the other Vlans 15/20/30 can get access, but nothing from an internal IP address. Is there something I am missing.
The Xs replace the same 3 octets for each interface.I am trying to route from VLANs 15/20/30 to see VLAN 5. I have tried a few things, in terms of adding extra ip routes, but can't get anything to work. Each of those Vlans have another router on the other side of them, which I have also tried adding ip routes too, but nothing. One of the routers (Vlan15 is a Draytek 2830). [code]
