VLAN-routing

Discussion in 'Cisco' started by Pawn D, Nov 17, 2004.

  1. Pawn D

    We've got a Catalyst 2950, which has four port-based VLANs configured
    in it. One switch port is a trunk link to 1760 router. The 1760 has
    only one 10/100 Ethernet port.

    We want the 1760 to route all the packets from VLAN 1, 2 and 3 to VLAN
    4, from where there's a connection to the Internet. VLAN 4 is
    configured on a single port on the Catalyst 2950. That port is
    connected to the ISP's CPE. So, all traffic should go to the router
    through the trunk link, and also come back along the same link, and
    then go to the VLAN4 switch port. Can we do this? How do we configure
    the C1760?

    We also want to make sure that the users in the first three VLANs
    don't see each other. Some sort of access lists here?

    Now we've got the router set up like this:

    int fa0/0
    no ip address

    int fa0/0.1
    encapsulation dot1q 1
    ip address 192.168.1.1

    int fa0/0.2
    encapsulation dot1q 2
    ip address 192.168.2.1

    int fa0/0.3
    encapsulation dot1q 3
    ip address 192.168.3.1

    int fa0/0.4
    encapsulation dot1q 4
    ip address 10.10.10.2

    The CPE's IP is 10.10.10.1.


    Pawn D.
    Pawn D, Nov 17, 2004
    #1

  2. Ivan Ostreš

    In article <>,
    says...
    > The CPE's IP is 10.10.10.1.
    >
    >


    add 'ip route 0.0.0.0 0.0.0.0 10.10.10.1'. That should do it..

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Nov 17, 2004
    #2

  3. Pawn D

    Ivan Ostreš <> wrote in message news:<>...
    > In article <>,
    > says...
    > > The CPE's IP is 10.10.10.1.

    > add 'ip route 0.0.0.0 0.0.0.0 10.10.10.1'. That should do it..


    That's all that is needed? Ok, thanks. Then... how to make sure
    that the users from different VLANs don't see each other, and they
    are only allowed to access the CPE?

    Any sample configs for suggested ACLs? Or what about IRB? Someone
    said we should put VLANs 1-3 into an IRB group, not allow it to
    route inside of it, but allow it to route into VLAN 4. Any pointers
    on how to create this sort of config?

    Pawn D.
    Pawn D, Nov 18, 2004
    #3
  4. Ivan Ostreš

    In article <>,
    says...
    > Ivan Ostre? <> wrote in message news:<>...
    > > In article <>,
    > > says...
    > > > The CPE's IP is 10.10.10.1.

    > > add 'ip route 0.0.0.0 0.0.0.0 10.10.10.1'. That should do it..

    >
    > That's all that is needed? Ok, thanks. Then... how to make sure
    > that the users from different VLANs don't see each others, and they
    > are only allowed to access the CPE?
    >
    > Any sample configs for suggested ACLs? Or what about IRB? Someone
    > said we should put VLANs 1-3 into a IRB group, not allow it to
    > route inside of it, but allow it to route into VLAN 4. Any pointers
    > how to create this sort of config?


    Well, I wouldn't do that IRB stuff you're talking about since I have
    some really bad experiences with it. (Since you don't have bad
    experiences you can always try :) ).

    The simplest way is to create 4 access lists applied in the outgoing
    direction. Like this:

    int fa0/0.1
    encapsulation dot1q 1
    ip address 192.168.1.1
    ip access-group 101 out

    access-list 101 deny ip any 192.168.2.0 0.0.0.255
    access-list 101 deny ip any 192.168.3.0 0.0.0.255
    access-list 101 deny ip any 192.168.4.0 0.0.0.255
    access-list 101 permit ip any any


    I hope you got the idea.. you need to have in each access list all subnets
    other than the one on which you're putting that access-list.


    HTH,
    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Nov 18, 2004
    #4
  5. Toby

    "Ivan Ostres" <> wrote in message
    news:...
    > In article <>,
    > says...
    >
    > Well, I wouldn't do that IRB stuff you're talking about since I have
    > some really bad experiences with it. (Since you don't have bad
    > experiences you can always try :) ).
    >
    > The simplest way is to create 4 access lists applied in the outgoing
    > direction. Like this:
    >
    > int fa0/0.1
    > encapsulation dot1q 1
    > ip address 192.168.1.1
    > ip access-group 101 out
    >
    > access-list 101 deny ip any 192.168.2.0 0.0.0.255
    > access-list 101 deny ip any 192.168.3.0 0.0.0.255
    > access-list 101 deny ip any 192.168.4.0 0.0.0.255
    > access-list 101 permit ip any any
    >
    >
    > I hope you got the idea.. you need to have in each access list all subnets
    > other than the one on which you're putting that access-list.
    >
    >

    I wouldn't do it quite like that, as it is recommended and more efficient to
    apply extended access lists inbound. Also the network address 192.168.4.0 is
    not part of this setup.

    Try this instead

    access-list 101 deny ip any 192.168.1.0 0.0.0.255
    access-list 101 deny ip any 192.168.2.0 0.0.0.255
    access-list 101 deny ip any 192.168.3.0 0.0.0.255
    access-list 101 permit ip any any

    int fa0/0.1
    ip access-group 101 in

    and repeat "ip access-group 101 in" for the other 2 interfaces in the
    192.168 ranges.

    This would stop VLAN 1,2 & 3 traffic destined to VLAN 1,2 & 3 with no
    restrictions on Vlan 4. Don't worry about the fact that we are restricting
    traffic from Vlan1,2,3 to themselves, as no traffic destined for their own
    LAN address space would be or should be routed anyway (split horizon rule),
    and this prevents the need for multiple access lists being defined.

    And as you want all traffic entering the router destined for the internet
    to hit your firewall at 10.10.10.1 to be NATed and forwarded on to the
    internet, you will also require a default route.

    ip route 0.0.0.0 0.0.0.0 10.10.10.1

    Regards

    Toby
    Toby, Nov 18, 2004
    #5
  6. Pawn D

    Ivan Ostreš <> wrote in message news:<>...
    > In article <>,
    > says...
    > > That's all that is needed? Ok, thanks. Then... how to make sure
    > > that the users from different VLANs don't see each other, and they
    > > are only allowed to access the CPE?

    > Well, I wouldn't do that IRB stuff you're talking about since I have
    > some really bad experiences with it. (Since you don't have bad
    > experiences you can always try :) ).


    Any idea where we could find good examples about IRB for this sort of
    situation? Cisco's site didn't provide much information...

    > The simplest way is to create 4 access lists applied in the outgoing
    > direction. Like this:
    > int fa0/0.1
    > encapsulation dot1q 1
    > ip address 192.168.1.1
    > ip access-group 101 out
    > access-list 101 deny ip any 192.168.2.0 0.0.0.255
    > access-list 101 deny ip any 192.168.3.0 0.0.0.255
    > access-list 101 deny ip any 192.168.4.0 0.0.0.255
    > access-list 101 permit ip any any
    > I hope you got the idea.. you need to have in each access list all subnets
    > other than the one on which you're putting that access-list.


    When we used the above config, it didn't seem to stop any traffic.
    We could ping all the 192.168.x.1 router interfaces from all the VLANs.

    But, when applied to incoming interfaces instead (with the
    "ip access-group 101 in" command) it worked. What do you make of that?

    Thanks again...

    Pawn D.
    Pawn D, Nov 18, 2004
    #6
  7. Toby

    "Pawn D" <> wrote in message
    news:...
    > Ivan Ostreš <> wrote in message
    > news:<>...
    >> In article <>,
    >> says...
    >> > That's all that is needed? Ok, thanks. Then... how to make sure
    >> > that the users from different VLANs don't see each other, and they
    >> > are only allowed to access the CPE?

    >> Well, I wouldn't do that IRB stuff you're talking about since I have
    >> some really bad experiences with it. (Since you don't have bad
    >> experiences you can always try :) ).

    >
    > Any idea where could we find good examples about IRB for this sort of
    > situation? Cisco's site didn't provide much information...
    >
    >> The simplest way is to create 4 access lists applied in the outgoing
    >> direction. Like this:
    >> int fa0/0.1
    >> encapsulation dot1q 1
    >> ip address 192.168.1.1
    >> ip access-group 101 out
    >> access-list 101 deny ip any 192.168.2.0 0.0.0.255
    >> access-list 101 deny ip any 192.168.3.0 0.0.0.255
    >> access-list 101 deny ip any 192.168.4.0 0.0.0.255
    >> access-list 101 permit ip any any
    >> I hope you got the idea.. you need to have in each access list all subnets
    >> other than the one on which you're putting that access-list.

    >
    > When we used the above config, it didn't seem to stop any traffic.
    > We could ping all the 192.168.x.1 router interfaces from all the VLANs.
    >
    > But, when applied to incoming interfaces instead (with the
    > "ip access-group 101 in" command) it worked. What do you make of that?
    >
    > Thanks again...
    >
    > Pawn D.


    The reason the pings worked on testing from a host/device, say, connected to
    VLAN1 to the router's interface configured to be in VLAN2 is that the ICMP
    echo never left the interface for VLAN2, but the Echo reply turned around
    inside the router without seeing the ACL placed on the interface for VLAN2.

    The ICMP Echo Reply was then generated internally inside the router and any
    traffic originating from inside the router does not pass through any ACL.

    You would find though that a Ping from a host in VLAN1 to a host on VLAN2
    would fail as it would try to leave the interface connecting VLAN2.

    It is not a good idea to use extended access lists as outbound, and this is
    just one reason.

    To avoid repeating myself, see my previous post for how I would
    configure this.

    Toby
    Toby, Nov 18, 2004
    #7
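    The behaviour Toby describes in posts #5 and #7 can be checked with a small model of how IOS applies extended ACLs on the 1760's dot1q sub-interfaces. This is an added example, not code from the thread: it builds Ivan's post #4 outbound lists as written, a hypothetical outbound variant keyed on source addresses, and Toby's post #5 inbound list, then pings from a constructed VLAN1 host 192.168.1.10. The /24 mask on fa0/0.4, the host address and all function names are assumptions.

```python
import ipaddress

def _match(spec, addr):
    """'any' or IOS 'network wildcard'; wildcard 1-bits are don't-care (non-contiguous allowed)."""
    if spec == "any":
        return True
    net, wc = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    return (int(ipaddress.IPv4Address(addr)) ^ net) & ~wc & 0xFFFFFFFF == 0

def acl_permits(acl, src, dst):
    """Extended ACL as (action, src_spec, dst_spec) tuples: first match wins, implicit deny at the end."""
    for action, s, d in acl:
        if _match(s, src) and _match(d, dst):
            return action == "permit"
    return False

def forward(ifs, next_hop, ingress, src, dst):
    """Inbound ACL -> local delivery or route lookup -> outbound ACL.  ifs: name -> {"addr": IPv4Interface, "in": acl|None, "out": acl|None}."""
    acl = ifs[ingress]["in"]
    if acl and not acl_permits(acl, src, dst):
        return "denied by inbound ACL on " + ingress
    if any(i["addr"].ip == ipaddress.IPv4Address(dst) for i in ifs.values()):
        return "local"                        # addressed to the router itself
    def connected(a):                         # connected-route lookup
        a = ipaddress.IPv4Address(a)
        return next((n for n, i in ifs.items() if a in i["addr"].network), None)
    egress = connected(dst) or connected(next_hop)   # else the static default route
    if egress is None:
        return "no route"
    acl = ifs[egress]["out"]
    if acl and not acl_permits(acl, src, dst):
        return "denied by outbound ACL on " + egress
    return "forwarded via " + egress

def ping(ifs, next_hop, ingress, src, dst):
    """True if an echo request from src (arriving on ingress) gets its reply back."""
    req = forward(ifs, next_hop, ingress, src, dst)
    if req == "local":
        return True   # router-generated reply: IOS consults no outbound ACL for it
    return (req.startswith("forwarded via ") and
            forward(ifs, next_hop, req.split()[-1], dst, src).startswith("forwarded via "))  # reply path

LANS = {v: "192.168.%d.0 0.0.0.255" % v for v in (1, 2, 3)}
def build(style):
    """'ivan_out' = post #4 as written; 'fixed_out' = outbound list keyed on source; 'toby_in' = post #5."""
    ifs = {}
    for v in (1, 2, 3):
        others = [LANS[o] for o in LANS if o != v]
        acl_in = acl_out = None
        if style == "ivan_out":     # deny packets *to* the other VLANs, applied outbound
            acl_out = [("deny", "any", o) for o in others] + [("permit", "any", "any")]
        elif style == "fixed_out":  # deny packets *from* the other VLANs, applied outbound
            acl_out = [("deny", o, "any") for o in others] + [("permit", "any", "any")]
        else:                       # one list, applied inbound on every LAN sub-interface
            acl_in = [("deny", "any", n) for n in LANS.values()] + [("permit", "any", "any")]
        ifs["fa0/0.%d" % v] = {"addr": ipaddress.IPv4Interface("192.168.%d.1/24" % v), "in": acl_in, "out": acl_out}
    ifs["fa0/0.4"] = {"addr": ipaddress.IPv4Interface("10.10.10.2/24"), "in": None, "out": None}  # /24 assumed
    return ifs

def results(style):
    ifs, src = build(style), "192.168.1.10"   # constructed VLAN1 host
    return {"router_vlan2": ping(ifs, "10.10.10.1", "fa0/0.1", src, "192.168.2.1"),
            "host_vlan2": ping(ifs, "10.10.10.1", "fa0/0.1", src, "192.168.2.10"),
            "own_gateway": ping(ifs, "10.10.10.1", "fa0/0.1", src, "192.168.1.1"),
            "cpe": ping(ifs, "10.10.10.1", "fa0/0.1", src, "10.10.10.1")}
```

    Ivan's lists as written stop nothing, the source-keyed outbound variant still lets hosts reach the router's own sub-interface addresses because the router-generated reply never meets an outbound ACL, and only the inbound list blocks both. The inbound list also stops a host from pinging its own default gateway, which is harmless for forwarding but worth remembering when troubleshooting.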
  8. Ivan Ostreš

    In article <>,
    says...
    > When we used the above config, it didn't seem to stop any traffic.
    > We could ping all the 192.168.x.1 router interfaces from all the VLANs.
    >
    > But, when applied to incoming interfaces instead (with the
    > "ip access-group 101 in" command) it worked. What do you make of that?
    >
    >


    That was a typo ("out"). When you look at the access list, it is clear
    that it can't stop anything when used together with the "ip access-group 101
    out" statement since the direction is totally opposite.

    Sorry, my mistake.

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Nov 18, 2004
    #8
  9. Ivan Ostreš

    In article <jo6nd.141$>,
    says...
    > I wouldn't do it quite like that, as it is recommended and more efficient to
    > apply extended access lists inbound. Also the network address 192.168.4.0 is
    > not part of this setup.
    >
    >
    >


    When I think about it more, it wouldn't really work with the "out" statement at
    all, not just be inefficient. It was a totally wrong direction..


    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Nov 18, 2004
    #9
  10. Ivan Ostreš

    In article <dW6nd.146$>,
    says...
    > The reason the pings worked on testing from a host/device, say, connected to
    > VLAN1 to the router's interface configured to be in VLAN2 is that the ICMP
    > echo never left the interface for VLAN2, but the Echo reply turned around
    > inside the router without seeing the ACL placed on the interface for VLAN2.
    >
    > The ICMP Echo Reply was then generated internally inside the router and any
    > traffic originating from inside the router does not pass through any ACL.
    >
    > You would find though that a Ping from a host in VLAN1 to a host on VLAN2
    > would fail as it would try to leave the interface connecting VLAN2.
    >
    > It is not a good idea to use extended access lists as outbound, and this is
    > just one reason.
    >
    > To avoid repeating myself, see my previous post for how I would
    > configure this.
    >


    I agree with all this. Outbound lists do not touch router-originated
    traffic anyway.

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Nov 19, 2004
    #10
  11. Pawn D

    "Toby" <> wrote in message news:<jo6nd.141$>...
    > Try this instead
    > access-list 101 deny ip any 192.168.1.0 0.0.0.255
    > access-list 101 deny ip any 192.168.2.0 0.0.0.255
    > access-list 101 deny ip any 192.168.3.0 0.0.0.255
    > access-list 101 permit ip any any
    > int fa0/0.1
    > ip access-group 101 in
    > and repeat "ip access-group 101 in" for the other 2 interfaces in the
    > 192.168 ranges.


    Thanks, this works. Now the hosts in different VLANs can't reach
    each other. But, there's still something odd with the setup...
    the hosts cannot reach the CPE.

    > And as you want all traffic entering the router destined for the internet
    > to hit your firewall at 10.10.10.1 to be NATed and forwarded on to the
    > internet, you will also require a default route.
    > ip route 0.0.0.0 0.0.0.0 10.10.10.1


    Yep, that would be what we want. But it doesn't work.

    We've got these lines in the 1760:

    ip routing
    ip cef
    ip route 0.0.0.0 0.0.0.0 10.10.10.1

    From the 1760 console, we can ping the CPE's 10.10.10.1 interface, but
    the hosts behind the 2950 switch can't reach it. The hosts can ping the
    1760's 10.10.10.2 interface (VLAN4), but not the CPE at 10.10.10.1.
    And because of this, none of the hosts are able to access the Internet.

    The default gateways for the hosts are configured as 192.168.1.1 for VLAN1,
    192.168.2.1 for VLAN2 and 192.168.3.1 for VLAN3. It doesn't matter if we
    use these access-lists for inter-VLAN 1-3 control or not, the hosts
    never reach anything beyond 10.10.10.2.

    What could be the cause of this problem?

    Pawn D.
    Pawn D, Nov 19, 2004
    #11
  12. Toby

    "Pawn D" <> wrote in message
    news:...
    > "Toby" <> wrote in message
    > news:<jo6nd.141$>...
    >> Try this instead
    >> access-list 101 deny ip any 192.168.1.0 0.0.0.255
    >> access-list 101 deny ip any 192.168.2.0 0.0.0.255
    >> access-list 101 deny ip any 192.168.3.0 0.0.0.255
    >> access-list 101 permit ip any any
    >> int fa0/0.1
    >> ip access-group 101 in
    >> and repeat "ip access-group 101 in" for the other 2 interfaces in the
    >> 192.168 ranges.

    >
    > Thanks, this works. Now the hosts in different VLANs can't reach
    > each others. But, there's still something odd with the setup...
    > the hosts cannot reach the CPE.
    >
    >> And as you want all traffic entering the router destined for the
    >> internet
    >> to hit your firewall at 10.10.10.1 to be NATed and forwarded on to the
    >> internet, you will also require a default route.
    >> ip route 0.0.0.0 0.0.0.0 10.10.10.1

    >
    > Yep, that would be what we want. But it doesn't work.
    >
    > We've got these lines in the 1760:
    >
    > ip routing
    > ip cef
    > ip route 0.0.0.0 0.0.0.0 10.10.10.1
    >
    > From the 1760 console, we can ping the CPE's 10.10.10.1 interface, but
    > the hosts behind the 2950 switch can't reach it. The hosts can ping the
    > 1760's 10.10.10.2 interface (VLAN4), but not the CPE at 10.10.10.1.
    > And because of this, none of the hosts are able to access the Internet.
    >
    > The default gateways for the hosts are configured as 192.168.1.1 for
    > VLAN1,
    > 192.168.2.1 for VLAN2 and 192.168.3.1 for VLAN3. It doesn't matter if we
    > use these access-lists for inter-VLAN 1-3 control or not, the hosts
    > never reach anything beyond 10.10.10.2.
    >
    > What could be the cause of this problem?
    >
    > Pawn D.


    Hi Pawn

    Can the hosts reach the router's VLAN4 interface 10.10.10.2? If they can, but
    can't get to the other side of the switch, then I suspect either VLAN4 is
    not set up correctly, or perhaps the link between the switch and the
    firewall, or even your firewall itself.

    I can't see any problem with your router config of the bits you've shown.

    Other things to check are:

    1) Does network 10.10.10.0 appear in the routing table to start with as a
    connected interface? "SHOW IP ROUTE"

    2) Do a "SHOW ARP | INC 10.10.10". Do 10.10.10.1 as well as 10.10.10.2
    appear in the display with their MAC addresses?
    If only 10.10.10.2 appears, then ping 10.10.10.1 from the router; if that
    fails, immediately do another "SHOW ARP | INC 10.10.10". If 10.10.10.1 is
    showing incomplete, then this shows an ARP message left the router to try and
    discover the MAC address of the firewall but never got a response. This will
    prove routing out of the Fast-Ethernet port. N.B. if it is still missing
    then it could be that you waited too long, as the incompletes don't stay
    in the ARP cache forever (not sure how long, so don't hang around). If it
    still isn't in the list, then you have a routing problem. I can't see it
    being an interface problem as you are using the same interface for the other
    VLANs.

    3) If you had an incomplete for 10.10.10.1, then I would suspect my original
    theory. I am not too hot with switches apart from theory, usually resulting in
    feeling my way through the commands, but I would check your config on the
    switch and the connections/cables to the firewall. One check you can do is whether
    the switch can see the MAC addresses of both the router and firewall for
    VLAN4. Something like "SHOW MAC-ADDRESS ?" might help, but some switches use
    "SHOW CAM DYNAMIC 4"; again I stress I never know exactly which commands
    work on which type of switches.

    If you think this is a routing problem then post your full config minus
    passwords of course, along with the "SHOW IP ROUTE" and "SHOW IP INTERFACE
    BRIEF" and I'll try to be of further assistance.

    regards

    Toby
    Toby, Nov 19, 2004
    #12
  13. Toby

    Hi again

    I don't think I read your post properly (sorry hectic day).

    Anyway, as you and your hosts can reach the 1760 interface 10.10.10.2 and the
    1760's internally generated traffic can reach the firewall (CPE) interface of
    10.10.10.1, then either you have an access list on the 10.10.10.2 interface
    outbound checking source addresses (unlikely) or the firewall is set up to
    deny ICMP attempts.

    Try and do an extended ping from within the 1760 to 10.10.10.1 sourcing the
    address from 192.168.1.1. Remember this is only changing the source address
    and not actually using the source interface or its ACL. If this fails, then I
    suspect the firewall is blocking it but allowing ICMP traffic from
    10.10.10.2, which is the default source address with pings through this
    interface.

    To check, use SH INT FA0/0.4 for traffic outbound/inbound before and after
    each ping. If you see it went out but not returned, then this will be due to
    the firewall. This might mean you do not have a problem at all, but if the
    hosts can not access the Internet then the firewall would be the problem.

    If it fails but you see return traffic on the interface, then this return
    traffic is being affected by an access-list or policy preventing the packets
    from being routed (again unlikely from the info you have already given).

    Now we are entering the land of make believe. If your extended pings work
    and the hosts still can't ping the firewall, then this will be due to the
    return ECHO Replies being barred from exiting the router on the right
    interface by an access list outbound on the VLAN1,2,3 interfaces. Like I
    said, land of make believe from what you have told me so far.

    regards

    Toby
    Toby, Nov 19, 2004
    #13