NAT & DHCP on C1760 with switch/InterVLAN routing
Hello,
trying to achieve following (see also Connection diagram.txt attachment):
There is satellite link, which goes to receiver.
Receiver is connected to Cisco 1760 router via switch. From router on serial interface there is one way outgoing satellite link.
On switch between receiver and router resides customers with public and private IP addresses, which can access Internet. Here I do not have problems, using DHCP for assigning private and NAT on stick, everything just works.
Problem is to achieve NAT working on switch (WIC-4ESW), which is inserted into Cisco1760.
Most important that other DHCP pool should be assigned here, we need to use other NAT pool (to split public IP assigned).
DHCP started to work, NAT is working only one way - from private to public IP address.
When reply comes to public IP which should be translated again, it does not.
I see that packets come on VLAN40 interface (see also configuration file of router), but do not see translation happening.
Right now in configuration NAT for VLAN40 is done using NAT on stick.
I also have tried plain NAT (using serial0/0 as NAT outside, no policy route on VLAN40) - result is same.
Maybe what I am trying to achieve is practically not possible?
Thanks!
Hello,
looking at the configuration of your router, I do not see access list 110, which should be matched in your route map:
access-list 10 permit 192.168.200.0 0.0.0.255
access-list 11 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip any 193.100.100.0 0.0.0.3
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
route-map NAT_Internet permit 10
match ip address 110
set ip next-hop 192.168.1.2
Can you check if this is a typo ?
Regards,
GP
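The check made by eye in the reply above (a route-map matching an access list that the configuration never defines) can be automated. This is an added example, not part of the original thread or of any Cisco tool; in the sample, the `interface Vlan40` and `ip policy` lines and the NAT rule with the hypothetical pool name `EXAMPLE_POOL` are constructed, while the rest is the excerpt quoted in the reply.

```python
import re

# Excerpt quoted in the reply above, followed by three constructed lines
# (interface, policy route, NAT rule with a hypothetical pool name).
SAMPLE_CONFIG = """\
access-list 10 permit 192.168.200.0 0.0.0.255
access-list 11 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip any 193.100.100.0 0.0.0.3
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
route-map NAT_Internet permit 10
 match ip address 110
 set ip next-hop 192.168.1.2
interface Vlan40
 ip policy route-map NAT_Internet
ip nat inside source list 11 pool EXAMPLE_POOL overload
"""

# Lines that define an object.
ACL_DEF = re.compile(r"^(?:ip access-list (?:standard|extended)|access-list)\s+(\S+)")
RMAP_DEF = re.compile(r"^route-map\s+(\S+)")
SECTION = re.compile(r"^(?:interface|line)\s+.+")

# Lines that reference an object: (pattern, kind referenced, is a global command).
REFERENCES = [
    (re.compile(r"^match ip address\s+(?!prefix-list)(.+)"), "acl", False),
    (re.compile(r"^ip access-group\s+(\S+)\s+(?:in|out)"), "acl", False),
    (re.compile(r"^access-class\s+(\S+)\s+(?:in|out)"), "acl", False),
    (re.compile(r"^ip nat (?:inside|outside) source list\s+(\S+)"), "acl", True),
    (re.compile(r"^ip nat inside source route-map\s+(\S+)"), "route-map", True),
    (re.compile(r"^ip policy route-map\s+(\S+)"), "route-map", False),
]


def find_dangling_refs(config_text):
    """Return (line_no, kind, name, context) for every reference to an
    access list or route-map that is not defined anywhere in the text."""
    defined = {"acl": set(), "route-map": set()}
    refs = []
    context = "global"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        # Forum pastes often lose indentation, so sections are tracked by
        # their header lines rather than by leading whitespace.
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        m = ACL_DEF.match(line)
        if m:
            defined["acl"].add(m.group(1))
            context = "global"
            continue
        m = RMAP_DEF.match(line)
        if m:
            defined["route-map"].add(m.group(1))
            context = "route-map " + m.group(1)
            continue
        if SECTION.match(line):
            context = line
            continue
        for pattern, kind, is_global in REFERENCES:
            m = pattern.match(line)
            if m:
                where = "global" if is_global else context
                # "match ip address" may list several ACLs on one line.
                for name in m.group(1).split():
                    refs.append((lineno, kind, name, where))
                break
    # Definitions may appear after their use, so filter only at the end.
    return [r for r in refs if r[2] not in defined[r[1]]]


if __name__ == "__main__":
    for lineno, kind, name, where in find_dangling_refs(SAMPLE_CONFIG):
        print(f"line {lineno}: {where} references undefined {kind} {name}")
```
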
Similar Messages
-
Help with simple interVlan routing on L3 switch
Hi all - I just can't get my head around this really simple interVlan routing issue. I have two VLANs (1 & 6) on a 3560 L3 switch. I simply need to route between them. Here is how I have it set up:
Firewall is the VLAN1 client's default gateway:
10.10.22.1 /255.255.255.0
3560switch config:
ip subnet-zero
ip routing
VLAN1:
(hosts on 10.10.22.x/255.255.255.0; gateway 10.10.22.1)
int vlan1
ip address 10.10.22.254 255.255.255.0
no shutdown
VLAN6: (hosts on 192.168.25.x/255.255.255.0; gateway 192.168.25.1)
ip address 192.168.25.1 255.255.255.0
no shutdown
ip classless
int gi0/31 (an available unused port)
no switchport
ip address ?.?.?.?
no shutdown
Is the issue that all my 10.10.22.x clients are going to 10.10.22.1 trying to find 192.168.25.x, when they would need to go to 10.10.22.254; then the switch should have an ip route of 0.0.0.0 0.0.0.0 10.10.22.1? Then give the router on gi0/31 the 10.10.22.254 address?
(as a side note, it would be easier for me to change the gateway's IP than to change each VLAN1 client's IP.)
Thanks for any help!
Hi,
With the above configuration vlan 1 users will be going to firewall and if they want to reach vlan 6 firewall should have rule to permit for vlan 6 subnet and route towards vlan 6 interface and which is not there in your network.
Just clarify few things you want firewall to come into picture for every traffic which goes between vlan or not and in interface gi0/31 you will be connecting router also is this router is sending traffic to outside world if yes then you need to change some design configuration to route the traffic from vlans to outside world.
If you want only inter vlan routing between vlan 1 and vlan 6 via firewall then make another zone in firewall and place that in vlan 6 with ip address as given in vlan 1 so that vlan 6 users can point traffic towards vlan 6 interface of firewall and in firewall just permit the vlan 6 communication with vlan 1 and drop a route for vlan 6 towards switch vlan 6 interface.
and if between vlans you don't want firewall to come into picture then the best is create three vlan one for vlan 1,vlan 6 and outside vlan between router and firewall and drop a default route towards firewall. In this case inter vlan routing will be taken care by switch and traffic towards outside world will scanned as per rule given in firewall.
Hope to help
If helpful do rate the post
Ganesh.H -
Using Catalyst 3550 Switch with Linksys Home Router and Cable Internet
I've about pulled what little hair I have out of my head on this one, and need some configuration help.
I have a Cisco Catalyst 3550 switch with five Windows 7 desktops, an Avaya PBX and five Avaya IP phones attached. All of these devices are on a 192.168.0.0/24 subnet, and are communicating properly. I will refer to this as network # 1. I also have SEPARATE network, we'll call network # 2, using AT&T ADSL service and a Netgear 4-port/wireless router/ADSL modem combo device, which is functioning properly with a couple of other Windows 7 desktops over its own wired Ethernet network, using DHCP, and also on a 192.168.0.0/24 subnet. I thought it would be a simple integration, just plugging one of the 3550's ports to one of the DSL router's ports, in order to give the five Windows 7 desktop computers on network # 1 internet access via the DSL modem. Guess I was wrong. When I connect the two switches together, although I get a good connectivity (green lights on both ports) and am able to ping the DSL router's gateway address (192.168.0.252) from network # 1's computers, the computers on network # 1 cannot access the internet. Also, the working computers on network # 2 lose their internet access as long as the two switches are connected together. I am not a Cisco guru, but there's got to be a way to make this scenario work. Can someone provide me with a 3550 configuration that will allow me to extend my internet service from network # 2 on the DSL router to my 3550 switch and their computers? Here's what I am looking for:
INTERNET ---> ADSL MODEM ---> NETGEAR ROUTER ---> CISCO 3550 SWITCH ---> NETWORK DEVICES WITH INTERNET ACCESS
The Netgear router is probably what's doing the natting. Is the 3550 configured for routing or is it straight L2? If you have the 3550 configured as L3, then it's going to be easy to do what you want. Just add a static route on the Netgear to point the subnet that it doesn't know about to the 3550. For example, if the Netgear is addressed at 192.168.1.1 and the Cisco 3550 is addressed at 192.168.1.2, but it also knows about the 192.168.0.0/24 (separate vlan), then you would put a static route on your Netgear for 192.168.0.0/24 to go to 192.168.1.2.
The way that I would do it is to create a separate vlan on the 3550 and assign an address to it. Once you do that, make the port that the other switch connects to an access port of that vlan. (It would need to be on the same subnet as the existing equipment.) All of your devices would use it as a default gateway and then you would do the rest as above. You could also use RIP between the Netgear and Cisco if you can't do static routing.
HTH,
John -
SGE2010 layer 3 problem with intervlan routing setup
I am new to the small business switches and could use some assistance in configuring intervlan routing between multiple vlans on the switch. I have changed the mode to layer 3 and setup the vlans. When I enter an IP address for VLAN2, I am disconnecting from the configuration interface (VLAN1 ip) on the switch and I cannot access the switch unless I reset it. I have tried this several times and each time it behaves the same. Is there something else I need to setup before configuring the ip address for the other VLANs?
Hi Jacqueline,
Thank you for participating in the Small Business support community. My name is Nico Muselle from Cisco Sofia SBSC.
This is the normal way for the switch to behave. There are 2 ways to work around this.
You assign a port to VLAN2. After configuration of the IP address, you connect your PC to this port and make sure it is in the same subnet as the VLAN 2 IP address.
You assign a static IP to the default vlan first and make sure your connected PC is in the same subnet.
The reason for this behaviour is, that the switch has its DHCP client enabled, if no DHCP server is available it will revert to its default IP 192.168.1.254 (through which I assume you connect for configuration).
However, once you configure a static IP on the switch, the DHCP client and the default IP are disabled, which means that the IP address obtained from the DHCP or the default IP of 192.168.1.254 are no longer reachable.
I would go with step 2, as this is the easiest workaround for your issue and you would want a static IP in the default VLAN anyway I suppose.
Hope this helps !
Best regards,
Nico Muselle
Sr. Network Engineer - CCNA -
Branch office setup with L3 switch and router with IOS security
Hello,
I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to setup separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be setup with SVIs to perform routing between VLANs. The port between the router and switch would be setup as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
Any input would be appreciated.
Thanks,
Austin
Thanks for the input.
1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3.
3. The reason a router was purchased over a firewall was that ASA's cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be setup in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing an upwards of 200 IPSec connections.
Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid. -
Dear All,
Please help me about it ...
The same network I have designed and working fine on the RIPV2 but I want it on the OSPF but it works on the packet tracer but not on the GNS3. In this diagram there are multiple areas and there are three ABRs connected to the backbone area. The others interfaces are in the area1, area2 and area3 respectively and in that side I need the intervlan routing.
Is it possible in the ospf the same like in the diagram ?
What type of OSPF (Point to Point or Point to Multipoint ) will be required as the R1 is the backbone router further connected with the Internet on the BGP. ?
Please sir, advise me about it.
Thanks
Best Regards
Ali Khan
Hi Jon,
Thank you very much,
1) The link between the ABRs and R1 is the wireless 1.4gig bridge link on the 5Km distance and the interface is configured with IP ospf network point-to-point.
2) On the packet tracer all the neighbour displayed with its router-id, even on GNS3 but it does not show the route of other interface like area 1 or area 2.. Means the backbone router do not show the routes of other areas..(area 1 or area 2 and area 3)
3) i have tried a lot and i don't think that i missed any route but the backbone area do not show the routes of subinterface (for Vlan, Router on the Stack).
Thanks
Ali -
No 'ip routing' command on switch and yet intervlan routing.
Hi,
In my company's 4500 switch I see there is intervlan routing configured for the 4 Vlans it has but I do not see any 'ip routing' command on it
to enable routing on the switch. Can a switch route even though the command isn't there?
Ran the 'show run all' command and it was there. Thought 'sh run | i ip' would display it but didn't.
Thanks for the command.
We just turned enterprise. I keep forgetting that. -
Using another switch or router with TC???
Do you use another ethernet switch or router with an integrated ethernet switch with your TC??? How do you have things setup?
BTW: I'm running out of physical ethernet ports and I need to use Vonage...
R
If you're out of LAN ports then yes, you need a switch. Plug it into your TC and plug other stuff into the switch. Simple.
When buying a switch, remember one of its ports will be occupied by the connection to the TC. For example, if you're using all three TC LAN ports, buying a five port switch results in a net gain of only three ports: one of them is needed for the uplink, and the one you had to unplug from the TC must now be connected to the switch... three remain.
Fortunately they're not expensive. -
Problem with Cisco 861W router and outgoing VPN
We have a Cisco 861W router that is blocking an outgoing PPTP on the internal access point only. The outgoing VPN works when the traffic is through a wired connection or the connection is on another access point. We fail to make a connection only when connection to the 861W's internal Access Point.
Here is the Access Point Configuration:
Current configuration : 2100 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname obap
enable secret 5 $1$.1RF$go1D7WITXUn3s8TUaw3tC.
no aaa new-model
dot11 syslog
dot11 ssid OLIVER
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 XXXXXXXXXXX
username XXXXXX privilege 15 secret 5 $1$Wc0K$OzcQDDQfjHP6La31eXMoG/
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid OLIVER
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.0.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
banner login ^CC
% Password change notice.
Default username/password setup on AP is cisco/cisco with privilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
^C
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
cns dhcp
end
obap#
Here is the Router's Configuration:
Current configuration : 5908 bytes
! No configuration change since last restart
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname obrouter
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 $1$i9XE$DjxFVAEC9nC4/r6EQKCd6/
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-1856757619
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1856757619
revocation-check none
rsakeypair TP-self-signed-1856757619
crypto pki certificate chain TP-self-signed-1856757619
certificate self-signed 01
quit
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp pool ccp-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 216.49.160.10 216.49.160.66
default-router 192.168.0.1
ip cef
no ip bootp server
ip domain name brushhog.com
ip name-server 216.49.160.10
ip name-server 216.49.160.66
license udi pid CISCO861W-GN-A-K9 sn FTX155281FY
username tech38 privilege 15 secret 5 $1$d/4Z$n/23EsXbzfHF5XfJ8Nv.y0
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXX
no cdp enable
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.25 80 interface Dialer0 80
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Any help would be appreciated
Hello,
i have the same problem with router CISCO861W-GN-E-K9. Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
Can someone help?
Thank you.
Here is my config for internal AP and router. -
Need help InterVlan Routing on SF300-24P? .
Hello
I really need help with Inter vlan routing via Kerio Controll 7.4.1.
I have several SF300-24P switches (IOS 1.3.0.62) and i have created a several VLAN's.
Vlans: Vlan 10, 100, 200 and interface vlan 213 (for management).
I can ping hosts in the same Vlan via this switches. From switch to host, port is in access mode and between switches ports is in Trunk mode
(also i had a problem here, trunk wasn't working until i used command: switchport trunk allowed vlan add all).
Also port is in Trunk mode between KERIO and SW1 (switch). interface is in TRUNK mode from switch's side because i don't know how configure interface TRUNK mode on kerio.
On kerio i have configed one physical interface with IP - 172.16.0.1 255.255.255.0 and on the same interface i have created
VLAN 10, VLAN 100 and VLAN 200.
static IP's for this interfaces:
10.0.0.1 255.255.255.0 VLAN 10
192.168.100.1 255.255.255.0 VLAN 100
192.168.200.1 255.255.255.0 VLAN 200
On KERIO i have created DHCP Lease for each VLAN, but i cannot get IP's from DHCP. So i assigned static IP's to computers
(for example for VLAN100 PC, VLAN 200 PC and so on) but they cannot ping each other when they are in different vlans, so inter vlan routing is not working. but with static IP on the PC, i can ping every VLAN's IP address on KERIO.
so pls tell me how i must configure inter vlan routing on kerio, is it possible?
or what must i do? where is my mistake? maybe when i put IP on physical interface?
here is my configs and pls help and give me config example.
config-file-header
SW1
v1.3.0.62 / R750_NIK_1_3_647_260
CLI v1.0
set system mode switch
file SSD indicator plaintext
vlan database
vlan 10,100,200,213
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname SW1
username administrator password encrypted 7fc3774d79570c81cda124d5dcf80b8ae0fcdd6c privilege 15
username cisco password encrypted 1defefd1f4a214009775b2c2b6b961a77da384b5 privilege 15
interface vlan 10
name Staff
interface vlan 100
name Cards
interface vlan 200
name AP's
interface vlan 213
name Management
ip address 172.16.213.1 255.255.255.0
no ip address dhcp
interface fastethernet1
description MANAGEMENT-VLAN
spanning-tree disable
switchport mode access
switchport access vlan 213
interface fastethernet2
spanning-tree disable
switchport mode general
switchport general acceptable-frame-type untagged-only
interface fastethernet3
spanning-tree disable
switchport mode general
switchport general acceptable-frame-type untagged-only
interface fastethernet4
spanning-tree disable
switchport mode access
switchport access vlan 200
interface fastethernet5
spanning-tree disable
switchport mode access
switchport access vlan 200
interface fastethernet6
spanning-tree disable
switchport mode access
switchport access vlan 100
interface fastethernet7
spanning-tree disable
switchport mode access
switchport access vlan 100
interface gigabitethernet1
description Direction-To-SW2 <--- This port is Trunk, but its not showing here for some reason.
spanning-tree disable
interface gigabitethernet2
description Direction-To-KERIO <--- This port is Trunk also. i used: switchport mode trunk on both interfaces
spanning-tree disable
exit
banner login
SW1
config-file-header
SW2
v1.3.0.62 / R750_NIK_1_3_647_260
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
vlan database
vlan 10,100,200,213
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname SW2
username administrator password encrypted 7fc3774d79570c81cda124d5dcf80b8ae0fcdd6c privilege 15
username cisco password encrypted 1defefd1f4a214009775b2c2b6b961a77da384b5 privilege 15
interface vlan 10
name Staff
interface vlan 100
name Cards
interface vlan 200
name AP's
interface vlan 213
name Management
ip address 172.16.213.2 255.255.255.0
no ip address dhcp
interface fastethernet1
description MANAGEMENT-VLAN
spanning-tree disable
switchport mode access
switchport access vlan 213
interface fastethernet2
spanning-tree disable
switchport mode general
switchport general acceptable-frame-type untagged-only
interface fastethernet3
spanning-tree disable
switchport mode general
switchport general acceptable-frame-type untagged-only
interface fastethernet4
spanning-tree disable
switchport mode access
switchport access vlan 200
interface fastethernet5
spanning-tree disable
switchport mode access
switchport access vlan 200
interface fastethernet6
spanning-tree disable
switchport mode access
switchport access vlan 100
interface fastethernet7
spanning-tree disable
switchport mode access
switchport access vlan 100
interface fastethernet8
spanning-tree disable
switchport mode access
switchport access vlan 100
interface gigabitethernet1
description Direction-To-SW1 <--- This port is Trunk also. i used: switchport mode trunk
exit
banner login
SW2
i have excluded many interfaces because they have same configs.
Yes Kerio is capable for routing. i wanted to make InterVlan routing via kerio Control, but i can't and that's why i asked here, i need to know reason.
I have modified 1 switch to L3, and inter vlan routing its now working (without Kerio) and i hope this switches dont have problem when they are DHCP server also.
thanx for help. I Hope i did not have much mistakes in config. -
Best practice for intervlan routing?
are there some best practices for intervlan routing ?
I've been reading a lot and I have seen these scenarios
router on a stick
intervlan at core layer
intervlan at distribution layer.
or is intervlan needed at all if the switches will do the routing?
I've done all of the above but I just want to know what's current.
The simple answer is it depends because there is no one right solution for everyone.
So there are no specific best practices. For example in a small setup where you may only need a couple of vlans you could use a L2 switch connected to a router or firewall using subinterfaces to route between the vlans.
But that is not a scalable solution. The commonest approach in any network where there are multiple vlans is to use L3 switches to do this. This could be a pair of switches interconnected and using HSRP/GLBP/VRRP for the vlans or it could be stacked switches/VSS etc. You would then dual connect your access layer switches to them.
In terms of core/distro/access layer in general if you have separate switches performing each function you would have the inter vlan routing done on the distribution switches for all the vlans on the access layer switches. The core switches would be used to route between the distribution switches and other devices eg. WAN routers, firewalls, maybe other distribution switch pairs.
Again, generally speaking, you may well not need vlans on the core switches at all ie. you can simply use routed links between the core switches and everything else.
The above is quite a common setup but there are variations eg. -
1) a collapsed core design where the core and distribution switches are the same pair. For a single building with maybe a WAN connection plus internet this is quite a common design because having a completely separate core is usually quite hard to justify in terms of cost etc.
2) a routed access layer. Here the access layer switches are L3 and the vlans are routed at the access layer. In this instance you may not even need vlans on the distribution switches although again to save cost often servers are deployed onto those switches so you may.
So a lot of it comes down to the size of the network and the budget involved as to which solution you go with.
All of the above is really concerned with non DC environments.
In the DC the traditional core/distro or aggregation/access layer was also used and still is widely deployed but in relatively recent times new designs and technologies are changing the environment which could have a big impact on vlans.
It's mainly to do with network virtualisation, where the vlans are defined and where they are not only routed but where the network services such as firewalling, load balancing etc. are performed.
It's quite a big subject so I didn't want to confuse the general answer by going into it but feel free to ask if you want more details.
Jon
-
Switched out router, now no LAN
I had an old router that was dropping my DSL so I switched it out with a new WRT54G. All my computers can connect to the internet but my LAN doesn't work. I can't see any of the network computers and have no file or device sharing. When I switch back to the old router the LAN works fine.
This is my office network and I hella need this to all work as soon as possible.
I'm an idiot about all this stuff. Can anybody help me with this? Thank you.
Steve
Thank you for your assistance but I continue to have LAN problems. When I reinstalled my old router, which also is a Linksys, I went to the web based setup and checked all the settings so as to match them all on the new router. Of particular note is on the Status page I can get a list of the DHCP clients, which show all the computers on the LAN with the old router. I have checked the IP addresses, etc. and enabled DHCP on the new router, but when I go to the Status page and click on the DHCP Clients tab I do not see any of the computers on the LAN.
Additionally, I have already run the Windows Network Setup Wizard after installing the new router, turned off the Windows Firewall, and have also disabled my Norton Internet Security software. None of which seems to make any difference.
Thank you again for your assistance. Any more suggestions?
-
RV320: DHCP Option 82 + DHCP relay at Ethernet switch
We purchased a RV320 router and want to use the DHCP Option 82 IP Assignment in combination with a ZyXEL GS1910-24 Smart Managed Switch.
The switch is able to insert Option 82 Circuit-IDs into DHCP requests, if they are relayed to a specific DHCP server. So there must be configured exactly one IP address of the DHCP server in the switch configuration (eg 192.168.1.1). The problem is, that the RV320 creates different IP subnets for different Circuit-IDs. So the RV320-router has multiple IPs, one unique IP per subnet (192.168.1.1, 192.168.2.1, 192.168.3.1, ...).
How can I use the Option 82 IP assignment with this configuration?
Is a routing/firewall rule at the RV320 a solution (to forward DHCP requests from subnet specific IP - eg 192.168.3.1 - to exactly one IP, eg 192.168.1.1)?
mpyhala,
seems not to work as the RV320 is restricted to 6 custom VLANs (+ 1 Management VLAN with ID 1).
Maybe I should describe the whole scenario, which should be implemented:
The configuration is like for a small hotel: each room should be logically separated from each other (no inter-room traffic for security) and each room's bandwidth should be managed.
Bandwidth management at the RV320 relies on IP addresses. So I need to achieve somehow, that a room (= port number on switch) is always assigned a specific IP address.
14 rooms should be covered in that way.
The problem is currently the link IP<->Switch Port. I thought DHCP option 82 is the way to go, but VLANs (one VLAN for each room) may be also a solution. Unfortunately neither of the two ways works.
What can be a solution? Was the RV320 the wrong decision (not enough flexibility)?
Thanks.
-
My iphone5 wireless performance isnt great with my new router
I've had zero problems before with my old one, but it was giving me NAT problems with my Xbox. So I decided to switch my router and I got the new one. The Cisco EA3500. It works great with my Xbox and PlayStation but it doesn't work so great with my iPhone5. I've noticed that my videos often stop or give me errors on YouTube when they didn't before or when I turn off my wireless. It doesn't matter whether I'm close or far from the router, it is the same bad performance. Are there any settings I can play with??
I'd also like to mention that I have rebooted everything and it has changed nothing. I'm on Wireless N, 2.5 channel.
-
Etherchannel on esw520s and intervlan routing
Hello
I have a couple of uc520s
2 - esw - 520-24p
2 - esw - 520-48p
1 - 3560x switch
The 3560x is our core switch. My uplinks between the core and the 4 esw. I was able to get the etherchannels configured and "working", however the fact that the vlan 1 on the esw is the native vlan, I change the native vlan to be vlan 20 and I'm really struggling with this.
I have 5 vlans configured on the 4 esw switches: data, voice, management, servers, guest.
I can't get the intervlan routing to work properly on the esw. If I configure any vlan on the 3560 I have access to the management vlan,
however if I connect my PC to any port on the esw switches I don't have access to the management vlan at all. For some reason intervlan routing isn't properly working. If I want to have access to the management vlan on the esw switches I need to assign a port on the esw to be on the management vlan.
If I use the common scenario, all the ports being voice + data, I can't manage any of the switches at all.
what else should i do to get this fixed ?
is it something on the ether channels or am i missing something else ?
thanks
Hi,
Can you put up your network in a diagrammatic representation view, so that it will be helpful for more understanding.
Ganesh.H