Cisco 871: VLANS won't communicate with each other

    Hi everyone. I've been tasked with setting up a new Cisco 871. It's actually turning out to be very difficult. I hope someone can help. I've been searching for an answer for days now.

    I've set up 4 VLANs on my 871, with each VLAN assigned to an individual switchport on the 871. Each VLAN can successfully NAT out to the Internet via a small pool of 2 ip addresses given to me by my ISP. The VLANs are:

    VLAN1   192.168.40.0   Router interface 192.168.40.1   Interface FastEthernet0
    VLAN10  192.168.10.0   Router interface 192.168.10.1   Interface FastEthernet1
    VLAN20  192.168.20.0   Router interface 192.168.20.1   Interface FastEthernet2
    VLAN30  192.168.30.0   Router interface 192.168.30.1   Interface FastEthernet3

    I can ping the router interface of any of the VLANs from any other VLAN. For example from VLAN10 I can ping 192.168.20.1 (the router interface of VLAN20). I can ping any external public IP address from any VLAN. But I cannot contact any host from one VLAN to another. For example I can't ping host 192.168.20.2 from VLAN1, 10, or 30.

    I've read I need to make a bridge but as soon as I set one up and tie a VLAN to it, my connection from that VLAN to the Internet dies. I've tried setting up an ACL but once again once I do, my connection to the Internet gets cut the minute I assign it to a VLAN. Maybe I'm not using these correctly.

    I hope someone can point me in the right direction. I have looked at George Ou's solution on TechRepublic but it doesn't help. I've heard SVI could work but I thought I had already set that up. BVIs also seem to cut my connection to the Internet as well.


    Thanks in advance for any advice you can provide.

    Rob


  • #2
    Re: Cisco 871: VLANS won't communicate with each other

    I have configured about 30 871W (871 with wireless) routers for home office use.

    The first problem I encountered with the 870 series was the default IOS would not allow me to create more than 1 vlan. So I had to upgrade the IOS to C870-ADVIPSERVICESK9-M. Then I was able to create multiple VLANs.

    Another thing I noticed on the 870's is vlans are NOT automatically created when you create a vlan interface or assign a vlan to a switchport. I had to manually create the vlans using global config command "vlan 2, vlan 3, etc..." The way I noticed this problem was using "show ip int brief". VLANs 2 and 3 did not show up/up. The protocol was down until I created the vlan definition. Then everything started working.

    The only reason I could see creating a bridged interface is if you are going to bridge both wired and wireless into a single vlan. I do this on the 871W because I want both wired and wireless clients to use the same DHCP pool along with the same access-lists. In your case, I would think a simple vlan interface is all that is required.

    If all else fails, consider posting your configuration.



    • #3
      Re: Cisco 871: VLANS won't communicate with each other

      Thanks Scowles. Wow, 30 871s. You sound like the guy to talk to.

      I checked the config but the Vlans are defined properly. When I run show ip interface brief I get:

      Vlan1 192.168.40.1 YES NVRAM up up
      Vlan10 192.168.10.1 YES NVRAM up up
      Vlan20 192.168.20.1 YES NVRAM up up
      Vlan30 192.168.30.1 YES NVRAM up up


      I'm sure I'm missing something basic. Here is my config. I've chopped a lot of the unnecessary stuff like hostname, crypto, aaa, etc.

      My ISP has provided me with two ip addresses. In the example I'll post them as 123.123.123.19 and 123.123.123.20, with the ISP gateway at 123.123.123.1.
      Subnet provided by ISP is 255.255.255.0.

      My setup (I've cut out a lot of extraneous info)

      !This is the running config of the router: 192.168.40.1
      !----------------------------------------------------------------------------
      !version 12.4

      dot11 syslog
      no ip source-route
      ip cef
      !
      !
      no ip dhcp use vrf connected
      !
      ip dhcp pool sdm-pool1
       import all
       network 192.168.40.0 255.255.255.248
       dns-server 168.126.63.1
       default-router 192.168.40.1
       domain-name MyDomain.net
       lease 7
      !
      ip dhcp pool InternalLAN
       import all
       network 192.168.10.0 255.255.255.240
       domain-name MyDomain.net
       dns-server 168.126.63.1
       default-router 192.168.10.1
       lease 7
      !
      ip dhcp pool GuestLAN
       import all
       network 192.168.30.0 255.255.255.248
       domain-name MyDomain.net
       dns-server 168.126.63.1
       default-router 192.168.30.1
      !
      ip dhcp pool VideoLAN
       import all
       network 192.168.20.0 255.255.255.248
       domain-name MyDomain.net
       dns-server 168.126.63.1
       default-router 192.168.20.1
       lease 7
      !
      ip dhcp pool VCUnit
       host 192.168.20.4 255.255.255.248
       client-identifier 0100.16d3.3d14.10
       client-name Polycomv7000
       default-router 192.168.20.1
       dns-server 168.126.63.1
       lease infinite
      !
      !
      no ip bootp server
      no ip domain lookup
      ip domain name VCUnit.net
      ip name-server 168.126.63.1
      ip auth-proxy max-nodata-conns 3
      ip admission max-nodata-conns 3
      !
      multilink bundle-name authenticated
      !
      !
      class-map type inspect match-any sdm-cls-insp-traffic
       match protocol cuseeme
       match protocol dns
       match protocol ftp
       match protocol h323
       match protocol https
       match protocol icmp
       match protocol imap
       match protocol pop3
       match protocol netshow
       match protocol shell
       match protocol realmedia
       match protocol rtsp
       match protocol smtp extended
       match protocol sql-net
       match protocol streamworks
       match protocol tftp
       match protocol vdolive
       match protocol tcp
       match protocol udp
      class-map type inspect match-all sdm-insp-traffic
       match class-map sdm-cls-insp-traffic
      class-map type inspect match-any sdm-cls-icmp-access
       match protocol icmp
       match protocol tcp
       match protocol udp
      class-map type inspect match-all sdm-invalid-src
       match access-group 100
      class-map type inspect match-all sdm-icmp-access
       match class-map sdm-cls-icmp-access
      class-map type inspect match-all sdm-protocol-http
       match protocol http
      class-map type inspect match-all sdm-nat-vdolive-1
       match access-group 101
       match protocol vdolive
      !
      !
      policy-map type inspect sdm-permit-icmpreply
       class type inspect sdm-icmp-access
        inspect
       class class-default
        pass
      policy-map type inspect sdm-pol-NATOutsideToInside-1
       class type inspect sdm-nat-vdolive-1
        inspect
       class class-default
      policy-map type inspect sdm-inspect
       class type inspect sdm-invalid-src
        drop log
       class type inspect sdm-insp-traffic
        inspect
       class type inspect sdm-protocol-http
        inspect
       class class-default
      policy-map type inspect sdm-permit
       class class-default
      !
      zone security out-zone
      zone security in-zone
      zone-pair security sdm-zp-self-out source self destination out-zone
       service-policy type inspect sdm-permit-icmpreply
      zone-pair security sdm-zp-out-self source out-zone destination self
       service-policy type inspect sdm-permit
      zone-pair security sdm-zp-in-out source in-zone destination out-zone
       service-policy type inspect sdm-inspect
      zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
       service-policy type inspect sdm-pol-NATOutsideToInside-1
      !
      !
      !
      interface FastEthernet0
       description Maintenance LAN Interface
       duplex full
       speed 100
      !
      interface FastEthernet1
       description Office LAN Interface
       switchport access vlan 10
       duplex full
       speed 100
      !
      interface FastEthernet2
       description Video LAN Interface
       switchport access vlan 20
       switchport trunk native vlan 20
       duplex full
       speed 100
      !
      interface FastEthernet3
       description Guest LAN Interface
       switchport access vlan 30
      !
      interface FastEthernet4
       description WAN Interface
       ip address 218.152.49.19 255.255.255.0
       no ip redirects
       no ip unreachables
       no ip proxy-arp
       ip nat outside
       ip virtual-reassembly
       zone-member security out-zone
       ip route-cache flow
       duplex auto
       speed auto
      !
      interface Vlan1
       description Maintenance VLAN
       ip address 192.168.40.1 255.255.255.248
       no ip redirects
       no ip unreachables
       no ip proxy-arp
       ip nat inside
       ip virtual-reassembly
       zone-member security in-zone
       ip route-cache flow
       ip tcp adjust-mss 1452
      !
      interface Vlan10
       description Office VLAN
       ip address 192.168.10.1 255.255.255.240
       ip nat inside
       ip virtual-reassembly
       zone-member security in-zone
      !
      interface Vlan20
       description Video VLAN
       ip address 192.168.20.1 255.255.255.248
       ip nat inside
       ip virtual-reassembly
       zone-member security in-zone
      !
      interface Vlan30
       description Guest VLAN
       ip address 192.168.30.1 255.255.255.248
       ip nat inside
       ip virtual-reassembly
       zone-member security in-zone
      !
      ip forward-protocol nd
      ip route 0.0.0.0 0.0.0.0 123.123.123.1
      !
      !
      ip http server
      ip http access-class 23
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 60 life 86400 requests 10000
      ip nat pool isp_pool 123.123.123.19 123.123.123.20 netmask 255.255.255.0
      ip nat inside source list 1 pool isp_pool overload
      ip nat inside source static 192.168.20.4 123.123.123.20
      !
      logging trap debugging
      access-list 1 remark Internal Networks to Outside 19
      access-list 1 remark SDM_ACL Category=2
      access-list 1 remark Default VLAN Access to Internet
      access-list 1 permit 192.168.40.0 0.0.0.7
      access-list 1 remark Guest VLAN Access to Internet
      access-list 1 permit 192.168.30.0 0.0.0.7
      access-list 1 remark Internal VLAN access to Internet
      access-list 1 permit 192.168.10.0 0.0.0.15
      access-list 1 remark Video VLAN access to Internet
      access-list 1 permit 192.168.20.0 0.0.0.7
      access-list 100 remark SDM_ACL Category=128
      access-list 100 permit ip host 255.255.255.255 any
      access-list 100 permit ip 127.0.0.0 0.255.255.255 any
      access-list 100 permit ip 123.123.123.0 0.0.0.255 any
      no cdp run
      !
      !
      !
      !
      end
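
One way to check, from the config text alone, the two things Scowles' reply in #2 and the config in #3 turn on: whether every access VLAN has an SVI to route it, and which zone-based-firewall zones those SVIs sit in. This is an added Python script, not something the posters ran; it parses a constructed excerpt of the config in #3 (the four switchports and four SVIs). Since all four SVIs are members of the same zone (in-zone), inter-VLAN traffic is intra-zone, which IOS ZBF passes without inspection, so once the hosts answer, the guest VLAN can reach the office VLAN as freely as any other.

```python
import ipaddress
import re

# Constructed excerpt of the 871 config posted in #3: the four switchports and four SVIs.
CONFIG = """\
interface FastEthernet0
interface FastEthernet1
 switchport access vlan 10
interface FastEthernet2
 switchport access vlan 20
interface FastEthernet3
 switchport access vlan 30
interface Vlan1
 ip address 192.168.40.1 255.255.255.248
 zone-member security in-zone
interface Vlan10
 ip address 192.168.10.1 255.255.255.240
 zone-member security in-zone
interface Vlan20
 ip address 192.168.20.1 255.255.255.248
 zone-member security in-zone
interface Vlan30
 ip address 192.168.30.1 255.255.255.248
 zone-member security in-zone
"""

def parse_interfaces(cfg):
    """Map interface name -> access VLAN, configured subnet and zone-based-firewall zone."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"vlan": None, "net": None, "zone": None})
        elif cur is not None:
            s = line.strip()
            if m := re.match(r"switchport access vlan (\d+)", s):
                cur["vlan"] = int(m.group(1))
            elif m := re.match(r"ip address (\S+) (\S+)", s):
                cur["net"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
            elif m := re.match(r"zone-member security (\S+)", s):
                cur["zone"] = m.group(1)
    return ifaces

def inter_vlan_report(cfg):
    """Access VLANs with no SVI (cannot be routed) and the zones the SVIs belong to."""
    ifaces = parse_interfaces(cfg)
    svis = {int(n[4:]): d for n, d in ifaces.items() if n.startswith("Vlan") and d["net"]}
    # No 'switchport access vlan' line means VLAN 1 (Fa0 above); a port with its own 'ip address' is routed, not a switchport.
    access = {d["vlan"] or 1 for n, d in ifaces.items() if not n.startswith("Vlan") and not d["net"]}
    return {"missing_svi": sorted(access - set(svis)),
            "svi_zones": sorted({d["zone"] for d in svis.values()})}
```

A VLAN listed under missing_svi is one the router has no layer-3 interface for, which matches the up/down symptom Scowles describes; if you want the guest VLAN kept apart from the office VLAN, its SVI needs its own zone and a zone-pair policy rather than a seat in in-zone.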




      • #4
        Re: Cisco 871: VLANS won't communicate with each other

        You are not running any routing protocols.
        Try this:

        (config)#router rip
        (config-router)#rip version 2
        (config-router)#network 192.168.10.0
        (config-router)#network 192.168.20.0
        (config-router)#network 192.168.30.0
        (config-router)#network 192.168.40.0
        CCNA, Network+



        • #5
          Re: Cisco 871: VLANS won't communicate with each other

          Originally posted by Daze:
          You are not running any routing protocols.
          Try this:

          (config)#router rip
          (config-router)#rip version 2
          (config-router)#network 192.168.10.0
          (config-router)#network 192.168.20.0
          (config-router)#network 192.168.30.0
          (config-router)#network 192.168.40.0
          Okay, I'll give it a try and report back. Thanks. I'm a little curious though. The router already stores these networks as static routes. RIP is also required when routing between VLANs on the same combo switch-router (like the 871)?

          Rob



          • #6
            Re: Cisco 871: VLANS won't communicate with each other

            Originally posted by Daze:
            You are not running any routing protocols.
            Try this:

            (config)#router rip
            (config-router)#rip version 2
            (config-router)#network 192.168.10.0
            (config-router)#network 192.168.20.0
            (config-router)#network 192.168.30.0
            (config-router)#network 192.168.40.0
            Nice try but that didn't work. Since these routes are static I don't believe the router needs to dynamically route them. At least I hope not.



            • #7
              Re: Cisco 871: VLANS won't communicate with each other

              Can you post the output of the "sh ip route" command and the "sh int" command from the router?



              • #8
                Re: Cisco 871: VLANS won't communicate with each other

                Originally posted by joeqwerty:
                Can you post the output of the "sh ip route" command and the "sh int" command from the router?
                I figured it out. I forgot to turn off the individual firewalls of each of the PCs I was testing. That was blocking ping requests. Turn off the firewall on each PC and the router works.
