VLAN route on a stick

Tags:
Cisco
Cisco 1841
Cisco VLAN
Routers
VLAN
VLAN configuration
Hello guys, I have some concern regarding my VLAN route on a stick. I created 6 VLANs on a Cisco 1841 router on Ethernet port 0/0 with local IP 192.168.2.x, then I created sub-interfaces on the same Ethernet port: 0/0.10, 0/0.11, 0/0.14, 0/0.15. All VLANs route to my local default gateway 192.168.2.x, which can access the internet. Selected users on these VLANs are allowed to have internet access, which they can. But when I add another VLAN 17 with the same setup, I wonder why the VLAN 17 users can't browse/surf the internet ("page cannot be displayed"). I ping my local default gateway 192.168.2.x and also my local DNS 192.168.2.x. I made another VLAN 18 and get the same error. The big question mark is why the selected users on my first four VLANs 10, 11, 14 & 15 can browse/surf the net in the same appliance, same setup. Any idea is highly appreciated. Thanks; Boyet

Answer Wiki


The spec for the 1841 says that it will support 8 VLANs using 802.1q on the 12.4T version of IOS, and although this is not a trunk, the limit of 6 is strange.

You don't normally configure the IP address on the interface; there should be one for each VLAN, configured on the sub-interface. Each VLAN should be a different subnet, and then the router provides the routing between them and the rest of the network. Otherwise there usually isn't any reason to configure different VLANs.

Can you post the version of IOS you are using, and possibly the parts of the config relating to the VLANs? A diagram would also be useful, just a basic one, not huge detail outside the immediate connections to the router.

Then we can get a better idea of exactly what is in the config. Also post why you are doing this solution, so we may be able to propose alternatives.

Discuss This Question: 6 Replies

  • BlankReg
    For the benefit of anyone following this question, here is the config that got posted in a new question, rather than here - BlankReg

    Hello, here's the version of my IOS used and the running config. Sorry, I can't find the way to attach my simple block diagram. Thanks; Boyet

    AAI#sh ver
    Cisco IOS Software, 1841 Software (C1841-IPBASEK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 09-Oct-08 21:25 by prod_rel_team

    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

    AAI uptime is 1 day, 14 hours, 41 minutes
    System returned to ROM by power-on
    System image file is "flash:c1841-ipbasek9-mz.124-22.T.bin"

    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to export@cisco.com.

    Cisco 1841 (revision 7.0) with 116736K/14336K bytes of memory.
    Processor board ID FHK12442F9W
    2 FastEthernet interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    191K bytes of NVRAM.
    31360K bytes of ATA CompactFlash (Read/Write)

    Configuration register is 0x2102

    AAI#sh run
    Building configuration...

    Current configuration : 5209 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname AAI
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    no logging buffered
    enable secret 5 $1$O1Ra$Wdc0OrBbH52eoJd8pcs9q1
    !
    no aaa new-model
    dot11 syslog
    ip source-route
    !
    ip cef
    ip domain name aai.com.ph
    ip name-server 192.168.2.30
    ip name-server 192.168.2.31
    multilink bundle-name authenticated
    !
    username airlift privilege 15 secret 5 $1$NmIv$GCiEqnKxb.cN666R7Xz580
    archive
     log config
      hidekeys
    !
    interface FastEthernet0/0
     description $ETH-LAN$
     ip address 192.168.2.26 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.10
     description NNR$ETH-LAN$
     encapsulation dot1Q 10
     ip address 172.17.2.1 255.255.255.0
     ip access-group 100 in
     no ip redirects
    !
    interface FastEthernet0/0.11
     description EXPORT
     encapsulation dot1Q 11
     ip address 172.16.3.17 255.255.255.240
     ip access-group 103 in
    !
    interface FastEthernet0/0.12
     description TRANSPORT
     encapsulation dot1Q 12
     ip address 172.16.3.1 255.255.255.240
    !
    interface FastEthernet0/0.13
     description FWI
     encapsulation dot1Q 13
     ip address 172.16.4.2 255.255.255.0
     ip access-group 106 in
    !
    interface FastEthernet0/0.14
     description COOP
     encapsulation dot1Q 14
     ip address 172.16.3.34 255.255.255.240
     ip access-group 109 in
    !
    interface FastEthernet0/0.15
     description BBULK
     encapsulation dot1Q 15
     ip address 172.16.7.1 255.255.255.224
     ip access-group 104 in
    !
    interface FastEthernet0/0.16
    !
    interface FastEthernet0/0.17
     description IMPORT
     encapsulation dot1Q 17
     ip address 172.16.7.33 255.255.255.224
     ip access-group 108 in
    !
    interface FastEthernet0/0.18
     description DOMISTIC
     encapsulation dot1Q 18
     ip address 172.16.5.1 255.255.255.224
     ip access-group 110 in
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0/0
    !
    interface FastEthernet0/0/1
    !
    interface FastEthernet0/0/2
    !
    interface FastEthernet0/0/3
    !
    interface Vlan1
     no ip address
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.2.8
    ip route 172.16.4.7 255.255.255.255 192.168.2.11
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    !
    ip dns server
    !
    access-list 100 remark NNR
    access-list 100 deny ip 172.17.2.0 0.0.0.255 172.16.3.0 0.0.0.15
    access-list 100 deny ip 172.17.2.0 0.0.0.255 172.16.3.16 0.0.0.15
    access-list 100 deny ip 172.17.2.0 0.0.0.255 172.16.3.32 0.0.0.15
    access-list 100 deny ip 172.17.2.0 0.0.0.255 172.16.7.0 0.0.0.31
    access-list 100 deny ip 172.17.2.0 0.0.0.255 172.16.7.32 0.0.0.31
    access-list 100 permit ip 172.17.2.0 0.0.0.255 any
    access-list 101 permit tcp host 172.16.3.39 any
    access-list 102 permit tcp host 172.16.3.37 any
    access-list 103 remark VLAN 11
    access-list 103 deny ip 172.16.3.16 0.0.0.15 172.16.3.32 0.0.0.15
    access-list 103 deny ip 172.16.3.16 0.0.0.15 172.17.2.0 0.0.0.255
    access-list 103 permit ip 172.16.3.16 0.0.0.15 any
    access-list 104 remark VLAN15
    access-list 104 deny ip 172.16.7.0 0.0.0.15 172.17.2.0 0.0.0.255
    access-list 104 deny ip 172.16.7.0 0.0.0.15 172.16.3.16 0.0.0.15
    access-list 104 deny ip 172.16.7.0 0.0.0.15 172.16.3.32 0.0.0.15
    access-list 104 permit ip 172.16.7.0 0.0.0.15 any
    access-list 105 permit tcp host 172.16.7.8 any
    access-list 106 remark FWI
    access-list 106 deny ip 172.16.4.0 0.0.0.255 172.17.2.0 0.0.0.255
    access-list 106 deny ip 172.16.4.0 0.0.0.255 172.16.7.0 0.0.0.31
    access-list 106 deny ip 172.16.4.0 0.0.0.255 172.16.7.32 0.0.0.31
    access-list 106 deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.15
    access-list 106 deny ip 172.16.4.0 0.0.0.255 172.16.3.16 0.0.0.15
    access-list 106 deny ip 172.16.4.0 0.0.0.255 172.16.3.32 0.0.0.15
    access-list 106 permit ip 172.16.4.0 0.0.0.255 any
    access-list 108 remark IMPORT
    access-list 108 deny ip 172.16.7.32 0.0.0.31 172.16.7.0 0.0.0.31
    access-list 108 deny ip 172.16.7.32 0.0.0.31 172.16.3.0 0.0.0.15
    access-list 108 deny ip 172.16.7.32 0.0.0.31 172.16.3.32 0.0.0.15
    access-list 108 deny ip 172.16.7.32 0.0.0.31 172.17.2.0 0.0.0.255
    access-list 108 permit ip 172.16.7.32 0.0.0.31 any
    access-list 109 remark COOP
    access-list 109 deny ip 172.16.3.32 0.0.0.15 172.17.2.0 0.0.0.255
    access-list 109 deny ip 172.16.3.32 0.0.0.15 172.16.3.0 0.0.0.15
    access-list 109 deny ip 172.16.3.32 0.0.0.15 172.16.3.16 0.0.0.15
    access-list 109 deny ip 172.16.3.32 0.0.0.15 172.16.7.0 0.0.0.31
    access-list 109 deny ip 172.16.3.32 0.0.0.15 172.16.7.32 0.0.0.31
    access-list 109 permit ip 172.16.3.32 0.0.0.15 any
    access-list 110 remark DOMISTIC
    access-list 110 deny ip 172.16.5.0 0.0.0.31 172.16.3.0 0.0.0.15
    access-list 110 deny ip 172.16.5.0 0.0.0.31 172.16.3.16 0.0.0.15
    access-list 110 deny ip 172.16.5.0 0.0.0.31 172.16.3.32 0.0.0.15
    access-list 110 deny ip 172.16.5.0 0.0.0.31 172.17.2.0 0.0.0.255
    access-list 110 deny ip 172.16.5.0 0.0.0.31 172.16.7.0 0.0.0.31
    access-list 110 deny ip 172.16.5.0 0.0.0.31 172.16.7.32 0.0.0.31
    access-list 110 permit ip 172.16.5.0 0.0.0.31 any
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet
     transport output telnet
    !
    scheduler allocate 20000 1000
    end
    AAI#
  • BlankReg
    Hi Boyet, I have had a quick look (and I mean quick, so I may have missed the obvious!), and as you can see I have moved the config here to make it easier to follow.

    First, let's confirm whether we are looking at a max VLAN issue or some connectivity issue. Try removing the config for the first two VLANs with the 'no interface FastEthernet0/0.10' and 'no interface FastEthernet0/0.11' commands. Reboot, as some of the sub-interface config sticks, and a reboot will make sure it is all gone. Then see if VLANs 17 and 18 work. If they do, then you have hit an issue with the maximum number of VLANs. I presume that this router is connected to a switch. Well then you can use the other interfaces on this router, connect them each to a port on the switch that is in a VLAN not on the trunk, and route in a more conventional way.

    If they still do not work, then maybe there is config on the gateway that is not NATing these, so they cannot get out on the Internet. If I read your original post again, I think you say that VLAN 17 and 18 can ping the gateway; if that is correct then the routing and config on this router would seem to be OK, and I think it probably is the gateway. Anyway, that is something for you to work on. Let us know what the results are (and post them here!). Good luck
  • BlankReg
    Moving the reply to here - Boyet, please use the "Discuss This Answer" button to reply, and do not open a new question each time. Then all of the discussion is kept in the same place and will be much easier to follow.

    Hi, I mean I'm talking about some connectivity issue. Sorry, I forgot to mention this in my previous message. I keep wondering about my VLAN 17 & VLAN 18: if I use the public IP (203.11.23.x) of my local DNS instead of (192.168.2.x), the users' PCs can do surfing/browsing on the net, but if I change back to (192.168.2.x), which is the local DNS my other VLANs use, it doesn't do surfing; URL pages cannot be displayed. But VLAN 10, 11, 14 & 15 users use this (192.168.2.x) DNS and they can browse. Any idea? I can't figure out what the cause is. By the way, I haven't yet tried removing VLAN 10 & 11 because it will hamper the operation of our two departments. Thanks; Boyet
  • BlankReg
    Boyet, please read my previous comment, where I have moved your reply to here. Use the Discuss button; do not open a new question each time.

    This information puts a completely different light on the problem. This looks more like the local DNS does not have a route back to the subnets used on VLAN 17 and 18, or there is some other access control blocking this. Check the config on the DNS. Do a 'route print' command, and check that there are routes to THIS router for the subnets on these VLANs, or a default route to this router, or a route to the 172.16.7.0/24 and 172.16.5.0/24 networks. I suspect it has none of these, just a default route to 192.168.2.8, which I think is your Internet router. Check that this router has routes to the VLAN 17 and 18 subnets. Also, if there is access control (ACL), check that it is not blocking the traffic from the DNS to the subnets for VLAN 17 and 18. This is where I suspect the real problem lies. If it is not immediately obvious, try removing the ACL config from all interfaces on that router, and on this one, just temporarily, and then test if the DNS lookup works. Post the results back here, using the Add to Discussion button, and then we can look at it further if it is still a problem. Regards, Blankreg
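Before pulling the access lists off the interfaces, it is worth knowing what they do to a specific flow. The following is an added example, not code from the thread or from Cisco: it parses IOS numbered ACL lines copied from the config posted above, evaluates a source/destination pair with first-match semantics and the implicit deny that ends every IOS ACL, and lists the hosts of a sub-interface's subnet that no line names as a source. The sample input is limited to ACL 104 (inbound on Fa0/0.15) and ACL 108 (inbound on Fa0/0.17); the host addresses 172.16.7.40, 172.16.7.20 and 172.16.7.5 used in the run are made up. Run against the posted lines it shows that ACL 108 permits a VLAN 17 host to reach the name server 192.168.2.30, so the inbound ACL on this router is not what stops that lookup; it also shows that ACL 104 uses 0.0.0.15 wildcards while Fa0/0.15 is a /27, so 172.16.7.16 to 172.16.7.30 match no line and fall through to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: ACL lines copied from the router config posted in
# this thread (ACL 104 applied on Fa0/0.15, ACL 108 applied on Fa0/0.17).
ACL_LINES = """
access-list 104 remark VLAN15
access-list 104 deny ip 172.16.7.0 0.0.0.15 172.17.2.0 0.0.0.255
access-list 104 deny ip 172.16.7.0 0.0.0.15 172.16.3.16 0.0.0.15
access-list 104 deny ip 172.16.7.0 0.0.0.15 172.16.3.32 0.0.0.15
access-list 104 permit ip 172.16.7.0 0.0.0.15 any
access-list 108 remark IMPORT
access-list 108 deny ip 172.16.7.32 0.0.0.31 172.16.7.0 0.0.0.31
access-list 108 deny ip 172.16.7.32 0.0.0.31 172.16.3.0 0.0.0.15
access-list 108 deny ip 172.16.7.32 0.0.0.31 172.16.3.32 0.0.0.15
access-list 108 deny ip 172.16.7.32 0.0.0.31 172.17.2.0 0.0.0.255
access-list 108 permit ip 172.16.7.32 0.0.0.31 any
"""


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: tuple    # (address, wildcard) as 32-bit ints
    dst: tuple


def _addr(ip):
    return int(ipaddress.IPv4Address(ip))


def _parse_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (_addr(tokens.pop(0)), 0)
    return (_addr(t), _addr(tokens.pop(0)))


def parse_acls(text):
    """Group numbered ACL lines by list number, keeping their order; remarks are skipped."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src = _parse_spec(rest)
        dst = _parse_spec(rest)   # trailing port operators, if any, are ignored here
        acls.setdefault(number, []).append(Ace(action, proto, src, dst))
    return acls


def _matches(spec, ip):
    """Wildcard compare: a set bit in the wildcard means 'don't care'."""
    address, wildcard = spec
    care = 0xFFFFFFFF ^ wildcard
    return (_addr(ip) & care) == (address & care)


def evaluate(acl, src_ip, dst_ip, proto="udp"):
    """First matching entry wins; returns (action, index). A miss returns
    ('deny', None): the implicit 'deny ip any any' IOS appends to every ACL."""
    for index, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return (ace.action, index)
    return ("deny", None)


def uncovered_sources(acl, subnet):
    """Hosts of `subnet` that no entry names as a source. Applied inbound on
    that subnet's sub-interface, the ACL drops everything these hosts send."""
    return [str(h) for h in ipaddress.ip_network(subnet).hosts()
            if not any(_matches(ace.src, str(h)) for ace in acl)]


if __name__ == "__main__":
    acls = parse_acls(ACL_LINES)
    # Made-up VLAN 17 host doing a DNS lookup to the posted name server
    print("VLAN17 -> DNS:   ", evaluate(acls["108"], "172.16.7.40", "192.168.2.30"))
    # The same host trying to reach the VLAN 10 (NNR) subnet
    print("VLAN17 -> VLAN10:", evaluate(acls["108"], "172.16.7.40", "172.17.2.5"))
    # Fa0/0.15 is 172.16.7.0/27 but ACL 104 only names 172.16.7.0 0.0.0.15
    print("VLAN15 hosts no line matches:", uncovered_sources(acls["104"], "172.16.7.0/27"))
```

The evaluator handles only the address part of an entry, which is all the posted ACLs use; port operators on extended entries would need extra parsing. The `uncovered_sources` check is the one to run on every ACL here, since each one is written with source wildcards that must cover the whole sub-interface subnet or the remainder is silently dropped.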
  • Bsm1220
    Hello Blankreg, sorry for the late reply, I just came back from vacation. By the way, I already did what you advised in your previous message: I totally removed VLAN 10 & VLAN 11, saved the config and rebooted the router box, then conducted a series of tests on my VLAN 17 & VLAN 18 user workstations, but they still won't resolve DNS using the local IP / private IP of my DNS box. So I made another simulation by creating VLAN 9, which is a lower VLAN ID, then did the same procedure, but it still failed. During the process I feel weird. The big question on my mind is why my existing VLAN 10, 11, 14 & 15 user workstations can surf/browse the internet using my local IP / private IP DNS while the additional VLANs 17, 18 & 9 can't with the same configuration. I think I need to search more and experiment regarding this matter. Thanks Blankreg for your time and help. Regards; Boyet
  • BlankReg
    Hi Boyet, no problem with the help; it is nice to try and help, and very rewarding when we find the cause of the problem. Did you see my previous reply? If VLAN 17 & 18 work OK when you use a DNS on the Internet, then routing here is not the issue. Can you PING the internal DNS server from these VLANs? Can you PING the IP address of the router in the same subnet as the DNS? If the first works, then look at the config of the DNS to make sure it allows the VLAN 17 & 18 subnets to use it for lookups. If that doesn't work, but the router PING does, then it is routing on the DNS server to the VLAN 17 & 18 subnets. If none of these work, then there are internal routes missing on the DNS router, or there are access lists somewhere preventing this. Try removing all the access lists, temporarily, from all the interfaces, and repeat the tests. Check other routers and do the same there. If it all starts working then you have found the culprit, and need to check each one to find the line that is blocking this. Remember, all access-lists have a deny ip any any at the end. That should keep you looking for a while ;-) Post back here with the results. We will crack this one, if it kills me! Regards, Reg
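The return-path check suggested in the two replies above ('route print' on the DNS server, then see which next hop its replies to the VLAN 17 and 18 subnets would take) can be done offline on the pasted output. The script below is an added example, not from the thread: it parses the IPv4 "Active Routes" section in the layout Windows 'route print' uses, does a longest-prefix lookup for a host in each sub-interface subnet, and flags any VLAN whose replies would not go to this router's LAN address 192.168.2.26. The sub-interface subnets, the router address and the default gateway 192.168.2.8 come from the posted config; the routing table itself is constructed for the example and assumes the DNS host has nothing but a default route, which is exactly the case BlankReg suspects. `with_added_route` models what a static route to the VLAN subnet would change before anyone touches the server.

```python
import ipaddress

# Constructed sample: an IPv4 routing table in Windows 'route print' layout, as it
# might look on the name server 192.168.2.30 if it only has a default route to
# the Internet router 192.168.2.8. Made up for this example.
ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.8    192.168.2.30     10
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link     192.168.2.30    266
     192.168.2.30  255.255.255.255         On-link     192.168.2.30    266
    192.168.2.255  255.255.255.255         On-link     192.168.2.30    266
  255.255.255.255  255.255.255.255         On-link     192.168.2.30    266
===========================================================================
"""

# The VLAN router's address on the 192.168.2.0/24 LAN and the sub-interface
# subnets, all taken from the running config posted in this thread.
ROUTER_ON_LAN = "192.168.2.26"
VLAN_SUBNETS = {
    "VLAN 10": "172.17.2.0/24",
    "VLAN 15": "172.16.7.0/27",
    "VLAN 17": "172.16.7.32/27",
    "VLAN 18": "172.16.5.0/27",
}


def parse_route_print(text):
    """Return (network, gateway, metric) tuples; gateway is None for On-link routes."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            network = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            metric = int(fields[4])
        except ValueError:
            continue   # headers, separators, anything that is not a route row
        gateway = None if fields[2] == "On-link" else ipaddress.ip_address(fields[2])
        routes.append((network, gateway, metric))
    return routes


def lookup(routes, destination):
    """Longest prefix wins, lowest metric breaks ties; None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))


def check_return_paths(routes, subnets, router_ip):
    """For each VLAN subnet: (next hop the host would use, whether that is
    the router owning the sub-interfaces)."""
    expected = ipaddress.ip_address(router_ip)
    report = {}
    for name, subnet in subnets.items():
        probe = next(ipaddress.ip_network(subnet).hosts())   # any host in the subnet
        route = lookup(routes, probe)
        next_hop = None if route is None else route[1]
        report[name] = (str(next_hop), next_hop == expected)
    return report


def with_added_route(routes, subnet, gateway, metric=1):
    """Model 'route add <net> mask <mask> <gw>' without changing the host."""
    return routes + [(ipaddress.ip_network(subnet), ipaddress.ip_address(gateway), metric)]


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for vlan, (hop, ok) in check_return_paths(table, VLAN_SUBNETS, ROUTER_ON_LAN).items():
        print(f"{vlan}: replies go to {hop} -> {'OK' if ok else 'not via the VLAN router'}")
    fixed = with_added_route(table, "172.16.7.32/27", ROUTER_ON_LAN)
    print("VLAN 17 after route add:",
          check_return_paths(fixed, VLAN_SUBNETS, ROUTER_ON_LAN)["VLAN 17"])
```

A "not via the VLAN router" result does not by itself prove the lookup fails; replies then depend on 192.168.2.8 knowing the 172.16.x.x subnets and forwarding them back to 192.168.2.26, which is the check on the Internet router that the replies above also ask for. Running the same parser over 'route print' from the DNS server and over the equivalent output from any other router on 192.168.2.0/24 shows at each hop whether the VLAN 17 and 18 subnets are known at all.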