| |
[HELP] c1812 layer2 VLANS

My 1812 has the following. This is simplified info.
Fa0 to the ISP - ip nat outside
Fa1 - no ip
Fa1.1 ip 192.168.1.0/24 ip nat inside encap dot1q 1 native
Fa1.10 ip 10.10.10.0 /24 ip nat inside encap dot1q 10
Fa1.x trunks to a switch
How can I get the eight layer2 interfaces to participate in vlan1 with Fa1.1?
When I assign to Fa2-9 switchport access vlan 1 nothing happens. When I try to assign an IP to vlan1 it complains it overlaps with Fa1.1 -- which it does. I guess I just want to bridge these. |
|
| |
When you say nothing happens... do you mean that when you do a sho run you don't see the output that says
switchport access vlan 1
shown under the interface output? Well, you won't see this on the output. Switchport access vlan x where x is anything other than 1 will show up, but as 1 is the default it won't be displayed. This is very common with Cisco gear. On your router's switch interfaces, as well as every other IOS switch out there, all ports are part of VLAN 1 by default. |
|
| |
said by markysharkey:
When you say nothing happens... do you mean that when you do a sho run you don't see the output that says
switchport access vlan 1
shown under the interface output? Well, you won't see this on the output. Switchport access vlan x where x is anything other than 1 will show up, but as 1 is the default it won't be displayed. This is very common with Cisco gear. On your router's switch interfaces, as well as every other IOS switch out there, all ports are part of VLAN 1 by default.

That's correct. Nothing appears, as you said it wouldn't. So since on Fa1 I am router on sticking it, the Fa1.1 subinterface is my native dot1q vlan 1. I have that trunked to another switch - no drama. Now I need the 8 layer 2 interfaces (Fa2-9) to participate on that subnet as natives as well. So if I'm tracking what you said, Fa2-9 are already native on vlan1 - but apparently that is a different vlan 1 than the Fa1.1 subinterface. How can I add these ports to Fa1.1? Thanks in advance. If it helps...

interface FastEthernet0
description WAN-Interface
ip ddns update dyndns
ip ddns update no-ip
ip address dhcp
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CBAC-FW out
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet1.1
description LAN-Interface
encapsulation dot1Q 1 native
ip address 192.168.1.254 255.255.255.0
ip access-group 100 in
ip access-group 103 out
ip nat inside
ip virtual-reassembly
!
interface FastEthernet1.10
description Voice-Interface
encapsulation dot1Q 10
ip address 10.1.10.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
|
|
tubbynet
reminds me of the danse russe
MVM join:2008-01-16 Gilbert, AZ |
to dotJake
said by dotJake:
How can I get the eight layer2 interfaces to participate in vlan1 with Fa1.1?

it'll take some work. i don't believe that the isr supports an 'svi' interface. as such - you'll need to run a bvi and perform integrated routing and bridging (irb)
» www.infraworld.eu/bridging-irb/ is a decent way to get started. i can pull out my cisco 871w for a cleaner example if needed.
q. |
|
| |
dotJake
Member
2014-Mar-22 11:32 pm
Thanks tubbynet. If you have a config I would like to see it. I looked at the link you referenced - looks like that might work - kludgy - but whatever.
Maybe I messed up in the beginning and I should have done all routing against vlans instead of .1q subinterfaces? Imma blow this up and see. |
|
tubbynet
reminds me of the danse russe
MVM join:2008-01-16 Gilbert, AZ |
let me see what i can find. was onsite at a customer location today for about 12 hours and my little one gave my wife hell while i was gone. i'm working the night shift for now until my wife can relax.
that being said -- irb is a little kludgy looking -- but on big iron like the asr9k, this is how layer-2 is done. there is no concept of vlan/svi pairs as there is on the multilayer switches -- it's all tagged subifs, bridge groups, and bvi's. they accomplish the same thing -- but this is the difference between routers and switches.
q. |
|
| |
dotJake
Member
2014-Mar-23 12:44 am
No worries. I really appreciate the tip - that link pointed me in the right direction. It's working now and I just need to work out the other VLANs. Here are the relevant parts that made it happen:

interface FastEthernet0
description WAN-Interface
ip ddns update dyndns
ip ddns update no-ip
ip address dhcp
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CBAC-FW out
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
service-policy output SDM-QoS-Policy-1
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
!
interface FastEthernet2
!
interface Vlan1
no ip address
bridge-group 1
!
interface BVI1
description $PRODUCTION_VLAN$
ip address 192.168.1.254 255.255.255.0
ip access-group 100 in
ip access-group 103 out
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
bridge 1 protocol ieee
bridge 1 route ip
|
|
tubbynet
reminds me of the danse russe
MVM join:2008-01-16 Gilbert, AZ |
said by dotJake:
No worries. I really appreciate the tip - that link pointed me in the right direction.

for shits and grins -- is it possible to just make fa1 a trunk using the 'switchport' command, then follow it with the trunk, etc. from there -- you can create the vlan interface and not use the bvi. i'm not sure what is and isn't allowed on those interfaces (i.e. can a "routed" port be a "switched" port).
q. |
|
|
| |
Nope. Int Fa1 doesn't offer switchport. On the 1812 Fa0 & Fa1 are layer3.
The ISR path is working well - thanks again... just recreating what feels like 42000 subinterfaces as BVI's.
Chandler, AZ huh? My company used to be HQ'd there. |
|
| |
to dotJake
said by dotJake:
How can I get the eight layer2 interfaces to participate in vlan1 with Fa1.1?

By default, the 8 switchports on an 181x router already ARE in VLAN1 as markysharkey said. I guess my question is what is it you're trying to do from a design perspective here? Sounds like plain router on a stick... but you also want to use the inbuilt switch on the 1812. Without labbing it up as well, my immediate response would be to set Fa2-9 to "switchport mode trunk" and see if that works. Dumb question, what's your "show vlan-switch" show at this time? Just for shiggles and comparison, here's my own 1811... Fa4 and Fa5 are configured as trunks, but Fa5 does not have a physical connection at this time.

R1811#sh vlan-switch
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa4
50   VLAN0050                         active    Fa2, Fa6
51   VLAN0051                         active    Fa3, Fa7
52   VLAN0052                         active    Fa8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Regards |
|
tubbynet
reminds me of the danse russe
MVM join:2008-01-16 Gilbert, AZ |
said by HELLFIRE:
By default, the 8 switchports on an 181x router already ARE in VLAN1 as markysharkey said.

yes -- but per the op -- he wants to have fa1 in the same vlan as well -- sharing the same ip address space as the vlan 1 ports. this is the perfect use case for a bvi (and on asr9k -- it's the *only* way you can do it since the asr9k has no concept of an svi or a switchport). the only wildcard was if the fa1 on the 181x can actually dumb down to be a switchport. it can't, apparently. the solution that the op has (with a tagged subif as a member of a bridge group) is the exact solution on an asr9k -- as those ports can't be "switched" either -- they have to be bridged.
q. |
|
| |
dotJake
Member
2014-Mar-23 12:59 pm
It's working but something isn't quite right. Routing is 100% - just slow. Speed tests are ~10mb up and down. In the old config it was 30/10 up/down. Maybe MTU-related? I removed MTU-related statements with no change. |
|
tubbynet
reminds me of the danse russe
MVM join:2008-01-16 Gilbert, AZ |
said by dotJake:
It's working but something isn't quite right.

are you pegging the cpu? virtual-reassembly can do that. can you run an iperf/jperf test on two hosts inside of vlan1 to see if it's software switching something?
q. |
|
| |
I can try - might take a bit to iperf test. My PC direct in fa2 on the 1812 pegs at about the ~10mbt point. Interestingly, my Chromebook on Wifi coming into the 1812 on the fa1.1 subinterface gets full speed. Seems to be the 1812 switch ports. |
|
| dotJake |
Theory blown. Moved the WAP to the 1812 fa6 and full speed. I swear if it's this patch cord..... |
|
| |
to dotJake
said by tubbynet:
he wants to have fa1 in the same vlan as well

I may have to lab this up myself with a spare 1811 I've kicking around... design-wise, I think I once considered what the OP was doing, but found it kludgy as heck... I could be remembering incorrectly, tho. If you can OP, can you post the FULL config for review, and not just snippets?
Regards |
|
| |
said by dotJake:
Theory blown. Moved the WAP to the 1812 fa6 and full speed. I swear if it's this patch cord.....

Pinche layer 1. I guess that copper expired overnight. |
|
tubbynet
reminds me of the danse russe
MVM join:2008-01-16 Gilbert, AZ |
said by dotJake:
Pinche layer 1. I guess that copper expired overnight.

beautiful! great to hear.
q. |
|
| tubbynet |
to HELLFIRE
said by HELLFIRE:
but found it kludgy as heck... I could be remembering incorrectly, tho.

it seems kludgy or not depending on the time frame when you started kicking cisco gears around. in the old days -- on the multilayer switches (cat 5000s, etc) you had to set up irb instances to make things work on the route-processor (which was different than the switch processor). then the concept of the svi and switchports came to be on the c6k -- and while it accomplished the same thing -- it "felt" more elegant. now that asr9k and crs gears are in the wild -- the old "router with abilities to bridge packets" is back in full swing. if you peruse [c-nsp] there are a ton of configs on asr9k with eompls/vpls/vpws wherein you define bridge-domains, then a bridge group underneath, and define your tagged subifs and use a bvi if needed for routing. it seems wrong to me -- but that's the way of doing it. i've adjusted to it now -- and it seems commonplace now.
q. |
|
| |
to HELLFIRE
"working" code. Thanks again Tubbynet for pointing me in the bridge direction. It's ugly code - further enhanced by the SDM-generated CBAC rules in need of severe pruning - but it works.
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname 1812.office.core
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$N.98$7Tmlszr.lSATOz3oPFKP./
!
no aaa new-model
clock timezone Pacific -7
!
!
!
!
no ip gratuitous-arps
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.175 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.150
!
ip dhcp pool Dell_Laptop
host 192.168.1.120 255.255.255.0
client-identifier 0124.b6fd.218f.d3
!
ip dhcp pool 192.168.1.0
network 192.168.1.0 255.255.255.0
dns-server 4.2.2.2
default-router 192.168.1.254
netbios-node-type h-node
domain-name xxxxx.local
lease 0 1
!
ip dhcp pool Win7_WS1
host 192.168.1.110 255.255.255.0
client-identifier 0102.215a.f720.f4
!
ip dhcp pool NAS1
host 192.168.1.105 255.255.255.0
hardware-address 00d0.b80e.6456
!
ip dhcp pool RasPi_1
host 192.168.1.150 255.255.255.0
client-identifier 01b8.27eb.ff10.30
!
ip dhcp pool Camera_1
host 192.168.1.130 255.255.255.0
client-identifier 0100.ea21.635a.0f
!
ip dhcp pool Dell_Laptop_WiFi
host 192.168.1.115 255.255.255.0
client-identifier 014c.eb42.185d.9e
!
ip dhcp pool VMWare_ESXi
host 192.168.1.125 255.255.255.0
client-identifier 0100.237d.9bfb.20
!
ip dhcp pool Arduino_Mega_2560
host 192.168.1.155 255.255.255.0
client-identifier 0100.1036.0025.60
!
!
ip domain name xxxxx.local
ip name-server 4.2.2.2
ip inspect log drop-pkt
ip inspect name CBAC-SIP sip audit-trail on
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp router-traffic
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM sip audit-trail on
ip inspect name SDM_MEDIUM pptp audit-trail on
ip inspect name SDM_MEDIUM http
ip ddns update method dyndns
HTTP
add http://xxxxx::-)xxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=xxxxx.dyndns.org&myip=
remove http://xxxxx::-)xxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=xxxxx.dyndns.org&myip=
interval maximum 28 0 0 0
!
ip ddns update method no-ip
HTTP
add http://jason@xxxxx.com:xxxxx@dynupdate.no-ip.com/nic/update?hostname=xxxxx.no-ip.org&myip=
remove http://jason@xxxxx.com:xxxxx@dynupdate.no-ip.com/nic/update?hostname=xxxxx.no-ip.org&myip=
interval maximum 1 0 0 0
!
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group PPTP
request-dialin
protocol pptp
rotary-group 2
initiate-to ip xxx.xxx.xxx.xxx
!
!
!
username admin password 7 xxxxx
archive
log config
hidekeys
!
!
!
class-map match-any SDM-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any SDM-Signaling-1
match dscp cs3
match dscp af31
class-map match-any SDM-Routing-1
match dscp cs6
class-map match-any SDM-Voice-1
match dscp ef
class-map match-any SDM-Management-1
match dscp cs2
!
!
policy-map SDM-QoS-Policy-1
class SDM-Voice-1
priority percent 33
class SDM-Signaling-1
bandwidth percent 5
class SDM-Routing-1
bandwidth percent 5
class SDM-Management-1
bandwidth percent 5
class SDM-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
!
bridge irb
!
!
!
interface FastEthernet0
description $ES_LAN$$FW_OUTSIDE$
ip ddns update dyndns
ip ddns update no-ip
ip address dhcp
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_MEDIUM out
no ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
service-policy output SDM-QoS-Policy-1
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
!
interface FastEthernet1.10
encapsulation dot1Q 10
bridge-group 10
!
interface FastEthernet1.20
encapsulation dot1Q 20
bridge-group 20
!
interface FastEthernet1.30
encapsulation dot1Q 30
bridge-group 30
!
interface FastEthernet1.40
encapsulation dot1Q 40
bridge-group 40
!
interface FastEthernet1.50
encapsulation dot1Q 50
bridge-group 50
!
interface FastEthernet1.60
encapsulation dot1Q 60
bridge-group 60
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan10
no ip address
bridge-group 10
!
interface Vlan20
no ip address
bridge-group 20
!
interface Vlan30
no ip address
bridge-group 30
!
interface Vlan40
no ip address
bridge-group 40
!
interface Vlan50
no ip address
bridge-group 50
!
interface Vlan60
no ip address
bridge-group 60
!
interface Dialer2
description "PPTP dialer to xxxxx"
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer in-band
dialer idle-timeout 60
dialer string 1
dialer vpdn
dialer-group 1
no peer neighbor-route
no cdp enable
ppp pfc local forbid
ppp pfc remote reject
ppp encrypt mppe 128
ppp authentication ms-chap-v2 callin
ppp eap refuse
ppp chap hostname xxxxx
ppp chap password 7 xxxxx
ppp chap refuse
ppp ms-chap refuse
!
interface BVI1
description $FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip access-group 100 in
ip access-group 103 out
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface BVI10
description $FW_INSIDE$
ip address 10.1.10.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface BVI20
description $FW_INSIDE$
ip address 10.1.20.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface BVI30
description $FW_INSIDE$
ip address 10.1.30.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface BVI40
description $FW_INSIDE$
ip address 10.1.40.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface BVI50
description $FW_INSIDE$
ip address 10.1.50.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface BVI60
description $FW_INSIDE$
ip address 10.1.60.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 10.33.57.21 255.255.255.255 Dialer2
ip route 10.39.35.0 255.255.255.0 Dialer2
ip route 10.44.16.51 255.255.255.255 Dialer2
ip route 10.44.16.126 255.255.255.255 Dialer2
ip route xxx.xxx.xxx.xxx 255.255.255.255 FastEthernet0
!
!
ip http server
no ip http secure-server
no ip nat service sip tcp port 5060
ip nat inside source static tcp 192.168.1.105 20 interface FastEthernet0 20
ip nat inside source static tcp 192.168.1.105 21 interface FastEthernet0 21
ip nat inside source static tcp 192.168.1.110 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.1.131 8001 interface FastEthernet0 8001
ip nat inside source static tcp 192.168.1.155 2560 interface FastEthernet0 2560
ip nat inside source static tcp 192.168.1.150 314 interface FastEthernet0 314
ip nat inside source route-map xxxxx interface FastEthernet0 overload
ip nat inside source route-map xxxxx interface Dialer2 overload
!
ip access-list standard VTY_Allowed
remark *** List of hosts allowed to telnet/SSH in ***
permit 192.168.1.0 0.0.0.255
!
ip access-list extended xxxxx
remark *** Hosts allowed to reach xxxxx ***
permit ip 192.168.1.0 0.0.0.255 any
permit ip 10.1.0.0 0.0.255.255 host 64.154.41.158 dscp ef log-input
ip access-list extended xxxxx
permit ip 10.1.0.0 0.0.255.255 host 10.44.16.51 log-input
permit ip 192.168.1.0 0.0.0.255 host 10.44.16.51 log-input
permit ip 192.168.1.0 0.0.0.255 host 10.44.16.126 log-input
permit ip 192.168.1.0 0.0.0.255 10.39.35.0 0.0.0.255 log-input
permit ip 192.168.1.0 0.0.0.255 host 10.33.57.21 log-input
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark Auto generated by SDM for NTP (123) 169.229.70.183
access-list 100 permit udp host 169.229.70.183 eq ntp host 192.168.1.254 eq ntp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit gre host 192.168.1.115 any log-input
access-list 100 permit gre host 192.168.1.120 any log-input
access-list 100 deny gre any any log-input
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) 169.229.70.183
access-list 101 permit udp host 169.229.70.183 eq ntp host 10.1.10.1 eq ntp
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 permit udp host 64.154.41.158 any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any any eq 314
access-list 102 permit tcp any any eq 2560
access-list 102 permit tcp any any eq 8001
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit udp host 4.2.2.2 eq domain any
access-list 102 remark Auto generated by SDM for NTP (123) 169.229.70.183
access-list 102 permit udp host 169.229.70.183 eq ntp any eq ntp
access-list 102 permit gre host 208.34.201.15 any
access-list 102 permit gre any any
access-list 102 deny ip 10.1.10.0 0.0.0.255 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 103 permit gre any host 192.168.1.120 log-input
access-list 103 permit gre any host 192.168.1.115 log-input
access-list 103 deny gre any any log-input
access-list 103 permit ip any any log-input
dialer-list 1 protocol ip permit
!
!
!
route-map xxxxx permit 10
match ip address xxxxx
match interface FastEthernet0
!
route-map xxxxx permit 10
match ip address xxxxx
match interface Dialer2
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
bridge 40 protocol ieee
bridge 40 route ip
bridge 50 protocol ieee
bridge 50 route ip
bridge 60 protocol ieee
bridge 60 route ip
!
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class VTY_Allowed in
password 7 xxxxx
login local
transport input telnet ssh
line vty 5 15
no login
!
ntp clock-period 17180324
ntp update-calendar
ntp server 169.229.70.183 prefer
!
webvpn cef
end
|
|
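The config above moves each gateway address and ACL from a routed subinterface onto a BVI, once per bridge group. As an added example (not code from the thread or from any poster), this Python check confirms that every bridge group in an IOS config has `bridge N route ip` and a BVI carrying an address and an inbound ACL; the function names, issue labels and the constructed `SAMPLE` config are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the structure of the config posted above.
# Bridge group 20 is deliberately left incomplete to produce findings.
SAMPLE = """\
bridge irb
!
interface FastEthernet1.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet1.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Vlan20
 no ip address
 bridge-group 20
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
interface BVI20
 ip address 10.1.20.1 255.255.255.0
 ip nat inside
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 20 protocol ieee
"""


def parse(config):
    """Split a config into global lines and {interface: [sub-commands]}.

    Blocks are delimited by '!' rather than indentation, so a paste that
    lost its leading spaces (as forum posts often do) still parses.
    """
    globals_, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None:
            ifaces[current].append(line)
        else:
            globals_.append(line)
    return globals_, ifaces


def audit_irb(config):
    """Return (bridge_group, issue) pairs; an empty list means consistent."""
    globals_, ifaces = parse(config)
    findings = []
    if "bridge irb" not in globals_:
        findings.append((0, "bridge-irb-not-enabled"))
    members = defaultdict(list)  # bridge group number -> member interfaces
    for name, cmds in ifaces.items():
        for cmd in cmds:
            m = re.fullmatch(r"bridge-group (\d+)", cmd)
            if m:
                members[int(m.group(1))].append(name)
    for group in sorted(members):
        # Without 'route ip' the group only bridges IP; the BVI never routes it.
        if f"bridge {group} route ip" not in globals_:
            findings.append((group, "no-route-ip"))
        bvi = ifaces.get(f"BVI{group}")
        if bvi is None:
            findings.append((group, "no-bvi"))
            continue
        if not any(re.match(r"ip address \d", c) for c in bvi):
            findings.append((group, "bvi-no-address"))
        # The ACL that filtered the old routed subinterface has to be
        # re-applied on the BVI, or the VLAN is routed unfiltered.
        if not any(re.fullmatch(r"ip access-group \S+ in", c) for c in bvi):
            findings.append((group, "bvi-no-inbound-acl"))
    return findings


if __name__ == "__main__":
    for group, issue in audit_irb(SAMPLE):
        print(f"bridge group {group}: {issue}")
```

Group 0 in the output is used for the global `bridge irb` finding, which is not tied to a single bridge group.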
| |
to dotJake
said by tubbynet:
on the multilayer switches (cat 5000s, etc)

I'm scared already tubbynet, I mean I like looking at stuff from a historical perspective, but .... yikes!...

Thanks for the config dotJake ... so again, as a question, "what are you trying to do from a design perspective?" Fa0 is your WAN interface, and Fa1 is subinterfaces / router on a stick, you have VLAN interfaces on the 1812, but you've no SVIs... what exactly are you trying to do at the end of the day? Again, this is just my 00000010bits -- let Fa0 and Fa1 do what they do best, layer 3 routing, and Fa 2 - 9 do what they do best, layer 2 switching, and have your VLAN interfaces as SVI / default gateway for the different VLANs you're doing.
Regards |
|
| |
dotJake
Member
2014-Mar-27 11:53 am
Hellfire - Here's a 30,000' view. My ISP hands off in the front room. I have a single data run to my lab area where the rest of the world wires back to. That's why I wanted to trunk all of the vlans back to the 1812. A layer 3 switch would have been great, but for the time this is what I have to work with. I was trying to leverage the L2 ports on the 1812 for the media center stuff since wireless isn't always perfect and I didn't want to "waste" a L2 port in case (read: when) I add more things to the media center area. |
|
tubbynet
reminds me of the danse russe
MVM join:2008-01-16 Gilbert, AZ |
to HELLFIRE
said by HELLFIRE:
let Fa0 and Fa1 do what they do best, layer 3 routing, and Fa 2 - 9 do what they do best, layer 2 switching, and have your VLAN interfaces as SVI / default gateway for the different VLANs you're doing.

what if you want the same vlans on fa2 - 9 to exist on fa1 as well? ;-P
q. |
|
| |
to dotJake
said by dotJake:
I was trying to leverage the L2 ports on the 1812 for the media center stuff since wireless isn't always perfect and I didn't want to "waste" a L2 port in case (read: when) I add more things to the media center area.

...and another layer 2 switch for "expansion" isn't in the cards, I'm guessing? Fair enough... those are design questions, and usually defer those to the "whoever wants it in the first place / is paying for it" guy

@tubbynet ...then get a bloody switch! That's what! XP I'm all for flexibility, but I also stick to the "don't force fit a 5" square peg into a 2" round hole" rule.
Regards |
|
TomS_
Git-r-done
MVM join:2002-07-19 London, UK |
to dotJake
edit: what on earth, no replies showed up until I posted mine? Seems the topic has already been covered pretty well.

said by dotJake:
How can I get the eight layer2 interfaces to participate in vlan1 with Fa1.1?

Short answer: you can't.
Slightly longer answer: Fa0 and Fa1 are routed ports, Fa2-9 are switched ports. They are logically separated within the router. You could probably do it with a bridge-group, but this will likely have a major performance impact on the router as every packet between Fa1 and Fa2-9 will need to be switched through software.
There are three options I can think of:
1. Connect a second cable, from your switch in VLAN 1 to something like Fa2, giving you Fa3-9 as switched ports in VLAN1. Maximum 7 extra ports.
2. Connect Fa1 to Fa2 and trunk between them, and Fa3 to your switch and trunk between them as well. Then put Fa4-9 in to VLAN 1 on the router itself. Maximum 6 extra ports.
3. Ditch Fa1 and use something like Fa2 to trunk to the switch, using SVIs on the router (e.g. "interface VlanX" interfaces). Maximum 7 extra ports.
Either way you're only going to be able to use a maximum of 7 ports, or you'll have to take a performance hit to software switch between them. |
|
tubbynet
reminds me of the danse russe
MVM join:2008-01-16 Gilbert, AZ |
said by TomS_:
You could probably do it with a bridge-group, but this will likely have a major performance impact on the router as every packet between Fa1 and Fa2-9 will need to be switched through software.

how do you figure? hint -- this is on an isr -- everything is done in software ;-P my routed interfaces handle vlan tags -- otherwise i couldn't do tagged subifs. my bvi creates a cef table the same way any svi would. my bridge-group is creating the broadcast separation function of a vlan. i'm looking for the differences. i can't find any.
q. |
|
| tubbynet |
to HELLFIRE
said by HELLFIRE:
...then get a bloody switch! That's what! XP

you mean i need to put a 2950 in front of my multi-million dollar asr9k??!
» www.cisco.com/c/en/us/su ··· -00.html
again -- move past the fact that bridge-groups/bvi are a kludge. i know it sounds wrong -- but this is how you handle "real routers" and not "switches with a router half-baked on top".
q. |
|
TomS_
Git-r-done
MVM join:2002-07-19 London, UK |
to tubbynet
said by tubbynet:
everything is done in software

Except switching between the switched ports. |
|
tubbynet
reminds me of the danse russe
MVM join:2008-01-16 Gilbert, AZ |
said by TomS_:
Except switching between the switched ports.

on the same vlan ;-P
q. |
|
TomS_
Git-r-done
MVM join:2002-07-19 London, UK |
TomS_
MVM
2014-Mar-27 6:23 pm
Yes, but that's all he wanted, from what I gathered. |
|