Cisco 881 config help


phtechinc
I am trying to configure a Cisco 881 router to have multiple VLANs and share the internet connection.

I'm a noob with this stuff and I'm stuck.
This is what I have so far.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
!
!
ip source-route
ip dhcp excluded-address 192.168.9.1
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.201 192.168.10.254
ip dhcp excluded-address 192.168.11.1 192.168.11.99
ip dhcp excluded-address 192.168.11.201 192.168.11.254
ip dhcp excluded-address 192.168.12.1 192.168.12.99
ip dhcp excluded-address 192.168.12.201 192.168.12.254
!
ip dhcp pool vlan2
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.9.1
!
ip dhcp pool vlan3
 import all
 network 192.168.11.0 255.255.255.0
 default-router 192.168.9.1
!
ip dhcp pool vlan4
 import all
 network 192.168.12.0 255.255.255.0
 default-router 192.168.9.1
!
!
ip cef
!
!
!
!
username name privilege 15 secret 5 $1$P4qP$h1hBpRrCmd2ZfOk/g9/yX0
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description Blank LAN
!
interface FastEthernet1
 description Lawson LAN
 switchport access vlan 2
!
interface FastEthernet2
 description Ivey LAN
 switchport access vlan 3
!
interface FastEthernet3
 description Katz LAN
 switchport access vlan 4
!
interface FastEthernet4
 description WAN
 ip address 192.168.9.1 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan4
 ip address 192.168.12.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
banner login ^CThis is a secure system. Authorized Personnel Only!^C
!
line con 0
 password console
 logging synchronous
 login
 no modem enable
line aux 0
 password backdoor
 login
line vty 0 4
 password telnet
 login
!
scheduler max-task-time 5000
end
  • +
    0 Votes
    tecmjl1981

    You have a good configuration down so far, but you are missing a few things.

    1) The default gateways on your DHCP scope should be the IP Addresses of the VLAN they belong to, so below is how it should be configured:
    ip dhcp pool vlan2
     import all
     network 192.168.10.0 255.255.255.0
     default-router 192.168.10.1
    !
    ip dhcp pool vlan3
     import all
     network 192.168.11.0 255.255.255.0
     default-router 192.168.11.1
    !
    ip dhcp pool vlan4
     import all
     network 192.168.12.0 255.255.255.0
     default-router 192.168.12.1

    Now you also need a nat rule, here is what I suggest

    First - Create the ACLs
    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 1 permit 192.168.11.0 0.0.0.255
    access-list 1 permit 192.168.12.0 0.0.0.255

    Second - Apply the ACLs to the NAT rule
    ip nat inside source list 1 interface FastEthernet4 overload

    Third - Tell the router which interfaces are
    IP NAT INSIDE (all VLANS)
    and
    IP NAT OUTSIDE (FastEthernet4)

    Finally, you need a route to the outside (gateway of last resort)
    that would be (depending on if your outside IP is given out via DHCP)
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    OR
    ip route 0.0.0.0 0.0.0.0 DHCP

    If you have any further questions feel free to message me!

    Thanks,
    Mike

    +
    0 Votes
    phtechinc

    Thank you for your insight.
    I've added the configurations you have suggested. I am getting "% Incomplete command." on the third step about adding IP NAT INSIDE (all Vlans) and IP NAT OUTSIDE (fastethernet4).
    Could you explain? I've tried the ? approach to figure it out myself, but I'm stuck again.
    Thanks

    +
    0 Votes
    phtechinc

    @ tecmj198
    Never mind. I got the configurations to work through step 3. I'm not sure about the 4th.
    The fa04 (WAN) connects to the cable modem. I'm assuming it's DHCP, but how can I be sure?
    Can I use both configurations to get it to work?
    Thanks

    +
    0 Votes
    tecmjl1981

    I use my 881W through my cable modem. You have to tell int Fa4 that he is getting an address through DHCP. That command under Fa0/4 is
    ip address DHCP
    Then you can use either IP route statement. I used the following:
    ip route 0.0.0.0 0.0.0.0 DHCP

    Also, one mistake that I made: make sure in global config you type IP DOMAIN LOOKUP (I forget if there is a - between domain and lookup, but IP D? will help you out).

    Let me know how it works out!
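
The NAT steps from the first reply and the DHCP-addressed WAN port from this one, written out as the commands IOS expects. This is an added example, not a config posted by anyone in the thread; it assumes the cable modem hands FastEthernet4 its address via DHCP.

```cisco
! Added example, not from the thread. Enter from global configuration mode.
! Step 1: which inside addresses may be translated
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.0.255
!
! Step 2: overload (PAT) onto whatever address FastEthernet4 holds
ip nat inside source list 1 interface FastEthernet4 overload
!
! Step 3: "ip nat inside" / "ip nat outside" are interface sub-commands.
! Typed in global config, "ip nat inside" on its own is an incomplete command.
interface Vlan2
 ip nat inside
!
interface Vlan3
 ip nat inside
!
interface Vlan4
 ip nat inside
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 no shutdown
!
! Step 4: default route learned from the DHCP lease
ip route 0.0.0.0 0.0.0.0 dhcp
!
! Checks from exec mode:
!   show ip interface brief     (FastEthernet4 should list Method "DHCP")
!   show dhcp lease             (address and gateway received from the modem)
!   show ip nat translations    (entries appear once a LAN host browses out)
```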

    +
    0 Votes
    tecmjl1981

    You might want to start Cisco Configuration Professional and see about setting up a firewall as well. The GUI will walk you through everything you need.

    And I would change your VTY and CON passwords, as we all saw them :)

    +
    0 Votes
    phtechinc

    Thank you again for the assist.
    I will try to get that config running right now.

    As for Cisco Configuration Professional, I've tried it numerous times, never could get it to discover the device. Maybe I was missing something like the correct ip/hostname.. or username & passwords.

    +
    0 Votes
    tecmjl1981

    You are most welcome!

    All you are missing is the following lines you need to add in global config

    IP HTTP SERVER
    IP HTTP AUTHENTICATION LOCAL

    The first command tells it to be able to accept HTTP messages and the second tells the authentication to go to the local database (which you have a user created already).

    In case you don't know, the user(s) who will be accessing CCP or SDM need to have a priv level of 15, which your user account has. If it needed it, this is the command you put into global config

    username <name> priv 15 secret <password>

    If you need any further help please don't hesitate to ask.
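
A hardened variant of the management settings discussed in this thread: the HTTP server lines above and the console/AUX/VTY passwords that were posted in clear text. This is an added example, not a config from the thread; the hostname, domain name, ACL number 10, the choice of VLAN 2 as the management LAN and the `<...>` values are placeholders.

```cisco
! Added example, not from the thread. Values in <...> are placeholders.
service password-encryption
no enable password
enable secret <new-enable-secret>
!
! CCP over HTTPS only, authenticated against the local user database,
! reachable from one LAN (VLAN 2 chosen here as an assumption)
access-list 10 permit 192.168.10.0 0.0.0.255
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
! SSH key generation needs a non-default hostname and a domain name
hostname edge-881
ip domain-name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Per-user logins replace the shared line passwords that were posted
line con 0
 no password
 login local
line aux 0
 no password
 no exec
 transport input none
line vty 0 4
 no password
 access-class 10 in
 login local
 transport input ssh
!
! Check from exec mode:
!   show ip ssh                 (SSH enabled, version 2.0)
!   show ip http server status  (HTTP disabled, secure server enabled)
```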

    +
    0 Votes
    phtechinc

    Everything is working; VLANs are giving out addresses, internet access. Thanks tecmjl

    One thing I may have forgot to explain in detail is that I was hoping to keep the networks (VLANs, IPs) separate from each other.

    I'm assuming this can be done with access lists. I'm just not understanding how it's done. At the moment, pings are getting through to each network.

    Any help would be appreciated.

    +
    0 Votes
    tecmjl1981

    Yes, you can do it with ACLs. If you understand how ACLs work, then blocking access shouldn't be a problem. You can do it by network or by host.

    If you want help, let me know what you are looking to do and I will help you out.

    Mike

    +
    0 Votes
    phtechinc

    I would like to limit access from each network (or VLAN). So vlan1 should not be able to access vlan 2 and vlan 3... by access I mean ping... or I may not be understanding how this all works.
    And so on: vlan 2 should not have access to vlan 1 or vlan 3, and vlan 3 should not have access to vlan 1 or vlan 2.

    An example would be to keep each network visible to only that network IP: .10 or .11 or .12

    I've tried creating access-lists to permit then deny others, but it didn't work. I even upgraded access-list to 101 but it still didn't work. And now also, I can't get out to the internet..

    Thanks so much for your input.

    +
    0 Votes
    tecmjl1981

    Can you elaborate more?

    You only want to block pings or all inter-VLAN access?

    +
    0 Votes
    phtechinc

    I want to block all traffic from each VLAN network. Example: I have two workstations connected to the router on different FastEthernet ports (VLANs/networks), .10.100 & .12.100

    If I share a folder on the .12.100 workstation, I do not want the .10.100 network to get access to this folder (or ping reply or any other communication...) by using the run box and typing \\192.168.12.100

    The ultimate goal is to have three separate networks running through this router without communication to the others
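
One way to get the isolation described above with extended ACLs, applied inbound on each VLAN interface. This is an added example, not a config from the thread; the ACL numbers 102-104 are arbitrary, while the subnets and interfaces are the ones in the posted config.

```cisco
! Added example, not from the thread. ACL numbers 102-104 are arbitrary.
! Each ACL filters traffic entering the router from one VLAN:
!   1. let DHCP requests (source 0.0.0.0) reach the router's DHCP server
!   2. drop anything addressed to the other two LANs
!   3. permit the rest, i.e. the local gateway and the Internet
! Every ACL ends with an implicit "deny ip any any", so without line 3
! the VLAN loses Internet access as well.
access-list 102 permit udp any eq bootpc any eq bootps
access-list 102 deny   ip any 192.168.11.0 0.0.0.255
access-list 102 deny   ip any 192.168.12.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 103 permit udp any eq bootpc any eq bootps
access-list 103 deny   ip any 192.168.10.0 0.0.0.255
access-list 103 deny   ip any 192.168.12.0 0.0.0.255
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
!
access-list 104 permit udp any eq bootpc any eq bootps
access-list 104 deny   ip any 192.168.10.0 0.0.0.255
access-list 104 deny   ip any 192.168.11.0 0.0.0.255
access-list 104 permit ip 192.168.12.0 0.0.0.255 any
!
interface Vlan2
 ip access-group 102 in
!
interface Vlan3
 ip access-group 103 in
!
interface Vlan4
 ip access-group 104 in
!
! Check from exec mode: "show access-lists" prints per-line match counters.
! A ping or \\192.168.12.100 attempt from 192.168.10.100 should fail and
! increment the second deny line of ACL 102.
```

Filtering inbound on every VLAN interface blocks both directions between any two LANs, because the replies never make it back through the other VLAN's ACL.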

    +
    0 Votes
    desi

    We have a client with an 881 and it does something we are not used to seeing. The router rejects all public traffic from Monster.com and its supported sites such as usajobs.gov. All other port 80 web site traffic is processed normally.

    Not sure what to show, but we do have the entire script which is probably not necessary. What happens is that it sees the site but states that this site requires a password. The site does not require passwords or any other log in information to access available jobs.

    +
    0 Votes
    jamblaster

    I used this walkthrough and my CCNA notes to configure my 881 to work with a Trendnet DSL router, but now I have switched ISPs and I need to get it to work with a PPPoE connection and a Dlink DSL modem. None of the online guides have helped me so far because the 881 router is missing a pppoe option in the vpdn-group configuration option. Any help would be great.
