
VLANs in Cisco Routers

  • If you have a separate interface for each VLAN, you only need to set an IP address on each interface and the router will route between them.
  • When you have a single interface attached to a trunk port on a switch, you need “Router on a stick”: one physical interface carrying several 802.1Q-tagged VLANs, each terminated on its own subinterface.

VLANs on the switch of a Cisco 877

Here's how to configure a Cisco 877 with a second VLAN for guest access. The guests should be allowed access to the Internet but not the private LAN; however, we have the option to open up some resources on the private LAN which they *can* access.

Note: You'll need the Advanced IP Services firmware for this. The Advanced Security firmware only allows a single VLAN.

For this example we'll assume the private LAN is 192.168.1.0 attached to fa0 and the guests are 192.168.2.0 on fa1. Remember that each VLAN must be on a different subnet.

First, check if there are any existing VLANs:

show vlan-switch brief

Now create a new VLAN:

conf t
vlan 2
  name Guests VLAN
! fa1 on an 877 is a layer-2 switchport: it gets the VLAN assignment only
int fa1
  no shut
  switchport access vlan 2
! the IP address belongs on the VLAN's SVI (interface Vlan2), not on fa1
int vlan 2
  ip address 192.168.2.254 255.255.255.0
  ip nat inside
  no shut
! nat-candidates is assumed to be the ACL already referenced by the router's
! existing NAT rule; this line adds the guest subnet to what gets translated
ip access-list extended nat-candidates
  permit ip 192.168.2.0 0.0.0.255 any

We've just put the two switchports on separate VLANs. The PCs on the guest VLAN can access the Internet, which is good, but they can also reach any device on the private VLAN, which is bad: by default the router simply routes between the two SVIs.

We can fix that with an ACL on the guest VLAN's SVI. The following ACL denies all IP traffic from the guest VLAN to the private subnet and permits everything else, and is applied inbound on Vlan2 (i.e. to traffic arriving from the guest PCs):

ip access-list extended out-from-vlan2
  deny ip any 192.168.1.0 0.0.0.255
  permit ip any any
int vlan2
  ip access-group out-from-vlan2 in

Now if you want to allow access from the guest VLAN to a single IP address on your private VLAN (for example 192.168.1.10), add another line to the ACL with a sequence number that places it above the deny. IOS numbers the existing entries 10 and 20, so sequence 5 lands first; an entry added without a sequence number would go to the end, after the deny, and never be reached:

ip access-list extended out-from-vlan2
  5 permit ip any host 192.168.1.10
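To make the ordering point concrete, here is an added illustration (not from this wiki page and not Cisco software): a small first-match evaluator for the `permit|deny ip <src> <dst>` form of extended ACL used above, with `any`, `host A.B.C.D` and `A.B.C.D W.W.W.W` (address plus wildcard mask) operands, IOS-style automatic sequence numbers (10, 20, 30 ...) and the implicit `deny ip any any` at the end of every ACL. The guest ACL text and the test flows are constructed from the example addresses on this page; the function names are this example's own.

```python
"""First-match evaluator for the 'permit|deny ip <src> <dst>' ACL form.

Added illustration only; models just enough of IOS extended-ACL semantics
(wildcard masks, sequence ordering, implicit deny) to check the guest policy.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    src: tuple           # (address as int, wildcard mask as int)
    dst: tuple


def _parse_operand(tokens):
    """Consume one src/dst operand; return ((addr, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def _matches(operand, ip):
    """Wildcard-mask compare: a 1 bit in the mask means 'don't care'."""
    addr, wild = operand
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block into ACEs.

    Entries without an explicit sequence number get highest-so-far + 10,
    as IOS does, so an appended entry always sorts after the existing ones.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list") or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0].isdigit():
            seq, tokens = int(tokens[0]), tokens[1:]
        else:
            seq = (max(a.seq for a in aces) + 10) if aces else 10
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError("only 'permit|deny ip' entries are modelled: " + line)
        src, rest = _parse_operand(tokens[2:])
        dst, rest = _parse_operand(rest)
        aces.append(Ace(seq, tokens[0], src, dst))
    aces.sort(key=lambda a: a.seq)
    return aces


def evaluate(aces, src_ip, dst_ip):
    """Return (action, seq) of the first matching ACE; implicit deny if none."""
    for ace in aces:
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ace.action, ace.seq
    return "deny", None   # the implicit 'deny ip any any' at the end of every ACL


# The guest-VLAN ACL from this page (constructed copy of the config text).
GUEST_ACL = """
ip access-list extended out-from-vlan2
  deny ip any 192.168.1.0 0.0.0.255
  permit ip any any
"""

# Constructed test flows, all sourced from a guest PC on VLAN 2.
FLOWS = [
    ("192.168.2.10", "8.8.8.8"),        # Internet: should be permitted
    ("192.168.2.10", "192.168.1.20"),   # private LAN host: should be denied
    ("192.168.2.10", "192.168.1.10"),   # the one host we may open up
]


def guest_policy(extra_line=""):
    """Evaluate FLOWS against GUEST_ACL with an optional appended ACL line."""
    aces = parse_acl(GUEST_ACL + extra_line)
    return {f"{s}->{d}": evaluate(aces, s, d) for s, d in FLOWS}


if __name__ == "__main__":
    for label, line in [("base", ""),
                        ("seq 5 exception", "  5 permit ip any host 192.168.1.10\n"),
                        ("exception appended without seq", "  permit ip any host 192.168.1.10\n")]:
        print(label, guest_policy(line))
```

Running the block shows the three outcomes side by side: the base ACL denies both private hosts, the `5 permit` exception opens only 192.168.1.10, and the same exception appended without a sequence number becomes entry 30, sits behind the deny at 10 and changes nothing.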

VLANs for Phones and Data on the Same Switchport

Source: Sample configuration for Voice and Data deployment on a Switch | LAN, Switching and Routing | Cisco Support Community

Creating VLANs

Voice VLAN

Switch#conf t
Switch(config)#vlan <VLAN ID>
Switch(config-vlan)#name Voice - description of the VLAN

Similarly for the Data VLAN

Creating VLAN interfaces (SVIs) and assigning IP addresses to them:

Switch#conf t
Switch(config)#interface vlan <VLAN ID>
Switch(config-if)#ip address <X.X.X.X> <X.X.X.X> - IP address Subnet Mask
(The IP address should be one of the usable addresses in the phone or data subnet)

Similarly for the Data VLAN

Interface configuration - Data/Voice

Switch#conf t
Switch(config)#interface GigabitEthernet <interface ID>
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan <VLAN ID> - Data VLAN (untagged, used by the PC)
Switch(config-if)#switchport voice vlan <VLAN ID> - Voice VLAN (tagged, advertised to the phone via CDP; on a trunk port "switchport access vlan" has no effect)

OR

Switch#conf t
Switch(config)#interface GigabitEthernet <interface ID>
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode access
Switch(config-if)#switchport voice vlan <Voice VLAN ID>
Switch(config-if)#switchport access vlan <VLAN ID>

* With newer IOS releases, a switchport connecting a phone with a PC piggybacked behind it no longer has to be configured as a trunk; the second (access-mode) configuration above is the preferred form.
vlans_in_cisco_routers.txt · Last modified: 2018/04/09 09:56 (external edit)