Question : Problem: Creation of two VLANs on Cisco 1711

Hey all,

I have a slight issue with the creation of two VLANs on a Cisco 1711.  A brief history is that I am trying to utilize one
Cisco 1711 (with 4 port switch) to create two VLANs that support two LAN networks with the same host names on
each network.  I know, confusing, but I have been tasked with this so now I need to make it happen.  

I have created two VLANs (Vlan1 & Vlan2) with different subnets, but the problem is that when connected, I am not able to
utilize both.  Here is the config, and I will comment at the end to see if any of y'all have some ideas.

Current configuration : 3593 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HA-RTR-ROHI
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 XXXXX
!
username XXXX privilege 15 password 0 XXX
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip ids po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key stuff address XX.XX.XX.XX
crypto isakmp key stuff address XX.XX.XX.XX
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set myset
 match address 101
crypto map mymap 20 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set myset
 match address 102
!
!
!
interface FastEthernet0
 ip address XX.XX.XX.XX 255.255.255.240
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface Vlan2
 description 2nd Hawth vlan
 ip address 172.16.30.30 255.255.255.240
!
interface Vlan1
 description This is a test for HAWTH
 ip address 172.16.30.14 255.255.255.240
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
no ip http server
no ip http secure-server
!
!
!
access-list 98 permit XX.XX.XX.XX
access-list 98 permit XX.XX.XX.XX
access-list 98 permit XX.XX.XX.XX
access-list 98 permit 192.168.11.0 0.0.0.255
access-list 98 permit 172.16.30.0 0.0.0.255
access-list 101 permit ip 172.16.30.0 0.0.0.15 192.168.11.0 0.0.0.255
access-list 101 permit ip 172.16.30.16 0.0.0.7 192.168.11.0 0.0.0.255
access-list 102 permit ip 172.16.30.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 102 permit ip 172.16.30.16 0.0.0.7 192.168.10.0 0.0.0.255
!
!
control-plane
!
banner motd ^C
!
line con 0
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 30 0
 password stuff
 login local
line vty 5 15
 password stuff
 login
!
end

OK, so here is my goal.  I want to be able to have two networks like I said above, but have them on different subnets.  For simplicity purposes, I have four PCs on the 172.16.30.0/28 (.1, .2, .3, .4) & four PCs on 172.16.30.16/28 (.17, .18, .19, .20) networks.  I want to be able to use one Cisco 1711, & one 8 port unmanaged switch to support this network.  

 I have followed this article http://www.cisco.com/en/US/products/hw/routers/ps221/prod_configuration_basics09186a00801a055a.html
by creating the VLANs and then IP'ing them.  But, without me configuring one of the switchports on the back of the router as
either switchport access vlan 2 or switchport mode trunk/switchport trunk allowed vlan all, the LANs are not able to talk to the Cisco.  The way I have it configured above, I can be on one of the PCs on the 172.16.30.16/28 network and get to the Cisco, but from the other subnet of PCs, I get nothing.  No ICMP, no telnet, nothing.  Can anyone help me out, or at least point me in the right direction?  Also, if I utilize switchport trunk native vlan (some #), 1 or 2 in my case, I can switch which network has the ability to access the Cisco, but I want both to have access, but not access to one another.  


Thanks in advance,




Answer : Problem: Creation of two VLANs on Cisco 1711

>I want both to have access, but not access to one another.  
>one 8 port unmanaged switch to support this network
You have two self-cancelling priorities. You can't get where you want to go with what you have.

You can uplink 2 ports from the router to the switch:

         Router
       1  2         3  4
        |  |         |  |
    Switch         VLAN1 users
   |  |  |  |  |  |
VLAN2  Users + VLAN1 users

You have some inherent issues with plugging both router interfaces into the same unmanaged switch.
You also have no separation at Layer 2, and broadcasts will cross VLANs no matter what you do.

What I suggest is to get yourself another 5/8 port switch
              Router
       1        2         3  4
        |                      |
    Switch1             Switch2
   |  |  |  |               | | | |
VLAN2  Users       VLAN1 users

Now that you have total Layer 1 and 2 separation between the VLANs, you will also need to create access-lists on the VLAN interfaces to prevent traffic from one subnet to the other at Layer 3

! 103 goes inbound on Vlan2: block 172.16.30.16/28 -> 172.16.30.0/28, allow everything else
access-list 103 deny ip 172.16.30.16 0.0.0.15 172.16.30.0 0.0.0.15
access-list 103 permit ip 172.16.30.16 0.0.0.15 any
! 104 goes inbound on Vlan1: block 172.16.30.0/28 -> 172.16.30.16/28, allow everything else
access-list 104 deny ip 172.16.30.0 0.0.0.15 172.16.30.16 0.0.0.15
access-list 104 permit ip 172.16.30.0 0.0.0.15 any

interface Vlan1
 ip access-group 104 in
interface Vlan2
 ip access-group 103 in
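To check that the two access-lists really do what is claimed before pushing them to the router, here is an added example that is not part of the original thread and not a Cisco tool: a small Python evaluator for Cisco-style extended ACLs. It embeds the access-lists as constructed text, written the way IOS stores them (IOS clears the host bits covered by the wildcard, so an entry typed as 172.16.30.30 0.0.0.15 is stored as 172.16.30.16 0.0.0.15), walks the entries first-match-wins with the implicit deny at the end, and checks the question's hosts (.1 to .4 and .17 to .20) against each other and against two assumed hosts behind the VPN peers (192.168.11.10 and 192.168.10.10 are made up for the test). Only address operands are modelled; port, flag and log keywords are ignored.

```python
"""Cisco-style numbered extended ACL evaluator.

Added example, not from the original thread or from Cisco. It parses the two
access-lists the answer proposes (constructed text below, addresses written as
IOS stores them), evaluates packets first-match-wins with the implicit deny,
and verifies the two VLAN subnets from the question are isolated from each
other while both still reach the VPN remote subnets. Extended ACLs only;
ports, TCP flags and logging keywords are not modelled.
"""
import ipaddress

# Constructed ACL text modelled on the answer's access-list 103 / 104.
ACL_CONFIG = """\
access-list 103 deny ip 172.16.30.16 0.0.0.15 172.16.30.0 0.0.0.15
access-list 103 permit ip 172.16.30.16 0.0.0.15 any
access-list 104 deny ip 172.16.30.0 0.0.0.15 172.16.30.16 0.0.0.15
access-list 104 permit ip 172.16.30.0 0.0.0.15 any
"""

# Hosts from the question (.1-.4 on VLAN1, .17-.20 on VLAN2) and two assumed
# hosts behind the VPN peers (192.168.11.0/24 and 192.168.10.0/24 in ACL 101/102).
VLAN1_HOSTS = ["172.16.30.1", "172.16.30.2", "172.16.30.3", "172.16.30.4"]
VLAN2_HOSTS = ["172.16.30.17", "172.16.30.18", "172.16.30.19", "172.16.30.20"]
REMOTE_HOSTS = ["192.168.11.10", "192.168.10.10"]

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def normalize_operand(addr, wildcard):
    """Return the operand as IOS stores it: every bit the wildcard marks as
    'don't care' (1) is cleared, so 172.16.30.30 0.0.0.15 -> 172.16.30.16 0.0.0.15."""
    care = ALL_ONES ^ _ip(wildcard)
    return str(ipaddress.IPv4Address(_ip(addr) & care)), wildcard


def _parse_operand(tokens):
    """Consume one address operand: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (masked_address, care_mask, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), ALL_ONES, tokens[2:]
    care = ALL_ONES ^ _ip(tokens[1])
    return _ip(tokens[0]) & care, care, tokens[2:]


def parse_acls(text):
    """Parse 'access-list N permit|deny PROTO SRC DST ...' lines into
    {N: [(action, proto, src, src_care, dst, dst_care), ...]} in entry order."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, src_care, rest = _parse_operand(tokens[4:])
        dst, dst_care, _rest = _parse_operand(rest)
        acls.setdefault(number, []).append((action, proto, src, src_care, dst, dst_care))
    return acls


def evaluate(acl, src_ip, dst_ip, proto="ip"):
    """First matching entry wins; a packet matching nothing hits the implicit
    'deny any' that ends every Cisco ACL."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, p, src, src_care, dst, dst_care in acl:
        if p not in ("ip", proto):
            continue
        if (s & src_care) == src and (d & dst_care) == dst:
            return action
    return "deny"


def isolation_holds(acls):
    """True when 103 (inbound on Vlan2) and 104 (inbound on Vlan1) block every
    host pair across the two VLANs yet let each host reach REMOTE_HOSTS."""
    vlan1_in, vlan2_in = acls["104"], acls["103"]
    for h1 in VLAN1_HOSTS:
        for h2 in VLAN2_HOSTS:
            if "permit" in (evaluate(vlan1_in, h1, h2), evaluate(vlan2_in, h2, h1)):
                return False
    checks = [(h, vlan1_in) for h in VLAN1_HOSTS] + [(h, vlan2_in) for h in VLAN2_HOSTS]
    for host, acl in checks:
        if any(evaluate(acl, host, r) != "permit" for r in REMOTE_HOSTS):
            return False
    return True


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    print("stored as      :", normalize_operand("172.16.30.30", "0.0.0.15"))
    print("VLAN1 -> VLAN2 :", evaluate(acls["104"], "172.16.30.1", "172.16.30.17"))
    print("VLAN1 -> VPN   :", evaluate(acls["104"], "172.16.30.1", "192.168.11.10"))
    print("isolation holds:", isolation_holds(acls))
```

Two side effects of this shape of list are worth noticing. Because each list permits only its own subnet as source, a packet arriving on Vlan2 with a VLAN1 source address falls through to the implicit deny, which doubles as an anti-spoofing check. And a VLAN1 host can still reach the router's own Vlan1 address (172.16.30.14) but not its Vlan2 address (172.16.30.30), since that address sits inside the denied 172.16.30.16/28 range.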

