Cisco Lab Assembly (don't get too excited)

Blitzrommel

2[H]4U
Joined
Sep 26, 2001
Messages
2,659
So I've mentioned I'm playing around with some older Cisco hardware; putting it together now.



(Thanks Cisco Network Assistant!)

This is a mini lab connected to my network. My goal here was to segment those two switches to their own networks, most likely done with VLANs. My test PCs would be on the #1 switch, and the phones would be on the #2 switch. The two switches connect to my 1760 router via a WIC-4ESW card. I cannot give any of the interfaces an IP since it's only layer 2 connectivity (or so my router says when I tried), but you can kind of see what I was trying to accomplish. The 1760's vlan1 is set to 172.16.1.254/24 at the moment (and obviously, fa0/0 which is connected to my 2Wire directly, is 172.16.0.1). I just want the 1760 to route traffic between the "three" networks I had wanted to set up.

My "live" network is basically a 2Wire 3801HGV (ugh) on AT&T U-Verse. My grand plan is to use the 1760's CallManager Express to set up a little VoIP system throughout the house. I would use the 1760's DHCP server to make phone configuration easier, and I need to prevent the 1760 from listening to DHCP requests from devices connected to my 2Wire. I'd imagine this would require ACL usage.

Does any of this make sense as I explained it? :) Are there better ideas of implementing this? I'm all ears. This is a lab and purely for self-education (though having a working phone system would be neat. I have a SIP trunk I'd love to take advantage of).
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,161
You can create multiple VLANs on the router, no? Then just assign the specific ports to the VLAN.
 

bman212121

[H]ard|Gawd
Joined
Aug 18, 2011
Messages
1,715
If you don't want leases from your 2WIRE connection to show up for your IP phones, you should move them onto another VLAN (172.16.2.x). Then you can set up your 1760 to have a DHCP server on 172.16.2.1 and be the gateway for the subnet. It would end up being really messy to try to filter DHCP from 2 ports for the same network so that DHCP from 2WIRE on fa0/0 doesn't make it to port fa0/3, but also have the 1760 DHCP server set up on fa0/3 and not have that go out port fa0/0 (which it would want to if they are on the same network).
 

Blitzrommel

2[H]4U
Joined
Sep 26, 2001
Messages
2,659
You can create multiple VLANs on the router, no? Then just assign the specific ports to the VLAN.

You seem to get what I was trying to accomplish. Yeah, sounds like that's what I'll do. This'd be my very first step.

If you don't want leases from your 2WIRE connection to show up for your IP phones, you should move them onto another VLAN (172.16.2.x). Then you can set up your 1760 to have a DHCP server on 172.16.2.1 and be the gateway for the subnet. It would end up being really messy to try to filter DHCP from 2 ports for the same network so that DHCP from 2WIRE on fa0/0 doesn't make it to port fa0/3, but also have the 1760 DHCP server set up on fa0/3 and not have that go out port fa0/0 (which it would want to if they are on the same network).

Right, I want the 2wire's DHCP to only serve hosts directly connected to it, nothing beyond the 1760. But in order for that to happen, I'd have to set up DHCP relay anyway, right? I'd imagine my bigger concern should be how to keep hosts on the 2Wire from getting IPs from the 1760. Again, VLAN, right? :)

This made me think, perhaps I need to rethink my IP scheme. But I was thinking devices on the 2Wire network would be 172.16.0.0/24, and the lab's "internal" network would be 172.16.1.0/24. (By the way, that phone is currently connected to my 1760 directly; I intend to move it to switch 2950-2). I was then thinking devices on 2950-1 would be on the network 172.16.2.0/24 and devices on 2950-2 would be on network 172.16.3.0/24. Or something -- it's late, I should be getting to bed. lol

My gut's saying just leave the IP scheme as-is and just let VLANs do their job.
 

bmh.01

Gawd
Joined
Mar 28, 2002
Messages
610
Right, I want the 2wire's DHCP to only serve hosts directly connected to it, nothing beyond the 1760. But in order for that to happen, I'd have to set up DHCP relay anyway, right? I'd imagine my bigger concern should be how to keep hosts on the 2Wire from getting IPs from the 1760. Again, VLAN, right? :)

No, you'd set up DHCP relay to achieve exactly the opposite of what you want. DHCP sends a subnet broadcast REQUEST for the necessary information; being a subnet broadcast, it will only be answered by a device on the same subnet as the device requesting an address. DHCP relay is used to pass that request on with some extra information so the DHCP server (on another subnet) knows which pool to allocate an IP from, then return the OFFER to the original client.

You need to set up a DHCP server on the 1760 but only on the downstream ports Fa0/1 and Fa0/2 with their specific subnets and lease ranges. Assuming you've connected Fa0/0 to the 2wire network, you leave this out and the 1760 will ignore any requests it sees on that port.

You'll have to add some static routes to the 2wire as well to be able to get to the two other subnets on the 1760 from the 2wire network if you don't want to have to add them to every device that needs access. That is, if you want to be able to do that.
 

Blitzrommel

2[H]4U
Joined
Sep 26, 2001
Messages
2,659
That's what I mean. I'd have to set up DHCP relay if I actually wanted requests to go beyond the 1760.

And yeah, no, you can't set static routes on the 2Wire. AT&T's RGs are very gimped devices and if it weren't for the outstanding reliability of our U-Verse service, I'd have some other provider.
 

bmh.01

Gawd
Joined
Mar 28, 2002
Messages
610
Now that I've read it again I can see how you meant it. Sounds like you're on the right track then.

That sucks with the lack of static routes. I'm in the UK; my only experience with 2wire products is where I've used them on BT's business ADSL lines and they were still pretty well featured even if the quality was a little suspect. Shame, but I guess you'll have to manually add them on the devices that need access.
 

Blitzrommel

2[H]4U
Joined
Sep 26, 2001
Messages
2,659
That means I'd have to add static route entries on the 1760 only then, right? After all, that'd be the default gateway for everything behind it. The problem is how would packets know how to get back behind the 1760 if I can't set a static route on the 2wire? (I know sending out wouldn't be a problem).
 

bmh.01

Gawd
Joined
Mar 28, 2002
Messages
610
No, you wouldn't need to do anything on the 1760 as it has an interface on the 172.16.0 subnet so it knows how to get there. The problem, as you say, is that the 2wire won't know how to get to 172.16.1 and 172.16.2; that's where you'd specify static routes of 172.16.1.0/24 and 172.16.2.0/24 pointing to the IP address of the 1760 on the 172.16.0 subnet.
 

Blitzrommel

2[H]4U
Joined
Sep 26, 2001
Messages
2,659
Ah, yeah, right.

Well, I set Fa0/0 to DHCP now, so that my 2Wire can give it a public IP (Part of the "DMZ Plus" mode now). It can now get out to the internet, and nothing on the 2Wire network has been affected. Game on!

Now I best lock the thing down.
 

Blitzrommel

2[H]4U
Joined
Sep 26, 2001
Messages
2,659
I'm resurrecting this topic because I seem to be missing something very simple routing-related.



Things to note:

- 2Wire set to place Cisco 1760 in DMZ+, forwarding all traffic by default to it and therefore giving it its external IP (I assume via 1-to-1 NAT?)
- 2Wire and Cisco 1760 both have active DHCP servers.
- There is a 4-port Fast Ethernet card in the Cisco 1760, which both 2950 switches are directly connected to.
- 2Wire and any client connected directly to it (via Ethernet or WiFi) can ping the Cisco 1760's Fa0/0 interface, but not its Vlan1 interface.
- Cisco 1760 can ping anything on the network, as well as on the Internet.
- Nothing on the 2950's or anything connected to them can ping beyond the Vlan1 interface of the Cisco 1760.

This seems to be a simple matter of routing; everything's getting hung up at the 1760. I want WiFi clients connected to the 2Wire to be able to reach devices on the Cisco network, and vice versa. I'll worry about ACLs and the such later. What questions should I be asking myself to resolve this problem? I didn't think I needed to create a static route since everything's directly connected to the 1760.
 

serpretetsky

[H]ard|Gawd
Joined
Dec 24, 2008
Messages
1,792
Trace the data every step of the way.

1) You have a device connected to your 2wire initiate a ping to your vlan1
2) Your device recognizes that the IP address it is attempting to ping is on a different network
3) Your device sends the packet to its default gateway (your 2wire).
4) Your 2wire receives the packet destined to vlan1; it has no routing rules to send the packet to vlan1 (since you said you can't set up static routing)
5) Your 2wire either drops the packet (because it also happens to be a private IP address range, which might not be routed) or it routes the packet out its default route (to your ISP, who will probably drop the packet immediately when they see it's a private IP)

Without doing some sort of routing on the 2wire (besides just default route and directly connected devices) this is gonna be pretty tough.

edit: I'm not sure why your vlan 1 devices can't ping your vlan 0 interfaces though; I'd have to see the config of that router and verify that the end-devices have a proper IP address and a correct gateway set up.
 

bmh.01

Gawd
Joined
Mar 28, 2002
Messages
610
Why are you putting the 1760 in the DMZ? Does it need an external address?

1760 should be on the 172.16.0.0/24 subnet with whatever IP you choose; seeing as the 2wire is 254, I'd probably go for 253 for the 1760.
 

bmh.01

Gawd
Joined
Mar 28, 2002
Messages
610
- 2Wire set to place Cisco 1760 in DMZ+, forwarding all traffic by default to it and therefore giving it its external IP (I assume via 1-to-1 NAT?)
- 2Wire and Cisco 1760 both have active DHCP servers.
- There is a 4-port Fast Ethernet card in the Cisco 1760, which both 2950 switches are directly connected to.
All fine, although I'm not sure why you've put the cisco in the DMZ+.

- 2Wire and any client connected directly to it (via Ethernet or WiFi) can ping the Cisco 1760's Fa0/0 interface, but not its Vlan1 interface.

Correct, the 2wire knows how to get to its own DMZ address but not how to get to 172.16.1.0/24. This is where the static routes would come in on the 2wire or RIP or similar in other cases.

- Cisco 1760 can ping anything on the network, as well as on the Internet.

The cisco gets a default gateway of the 2wire which knows how to get to 172.16.0.0/24, also the 2wire knows where its own DMZ address is so can return the packets. Likewise the 2wire knows how to get to the net.

- Nothing on the 2950's or anything connected to them can ping beyond the Vlan1 interface of the Cisco 1760.

Do they have a default gateway of 172.16.1.254 set? That, or the cisco isn't allowing packets to exit the 172.16.1.0/24 subnet.
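As an added example (not code from the thread or from any poster), here is a small Python trace of the hop-by-hop forwarding decisions serpretetsky walks through and of the static-route fix bmh.01 describes. The addressing is constructed: the 2Wire is assumed at 172.16.0.254, the 1760's Fa0/0 at 172.16.0.253 (bmh.01's suggestion), its Vlan1 at 172.16.1.254 as in the thread, and a phone VLAN at 172.16.2.254.

```python
import ipaddress

# Constructed lab addressing (assumed, not taken from anyone's config):
# 2Wire LAN 172.16.0.254; 1760 Fa0/0 172.16.0.253, Vlan1 172.16.1.254,
# phone VLAN 172.16.2.254. next_hop None = directly connected network.
ROUTERS = {
    "2wire": {"addrs": {"172.16.0.254"},
              "routes": [("172.16.0.0/24", None), ("0.0.0.0/0", "ISP")]},
    "1760": {"addrs": {"172.16.0.253", "172.16.1.254", "172.16.2.254"},
             "routes": [("172.16.0.0/24", None), ("172.16.1.0/24", None),
                        ("172.16.2.0/24", None), ("0.0.0.0/0", "172.16.0.254")]},
}

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) entries; None if no route."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def owner(ip, routers):
    """Router holding interface address ip, or None if outside the lab (ISP)."""
    for name, r in routers.items():
        if ip in r["addrs"]:
            return name
    return None

def trace(routers, start, dst, max_hops=8):
    """Follow one packet router by router; returns (path, outcome)."""
    path, cur = [], start
    for _ in range(max_hops):
        path.append(cur)
        match = lookup(routers[cur]["routes"], dst)
        if match is None:
            return path, "dropped: no route"
        net, nh = match
        if nh is None:
            return path, "delivered: %s directly connected" % net
        nxt = owner(nh, routers)
        if nxt is None:
            return path, "leaves lab via %s to %s" % (net, nh)
        cur = nxt
    return path, "dropped: hop limit"

def with_static_routes(routers):
    """bmh.01's fix: 2Wire routes the 1760 subnets via the 1760's 172.16.0.x address."""
    fixed = {k: {"addrs": v["addrs"], "routes": list(v["routes"])}
             for k, v in routers.items()}
    fixed["2wire"]["routes"] += [("172.16.1.0/24", "172.16.0.253"),
                                 ("172.16.2.0/24", "172.16.0.253")]
    return fixed
```

Without the static routes a ping from a 2Wire client to Vlan1 matches only the 2Wire's default route and leaves toward the ISP, while the 1760 reaches 172.16.0.0/24 as a connected network and needs no extra route, which is exactly the asymmetry the thread describes.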
 