Cisco 1751 Router as DHCP 4 multiple VLAN's

Status
Not open for further replies.

m0roh

Technical User
Feb 3, 2008
2
GB
I have a small issue with a 1751 router and 3500XL switch. What I want to do is use the VLANs feature in the switch to separate every single port on the switch; I then want to use VLAN trunking to the port that is connected to the router into every VLAN on the switch.

My aim is for every port to access the router for internet but not access every other port on the switch, for security to the user (hotel guests).

I think I have set up the encapsulation settings and everything right, but I cannot seem to pick up an IP address from the router. I want to use one scope on the router (not many).

Can anyone shed any light on what I may be doing wrong?

Thanks a lot.
 
You can't have multiple VLANs and sure the same subnet. You should use protected ports instead of different VLANs.



config t

int f0/1
port protected
 
"I want to use one scope on the router (not many)"
VLANs ARE all different scopes, which is what Brian is saying (not to step on you, Brian...).

Burt
 
Thanks Burt ... it would have been clearer if I would have typed use instead of sure ... hum it had some of right letters in there .... hahaha
 
Yeah, I understand that. I thought that was just if you wanted to route between the VLANs; as I don't want to, all I wanted to do was separate them so all they have is internet access.

But anyway, I will give what you suggested a try. Thanks very much, guys.
 
But then again, all connected in the same switch, they will have access to each other...they don't have to go through the router, in other words.

Burt
 
He has a 3500XL and this doesn't support protected ports.... He could in theory create 24 VLANs and trunk them to the 1751, then create 24 sub-interfaces with /30 addresses and then 24 DHCP scopes for each of the sub-interfaces. He could also apply ACLs to the sub-interfaces to block any connectivity between them and only allow traffic to the internet.

Personally I would replace the switch with a 3550 or 3560 and use protected ports, much simpler.

Andy
 
I did have a quick look at the documentation and couldn't see private VLANs - you could be right though. Still the 3500XL has been EOL for so long it is probably worth an upgrade anyway ;o)

Andy
 
Here is a setup I used for a client

Router Setup:
(One per port/vlan)
ip dhcp excluded-address 10.0.101.1 10.0.101.10
ip dhcp excluded-address 10.0.102.1 10.0.102.10

(One per port/vlan)
ip dhcp pool vlan101
network 10.0.101.0 255.255.255.0
default-router 10.0.101.1
!
ip dhcp pool vlan102
network 10.0.102.0 255.255.255.0
default-router 10.0.102.1

interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
(One subinterface per port/vlan)
interface FastEthernet0/1.101
encapsulation dot1Q 101
ip address 10.0.101.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.102
encapsulation dot1Q 102
ip address 10.0.102.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!

(One ACL per port/vlan)
access-list 101 permit ip 10.0.101.0 0.0.0.255 10.0.101.0 0.0.0.255
access-list 101 deny ip 10.0.101.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 102 permit ip 10.0.102.0 0.0.0.255 10.0.102.0 0.0.0.255
access-list 102 deny ip 10.0.102.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip any any

access-list 199 permit ip 10.0.0.0 0.0.255.255 any
ip nat inside source list 199 interface FastEthernet0/0 overload

Switch:
(Configure each interface with different VLAN)
interface FastEthernet0/1
switchport access vlan 101
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 102
switchport mode access
spanning-tree portfast

(Trunk a port to the router.)
interface GigabitEthernet0/1
switchport trunk allowed vlan 1,101-124
switchport mode trunk


That should do it for you without having to buy new equipment.


Brent
Systems Engineer / Consultant
CCNP, CCSP
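
The per-port template from the post above, expanded for all 24 guest VLANs and checked with a first-match evaluation of the generated ACLs. This is an added example, not part of any post in the thread. The function names are hypothetical, the 10.0.n.0/24 addressing and ACL-number-equals-VLAN scheme are taken from the post, the evaluator only understands the `ip` ACL forms used there, and the addresses in the checks are constructed.

```python
import ipaddress

def guest_vlan_config(vlan):
    """Router lines for one guest VLAN, thread pattern: VLAN n -> 10.0.n.0/24, ACL n."""
    net = f"10.0.{vlan}"
    return [
        f"ip dhcp excluded-address {net}.1 {net}.10",
        f"ip dhcp pool vlan{vlan}",
        f" network {net}.0 255.255.255.0",
        f" default-router {net}.1",
        f"interface FastEthernet0/1.{vlan}",
        f" encapsulation dot1Q {vlan}",
        f" ip address {net}.1 255.255.255.0",
        f" ip access-group {vlan} in",
        " ip nat inside",
        f"access-list {vlan} permit ip {net}.0 0.0.0.255 {net}.0 0.0.0.255",
        f"access-list {vlan} deny ip {net}.0 0.0.0.255 10.0.0.0 0.255.255.255",
        f"access-list {vlan} permit ip any any",
    ]

def build(vlans=range(101, 125)):
    """Expand the template for every guest port (VLANs 101-124 on the trunk)."""
    return [line for v in vlans for line in guest_vlan_config(v)]

def matches(spec, addr):
    """spec is ['any'] or [base, wildcard]; wildcard bits set to 1 are ignored."""
    if spec == ["any"]:
        return True
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_verdict(config, acl, src, dst):
    """First-match walk of 'access-list <acl> ...' lines; a defined ACL ends in an implicit deny."""
    for line in config:
        tok = line.split()
        if tok[:2] != ["access-list", str(acl)]:
            continue
        action, rest = tok[2], tok[4:]  # tok[3] is the protocol, always "ip" here
        n = 1 if rest[0] == "any" else 2  # source takes one token ("any") or two
        if matches(rest[:n], src) and matches(rest[n:], dst):
            return action
    return "deny"

if __name__ == "__main__":
    cfg = build()
    print("\n".join(guest_vlan_config(101)))
    print(acl_verdict(cfg, 101, "10.0.101.20", "10.0.102.20"))  # guest to guest
```

The DHCP broadcast case (source 0.0.0.0, destination 255.255.255.255) is worth running through `acl_verdict` as well, since the inbound ACL on each subinterface also sees the client's address request.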
 