lab help: segregated network inside a campus network: halp?

network project at school: using active directory, set up 3 sites (on diff subnets, obviously) with blah blah services

to use:
one classroom that's in use by other classes. the room has 18 machines with VMware and I'm to use the machines as hosts for my AD servers and workstations.
access to the cisco lab equipment we have racked up: some old routers and switches
also in the classroom: catalyst 2950 that all of the machines are connected to for accessing the campus network

i work with the network admin, he said he could just create me 3 vlans and write a script or let me change the switch config when I'm in the room. the instructor is "not comfortable" with this, and also wants to be sure that I can use a router.

so the admin lends me an 1841 router and suggests the following:
on the room's 2950:

  • set fa0/21 on the 2950 as a trunk port
  • use fa0/9 on the 2950 as an access port on that room's VLAN (each room in this building has its own VLAN)

on the 1841:

  • fa 0/0 with 4 subinterfaces
    • 3 for my VLANs
      • (used only by me. I'm given 172.20.0.0/16 to use as I like, and nothing else on campus ANYWHERE has an address in that range)
    • 1 for a vlan to give me segregated internet access
      • (gateway 192.168.251.2 going out to a DSL line separate from the rest of the campus internet connection, and nothing else is in that address range)
  • fa0/1 with an ip local to that room's VLAN (192.168.125.2 /24)

  • VMs on hosts can ping one another, as they're all on the same vlan. makes sense.
  • physical hosts in that room can ping 2 of the 4 subinterfaces on 1841: fa0/0
  • VMs cannot ping the 1841 at all
  • the 1841 cannot ping the VMs at all

conclusion:

this doesn't work. he was gone by the time I set it up. I'm not sure how it *could* work, to be honest. is he completely amiss on this one or have I set up/understood something wrong?
 
make sure you've got your native vlan on the trunk on both ends correct. It should work just fine. You're doing "router on a stick". It will work just fine. Make sure ip routing is enabled on the 1800.

Almost sounds like a native vlan or trunking problem, possibly on the VM setup itself as well. Force the trunk on the switch "switchport mode trunk" to ON.

I think the command for the sub-interfaces is "encapsulation dot1q <vlan#>" to tag with the proper vlan.
 
Spidey is right, if you need command references feel free to ask. I started to type out everything for you but stopped myself.

How about posting your config for those ports?
 

yeah I have the subinterfaces on the vlan done, with a dot1q 1 native on one and then the appropriate vlans on the other.

I'll grab the config when I head back out to school tomorrow, I was there so late fiddling around that a night class bumped me out and I had to go :-/

I see it can make sense as a router on a stick...I was just used to thinking of that as the router having one interface on the switch etc
 
ok back from my break, here's the relevant bits of config on the switch in the room

classroom 2950

interface FastEthernet0/9
description connected to net289 lab router 192.168.125.2
switchport access vlan 125

ALL OTHER FastEthernet
switchport access vlan 125

interface FastEthernet0/21
description trunk for net289 lab router
switchport mode trunk

The 1841 Config (interfaces and routes)

ip name-server 192.168.14.100
!
!
!
!
interface FastEthernet0/0
description Net289 lab router
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
no snmp trap link-status
!
interface FastEthernet0/0.5
encapsulation dot1Q 310
ip address 172.20.5.1 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.10
encapsulation dot1Q 311
ip address 172.20.10.1 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.28
encapsulation dot1Q 312
ip address 172.20.28.1 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.251
encapsulation dot1Q 251
ip address 192.168.251.9 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/1
ip address 192.168.125.2 255.255.255.0
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.251.2
ip route 192.168.110.0 255.255.255.0 FastEthernet0/1

here's the routing table:

Gateway of last resort is 192.168.251.2 to network 0.0.0.0
S 192.168.110.0/24 is directly connected, FastEthernet0/1
C 192.168.125.0/24 is directly connected, FastEthernet0/1
172.20.0.0/24 is subnetted, 3 subnets
C 172.20.28.0 is directly connected, FastEthernet0/0.28
C 172.20.10.0 is directly connected, FastEthernet0/0.10
C 172.20.5.0 is directly connected, FastEthernet0/0.5
C 192.168.251.0/24 is directly connected, FastEthernet0/0.251
S* 0.0.0.0/0 [1/0] via 192.168.251.2

again, the issue:

the admin's theory is that I should have ALL PHYSICAL HOSTS on VLAN 125 with a 192.168.125.0/24 address

all VIRTUAL GUESTS will be on the physical hosts, virtual guest ranges:
172.20.5.0 /24
172.20.10.0 /24
172.28.10.0 /24

I can ping:
from any physical host in the room:
172.20.5.1
192.168.125.2
192.168.251.9

I cannot ping:
from any host:
172.20.10.1
172.20.28.1

If I set up a physical host (haven't tried a vm, I'd assume it works but I can't get in the lab yet today) with a 172.20.10.0 /24 address on VLAN 311 I can ping 172.20.10.1

why can't I ping it when I can ping 172.20.5.1? Can I reconcile this issue and have my situation work with all hosts/VMs on VLAN 125 (the room's normal VLAN)?
 
also a topology map, in case things aren't clear from reading it. I still don't understand quite how this is supposed to work the way it's set up since I don't have any of the hosts/guests actually ON the VLANs that I was given to trunk to this router on a stick

topology.JPG
 
If the virtual machines are bridging the physical NICs on the host machines, it will need to be on the correct VLAN, and all the VMs will be limited to that single VLAN. You can configure the switchport that the VM is plugged into as a trunk and configure the VM NIC in trunk mode. This would allow any VLAN on the virtual machines, not just the single one that the switchport is setup for in access mode.

However, sounds like you want to keep the ports in access mode on VLAN 125, which won't work for your scenario.

If you can, try the following:
For each VLAN, setup a physical host's port into a specific VLAN and set your VMs to that IP range. Try pinging the rest of the network. Then, move the switchport over to another VLAN, change the IPs in the VMs accordingly, and try pinging again. It looks like you have multiple physical hosts, so do the following so you can test everything at the same time:

Host 1: Put switchport to access mode on VLAN 310, and assign the host and guest VMs an IP in the 172.20.5.1 /24 range.

Host 2: VLAN 311, host and guests in IP range of 172.20.10.1 /24 range.

Host 3: VLAN 312, host and guests in IP range of 172.20.28.1 /24 range.

See if everything pings correctly at that point. Also, check the interfaces on the router and make sure they are all up.
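The mismatch Jamsan describes (hosts sitting on access VLAN 125 while the router only has addressed subinterfaces for VLANs 310/311/312) can be checked mechanically. This is an added example, not code from the thread: a small audit that reads trimmed, constructed excerpts modelled on the 2950 and 1841 configs posted above, lists which access VLANs have no routed subinterface across the trunk, and flags physical router interfaces still in `shutdown` (the posted config shows both fa0/0 and fa0/1 that way). The `parse` and `audit` names are the example's own.

```python
import re

# Constructed excerpts in the shape of the 2950 and 1841 configs posted above,
# trimmed to the lines this check reads (assumed sample input, not the full configs).
SWITCH_CFG = """\
interface FastEthernet0/9
 switchport access vlan 125
interface FastEthernet0/21
 switchport mode trunk
"""
ROUTER_CFG = """\
interface FastEthernet0/0
 shutdown
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
interface FastEthernet0/0.5
 encapsulation dot1Q 310
 ip address 172.20.5.1 255.255.255.0
interface FastEthernet0/0.10
 encapsulation dot1Q 311
 ip address 172.20.10.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.125.2 255.255.255.0
 shutdown
"""

def parse(cfg):
    """Minimal IOS reader: interface name -> the settings this audit needs."""
    ifaces, cur = {}, {}  # lines before the first 'interface' land in a throwaway dict
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif m := re.match(r"encapsulation dot1[qQ] (\d+)( native)?$", line):
            cur["vlan"], cur["native"] = int(m[1]), bool(m[2])
        elif m := re.match(r"ip address (\S+) ", line):
            cur["ip"] = m[1]
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            cur["access"] = int(m[1])
        elif line == "shutdown":
            cur["shutdown"] = True
    return ifaces

def audit(switch_cfg, router_cfg):
    """Match switch access VLANs against addressed dot1q subinterfaces on the router;
    'routed' maps VLAN tag -> router address reachable across the trunk, 'shut' lists
    physical interfaces left in shutdown (their subinterfaces answer nothing either)."""
    sw, rt = parse(switch_cfg), parse(router_cfg)
    routed = {c["vlan"]: c["ip"] for c in rt.values() if "vlan" in c and "ip" in c}
    shut = sorted(n for n, c in rt.items() if "." not in n and c.get("shutdown"))
    access = {c["access"] for c in sw.values() if "access" in c}
    return {"routed": routed, "shut": shut,
            "unrouted_access_vlans": sorted(access - set(routed))}
```

Run against the sample it reports VLAN 125 as unrouted (no subinterface tags 125 on fa0/0, so the VMs' frames never reach a routed interface), while moving the access ports to 310/311/312, as Jamsan suggests, clears that finding.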
 
Jamsan: what you're suggesting would solve the issue, undoubtedly. The instructor did not want me to be changing the switchports' VLAN in order to do this lab, which is why the amazingly awkward (and, as far as I can tell, unworkable) configuration was suggested.

the admin and I just wanted to switch every port out to a different vlan and give them a gateway onto a segregated internet line and call it a day, it would have saved me a load of time and I would have work done instead of a headache.

anyone else with any ideas?
 
Did the teacher have a specific reason he didn't want the switch configuration changed (other than the fact he wasn't "comfortable" with it)? I'm not saying I'm the most intelligent person and there is plenty I don't know, but I don't quite see how this configuration will work.

In situations like this, and I've been in many myself - while not always the case, but I stick to the motto: "Those who can, do, those who can't, teach".
 
yeah, he's asinine when it comes to details on technical things but lacks real world experience....and that's pretty much just related to OS stuff and hardware. as far as I can tell, his networking knowledge is pretty slim past the very basics.

there's really not a *good* way to deal with the lab, as even if I get to change the VLAN assignments I'm going to have to trace all 20 runs in the room to each port, and probably resort them, as none are labeled (either on the cable, the machine, or even in the switchport description)
 