Cisco Conf help needed

Hey guys, I've been on here for awhile but my Cisco is a little rusty and I'm having some issues setting up my offices dirty broadband network. We've got business class broadband coming into a Cox owned Cisco DPC3010. Everything after that is repurposed cisco equipment I was handed and told to "make it work".

1 Cisco 2600 Router
2 Cisco 3560G 24 port Switches

I am a novice to begin with as Cisco command line isn't usually my bag, but I also don't normally handle open, non-internally managed networks (reaching out to the internet).

Can someone PLEASE help me out and give me a rundown of the basic configs needed to get DHCP up and running on the router and the uplinks to/from the switches.
Right now I've got the cable setup like so:

Modem - Router Ethernet1/0
Router FastEthernet0/0 - Switch1 GigabitEthernet0/1
Router FastEthernet0/1 - Switch2 GigabitEthernet0/2

I actually think it would be better/easier if I pulled the router out altogether and just ran DHCP from the Switches. But I don't know how to do that, how to link the two switches so they operate as one without a stackwise cable, how to make sure the ports handle a combination of Gig and 100base connections, etc.
Is anyone available to help me out?
 
Let's start at the beginning...

The LAN side of the Cox-owned Cisco. Is that your public IP address or is that already doing NAT/Firewall duties?
 
I wouldn't have the switches hanging off the router like that. I would have the second switch daisy chained off the first one. If it has gigabit ports, you could use 2 or more of them to create an etherchannel for more bandwidth between switches.
 
Let's start with the first question: do you have access to the console and configuration terminal?

If so please paste a show run and we can dig through your configuration and help you out.

Also, do you have access to the Cox router?
 
Modem - Router Ethernet1/0
Router FastEthernet0/0 - Switch1 GigabitEthernet0/1
Switch1 GigabitEthernet0/24 - Switch2 GigabitEthernet0/24


Assumption: modem or a real firewall is handling NAT/Firewall functions.


#### (connect switches with cross over cable or config mdix auto if supported)


#### pseudo 2600 Router config (made up networks)


ip dhcp pool 1
network 10.1.0.0 255.255.0.0
dns-server 4.2.2.2
default-router 10.1.0.1
!
ip dhcp excluded-address 10.1.0.1 10.1.0.255
!
!
!
!
interface FastEthernet0/0
ip address 10.1.0.1 255.255.0.0
duplex auto
speed auto
!
interface Ethernet1/0
ip address dhcp
full-duplex
!
 
The Cox equipment is the DEMARC from my perspective. The Cox modem is just that, a modem. No routing or managing duties whatsoever. They would have to assume management of the network if they put their own router in. The rest of the equipment was repurposed from other contracts/projects and basically given to me with old configs, passwords, etc. The first thing I did when I got the equipment was break in, wipe the passwords, and do a system default restore. Any and all configs currently on them were put on by me.
So yes, by the way, I do have console access.
I was originally going to run them daisy chained off of each other when I was going to throw 3 3560Gs up (I have spares), but then we realized that this office would never see more than 44 active drops, so I went with this setup for load balancing. The switchports are all Gig capable, but the router only has 2 FastE (100Mbit) ports and 4 Ethernet (10Mbit) ports. I just noticed the 10Mbit part. We are pulling down around 70Mbit/s off the modem, so I am obviously going to need the 100Mbit and preferably the Gigabit connections.
As far as firewall and NAT, nothing is setup right now, I'm going to see if I can beg/barter/steal a Cisco ASA 5505 or 5510 to handle that at some point.
Will post RTR configs, then SW configs momentarily:
 
en
DirtyRTR#sho run
Building configuration...

Current configuration : 1273 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DirtyRTR
!
boot-start-marker
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
!
!
ip dhcp pool mypool
network 1.1.2.0 255.255.255.224
domain-name DRTYNet.com
dns-server 8.8.8.8 8.8.4.4
default-router 70.182.2.65
lease 7
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description SW01
ip address 1.1.1.1 255.255.255.224
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet0/1
description SW02
ip address 1.1.2.1 255.255.255.224
speed auto
full-duplex
no clns route-cache
!
interface Ethernet1/0
description WAN
no ip address
full-duplex
no clns route-cache
!
interface Ethernet1/1
no ip address
shutdown
full-duplex
no clns route-cache
!
interface Ethernet1/2
no ip address
shutdown
full-duplex
no clns route-cache
!
interface Ethernet1/3
no ip address
shutdown
full-duplex
no clns route-cache
!
ip classless
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

DirtyRTR#
 
DRTY-SW01>en
DRTY-SW01#sho run
Building configuration...

Current configuration : 1515 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DRTY-SW01
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description Router Uplink Ethernet0/1
switchport mode access
!
interface GigabitEthernet0/2
description Uplink to SW02
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
ip classless
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4
no login
line vty 5 15
no login
!
end

DRTY-SW01#
 
en
DRTY-SW02#sho run
Building configuration...

Current configuration : 1747 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DRTY-SW02
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description Router uplink Ethernet0/2
switchport mode access
duplex full
!
interface GigabitEthernet0/2
description Uplink to SW01
duplex full
!
interface GigabitEthernet0/3
duplex full
!
interface GigabitEthernet0/4
duplex full
!
interface GigabitEthernet0/5
duplex full
!
interface GigabitEthernet0/6
duplex full
!
interface GigabitEthernet0/7
duplex full
!
interface GigabitEthernet0/8
duplex full
!
interface GigabitEthernet0/9
duplex full
!
interface GigabitEthernet0/10
duplex full
!
interface GigabitEthernet0/11
duplex full
!
interface GigabitEthernet0/12
duplex full
!
interface GigabitEthernet0/13
duplex full
!
interface GigabitEthernet0/14
duplex full
!
interface GigabitEthernet0/15
duplex full
!
interface GigabitEthernet0/16
duplex full
!
interface GigabitEthernet0/17
duplex full
!
interface GigabitEthernet0/18
duplex full
!
interface GigabitEthernet0/19
duplex full
!
interface GigabitEthernet0/20
duplex full
!
interface GigabitEthernet0/21
duplex full
!
interface GigabitEthernet0/22
duplex full
!
interface GigabitEthernet0/23
duplex full
!
interface GigabitEthernet0/24
duplex full
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
!
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
no login
line vty 5 15
no login
!
end

DRTY-SW02#
 
The router should be set up: ISP equipment -----> Fa 0/0 of the Cisco 2600/Fa 0/1 -----> Switch 1 -----uplink> Switch 2. I'm not sure why the router was set up with the switches on different interfaces like that. Maybe for lab practice, I don't know. You'll want to use a FastEthernet port for your WAN port because you have a greater than 10 Mb connection to the internet. Let the router do the DHCPing. Do you have a static IP with your ISP or just a dynamic one? If you have the port space, I'd definitely run at least 2 links between switches and put them in etherchannel. Your ISP's device could even be doing NAT. If you plug a device straight into the ISP Cisco, do you get an IP address? If so, is it a public or private IP? There's A LOT of questions and variables here that can change suggestions and fixes.
 
Damn msg got erased... In short:
Dedicated static IP, not sure whether it is a private IP, left work and can't remember what it was off the top of my head. It definitely wasn't any variant of 192.168.x.x though.
I was thinking of dropping the router altogether because 1) why have unnecessary equipment in the chain? and 2) the limitations of the router interfaces are pretty much guaranteed to create a bottleneck, whether running entirely on the 100Mbit ports or not.
I doubt that the modem is handling NAT duties since like I said, it's a basic modem with no management capabilities, but I don't know for sure.
I definitely pull an IP when I plug straight in.
Ports are open right now, but by the time we finish we will be taking up around 42 ports just for the users.
 
Ok, so it sounds like maybe the ISP's Cisco device is doing NAT and DHCP for you already. Do you have access to this device to make any changes? What IP do you get when you plug right into the ISP Cisco? Also, how does your internet come in? Is it Metro Ethernet, Fiber, Cable, DSL? Does it convert from fiber to ethernet?
 
Here is what I see when plugged straight into the modem:

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : HSDN-33DC918DCB
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dc.dc.cox.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : dc.dc.cox.net
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Cont
roller
Physical Address. . . . . . . . . : 00-1C-23-3D-15-59
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 70.183.2.88
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . : 70.183.2.65
DHCP Server . . . . . . . . . . . : 172.19.105.16
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
Lease Obtained. . . . . . . . . . : Thursday, May 10, 2012 9:37:19 AM
Lease Expires . . . . . . . . . . : Friday, May 11, 2012 9:37:19 AM

C:\>tracert 172.19.105.16

Tracing route to 172.19.105.16 over a maximum of 30 hops

1 * * * Request timed out.
2 14 ms 11 ms 10 ms ip72-219-223-217.dc.dc.cox.net [72.219.223.217]

3 10 ms 9 ms 12 ms mrfddsrj01gex070003.rd.dc.cox.net [68.100.0.141]

4 19 ms 12 ms 15 ms mrfdvfwn01.rd.dc.cox.net [68.100.16.4]
5 12 ms 10 ms 10 ms 172.19.105.16

Trace complete.

C:\>
 
Nope, it's not doing NAT. You are going to need to get a firewall really. You could buy an ASA or, at a push, use the firewall in IOS.
 
Yeah, I figured. The modem is pretty dumb and isn't supposed to have any management capabilities whatsoever. Selling my boss on a $550 ASA 5505 would be way tougher than just turning on the IOS firewall. Not that I'm that adept at that either...
The line in is RJ6 Coax into the modem, CAT6 out to my equipment, copper (CAT6) throughout the rest of the network.
 
Any DHCP duties appear to be at the distant end on Cox's side. We obviously have no desire to allow them access to our internal network, so I will need to do something about NAT duties or a firewall at the least.
 
As far as access to the modem, I don't believe so; as far as I know it is programmed via a Type B USB port on the back by the installer and we don't have access to change anything.
 
Oh wow. I just googled that Cisco model the ISP has and it's a cable modem :p. Here I was thinking it was a ME Switch or something. Well this makes it easy then. Use the IOS firewall or ASA, have it do the NAT and DHCP for your internal network, and then link it to Switch one and then uplink Switch 2 into switch 1. Again, preferably with 2 or more connections for etherchannel.
 
After talking it out a bit and listening to you guys, I have come to the same conclusion. Now to figure out how to do that... :-p
I'll get to work reconfiguring the switches to handle that, but I am a bit out of my depth with getting everything on the router to work with me.
 
Okay, I am a bit confused on a few points.
1) the IP address that I assign to the interface that the modem will plug into, that should be set to my dedicated IP right? Cox assigned me 70.183.2.88, so I should set that port to 70.183.2.88, right?

2) Is there a difference in the steps I take to setup Switchport Mode Access (Uplink) between the port coming off of switch 1 and the port receiving access on switch 2?

3) Is there a difference between the way I setup the uplinks between the switches and the uplink to the router?

4) I turned MDIX to auto on both ports between the 2 switches and I lost connectivity. WTH?
 
Yes.

Yes. If you are doing VLANs or anything on your switches, those switch ports need to be trunks. switchport mode trunk. If not, access is fine.

Uplink to the router is a regular port unless you are doing router on a stick (routing between VLANs) on it, then it needs to be a trunk.

Are you using a crossover cable to connect the two switches? That's the "proper" way, though gigabit has auto-crossover built into the spec.
 
Can't find my Xover, I had it laying around somewhere. But I know that it can handle auto negotiation via MDIX, it was actually coming up before. Somewhere along the line I did something and didn't notice when I was no longer getting activity. Just plugged into switch 1 via this laptop and was able to receive an IP (1.1.1.5) ping the router port 0/1 (1.1.1.1) and port 0/0 (70.183.2.88), but nothing past and no internet. I know that I will most likely need to get the NAT up before I can talk to the internet, but I don't know that I'm there yet.
 
Just setup "IP NAT Outside" on the WAN port (0/0) and "IP NAT Inside" on the LAN port (0/1) still no luck being able to ping out to the internet from the router.
 
First of all, those IPs aren't usable. Change them to a private network, IE 192.168.x.x, 10.x.x.x, or 172.16.0.0 - 172.31.255.255. The 1.1.1.1 is a public IP.

You still need to add a NAT and ACL statement.

ip nat inside source list 1 interface fastEthernet 0/0 overload
#access-list 1 permit 192.168.1.0 0.0.0.255

Those commands basically say allow any address in access list 1 (access list 1 permits any IP on the 192.168.1.0 subnet) to translate the IP to the IP of the Fa 0/0 interface. Then give the Fa 0/0 (WAN) interface the command "ip nat outside" and the Fa 0/1 (LAN) interface the command "ip nat inside".
 
Hey guys, a long weekend and an out of town wedding have kept me away from this, but I am back in and trying to plug this in now. I already did the "ip nat inside" and "ip nat outside" commands on their respective ports. If I go in and do the access list commands and change my LAN side IP scheme, will I have to redo them or should it pop up immediately?
Also, I am running a /26 (255.255.255.192) on my network currently, as the network will most likely never see more than 44 IPs in use. Should that access list info be different?
 
Hey, what should I do about the DNS server? I don't have one on the LAN; am I good to just plug in the primary and secondaries that my ISP gave me even though they are on the WAN side? Should I try using the Google 8.8.8.8/8.8.4.4 DNS servers?
Do I need to do anything about the access list on the switch, or is it seamless for the switches?
 
If it's a /26, it would be:
access-list 1 permit 192.168.1.0 0.0.0.63
OR
access-list 1 permit 192.168.1.64 0.0.0.63

It depends on where your subnet starts. If it's at 192.168.1.0 then it's the top one, if it's 192.168.1.64 then it's the bottom one, and so on.

If you already have an ACL statement, type no in front of it to remove it. So if you have say:
access-list 1 permit 192.168.1.64 0.0.0.63
in your running config, just type:
no access-list 1 permit 192.168.1.64 0.0.0.63
to remove it.

Yes, you can just use your ISP's DNS servers if you want. Commands:

Router(config)#ip dhcp pool LAN <-- (You can make "LAN" any name you want, or if you already have an IP pool, use that name here.)

Router(dhcp-config)#dns-server x.x.x.x x2.x2.x2.x2 <-- These are the IPs of the DNS servers you want to push to your DHCP clients. x.x.x.x and x2.x2.x2.x2 are the two ISP DNS servers.
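As an added worked example (mine, not something anyone in the thread posted), a short Python helper that turns a subnet into the wildcard-mask access-list line discussed in this reply, checks whether a given host would be matched by that line (and therefore translated by the NAT overload rule), and sanity-checks a DHCP pool's default-router and excluded-address ranges against its network, which is where the first pseudo-config earlier in the thread went wrong. Function names are my own and the sample values are constructed from the addresses used in this thread.

```python
import ipaddress


def acl_for_subnet(cidr, acl_number=1):
    """Build the IOS standard ACL line that matches exactly one subnet.

    IOS wildcard masks are the inverse of the subnet mask: a 1 bit means
    "don't care", so a /26 (255.255.255.192) becomes 0.0.0.63. strict=False
    lets a host address such as 192.168.1.70/26 resolve to its network.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return f"access-list {acl_number} permit {net.network_address} {net.hostmask}"


def acl_permits(acl_line, host):
    """True if an 'access-list N permit ...' line matches host.

    Handles 'permit A.B.C.D W.X.Y.Z', 'permit host A.B.C.D' and 'permit any'.
    A host the ACL does not match is never translated by the NAT overload
    rule, which is why a /26 starting at .64 gets nothing from a .0 ACL.
    """
    parts = acl_line.split()
    action, args = parts[2], parts[3:]
    if action != "permit":
        return False
    if args == ["any"]:
        return True
    if args[0] == "host":
        return ipaddress.ip_address(args[1]) == ipaddress.ip_address(host)
    net = int(ipaddress.ip_address(args[0]))
    wildcard = int(ipaddress.ip_address(args[1]))
    h = int(ipaddress.ip_address(host))
    # Bits set in the wildcard are ignored; every other bit must agree.
    return ((h ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def dhcp_pool_problems(network, mask, default_router, excluded_ranges=()):
    """Return a list of problems with an 'ip dhcp pool' block.

    The default-router must sit inside the pool's network or clients get a
    gateway they cannot reach, and each 'ip dhcp excluded-address lo hi'
    range should fall inside the network or it excludes nothing.
    """
    try:
        net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    except ValueError as exc:
        return [f"bad network statement: {exc}"]
    problems = []
    if ipaddress.ip_address(default_router) not in net:
        problems.append(f"default-router {default_router} is not in {net}")
    for lo, hi in excluded_ranges:
        if ipaddress.ip_address(lo) not in net or ipaddress.ip_address(hi) not in net:
            problems.append(f"excluded-address {lo} {hi} is not inside {net}")
    return problems


if __name__ == "__main__":
    # Constructed inputs built from the values discussed in this thread.
    for cidr in ("192.168.1.0/26", "192.168.1.64/26"):
        print(acl_for_subnet(cidr))
    acl = acl_for_subnet("192.168.1.0/26")
    for host in ("192.168.1.5", "192.168.1.70"):
        print(host, "NATed" if acl_permits(acl, host) else "NOT matched by ACL 1")
    # The first pseudo-config in the thread had a gateway outside the pool.
    print(dhcp_pool_problems("1.1.2.0", "255.255.255.224", "70.182.2.65"))
    print(dhcp_pool_problems("192.168.1.0", "255.255.255.192", "192.168.1.1",
                             [("192.168.1.1", "192.168.1.3")]))
```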
 
Got it.
In a minute I am going to post the updated configs. I think I've got the switchport modes on the uplink ports backwards, but before I go screwing with them again and possibly messing them up, I want to make sure.
 
DRTY-RTR#sho run
Building configuration...

Current configuration : 1456 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DRTY-RTR
!
boot-start-marker
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.3
!
ip dhcp pool 192.168.1.0/26
network 192.168.1.0 255.255.255.192
default-router 192.168.1.1
dns-server 68.105.28.16 68.105.29.16
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description WAN Interface
ip address 70.169.167.103 255.255.255.224
ip nat outside
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet0/1
description Uplink to SW01
ip address 192.168.1.1 255.255.255.192
ip nat inside
speed auto
full-duplex
no clns route-cache
!
interface Ethernet1/0
no ip address
shutdown
full-duplex
no clns route-cache
!
interface Ethernet1/1
no ip address
shutdown
full-duplex
no clns route-cache
!
interface Ethernet1/2
no ip address
shutdown
full-duplex
no clns route-cache
!
interface Ethernet1/3
no ip address
shutdown
full-duplex
no clns route-cache
!
ip default-gateway 70.169.167.97
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

DRTY-RTR#
 
Yeah, created it and then dropped it somehow, probably missed a wr mem somewhere. Created it again though and still can't get out.
 
DRTY-RTR#sho run
Building configuration...

Current configuration : 1498 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DRTY-RTR
!
boot-start-marker
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.3
!
ip dhcp pool 192.168.1.0/26
network 192.168.1.0 255.255.255.192
default-router 192.168.1.1
dns-server 68.105.28.16 68.105.29.16
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description WAN Interface
ip address 70.169.167.103 255.255.255.224
ip nat outside
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet0/1
description Uplink to SW01
ip address 192.168.1.1 255.255.255.192
ip nat inside
speed auto
full-duplex
no clns route-cache
!
interface Ethernet1/0
no ip address
shutdown
full-duplex
no clns route-cache
!
interface Ethernet1/1
no ip address
shutdown
full-duplex
no clns route-cache
!
interface Ethernet1/2
no ip address
shutdown
full-duplex
no clns route-cache
!
interface Ethernet1/3
no ip address
shutdown
full-duplex
no clns route-cache
!
ip default-gateway 70.169.167.97
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
!
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.1.0 0.0.0.63
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

DRTY-RTR#
 
That looks correct from what I can see so far. You should be able to get internet access and DHCP leases through that router now.
 
Where is your routing statement? I do not even see one in the config.

Your NAT and ACL look to be okay. You are overloading your outside interface, which is good, so NAT will work on all inside networks; however, with no routing statement you have no way to bridge the gap between interfaces.
 
The routing statement had to be created; I think I did it wrong though. Will update soon, got retasked to handle a bunch of other stuff today.
 
Add this:

Router(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 0/0

OR

Router(config)#ip route 0.0.0.0 0.0.0.0 70.169.167.97 <--- If that's the correct gateway of your ISP.
 