Setting up Vlans on your Cisco Switch with Monowall
Requirements:
- Cisco 2950
- Soekris or similar w/ m0n0wall
Network Diagram:
Network Hardware Picture:
The Howto
First, we telnet to the switch and perform the following:
cisco1>enable
Password:
cisco1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco1(config)#int vlan10
This creates our first vlan interface, vlan10. Since this one is for the phones, we give it a description:
cisco1(config-if)#description Phones
cisco1(config-if)#exit
cisco1(config)#
Now we do the same thing for the Computers Network
cisco1(config)#int vlan20
cisco1(config-if)#description Computers
cisco1(config-if)#exit
cisco1(config)#
Now we do the same thing for the WIFI Network
cisco1(config)#int vlan30
cisco1(config-if)#description WIFI
cisco1(config-if)#exit
cisco1(config)#
Now we set up the vlans on the soekris
- Login to Monowall
- Go to Interfaces(assign)
- Click on the Vlans Tab
- Click the little + sign to create a new vlan
Now we have some settings
Parent Interface: sis1 (or whatever your LAN / plugged into cisco switch is)
VLAN Tag: 10 (remember, the tag for the phones was 10)
Description: Phones
Then do it all again for the computers vlan
Parent Interface: sis1 (or whatever your LAN / plugged into cisco switch is)
VLAN Tag: 20 (remember, the tag for the computers was 20)
Description: Computers
Then do it all again for the WIFI vlan
Parent Interface: sis1 (or whatever your LAN / plugged into cisco switch is)
VLAN Tag: 30 (remember, the tag for the WIFI was 30)
Description: WIFI
Now we hop back on the switch and type in
Password:
cisco1>enable
Password:
cisco1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco1(config)#
Enter the switch port you are using for the uplink, in my case 0/1
cisco1(config)#int fastethernet0/1
Give it a description of what this is
cisco1(config-if)#description Uplink to Soekris (Router)
Make the uplink a trunk so it carries all the tagged vlans to the router, using this command
cisco1(config-if)#switchport mode trunk
Now return to monowall and reboot it so the new vlans are enabled. Everything should work after that.
Now log in to the monowall/soekris again, go to Interfaces (assign), open the Interfaces tab, then click the + sign.
You should have:
LAN: sis1
WAN: sis0
OPT1: VLAN 10 on SIS1 (Phones)
OPT2: VLAN 20 on SIS1 (Computers)
OPT3: VLAN 30 on SIS1 (WIFI)
Click save. Reboot the soekris again.
Now log in to the soekris again, change the interface name from OPT1 to VLAN-Phones, assign it the ip range 10.0.2.1/24 and click save. Do the same for Computers (10.0.3.x) and WIFI (10.0.4.x).
Now go to the DHCP Server section on the soekris, and you’ll see a new VLAN-Phones, VLAN-Computers and VLAN-WIFI tabs at the top, which you can configure.
If you know the MAC addresses of your devices, put them in for static address mapping and name them.
Make sure it is enabled, then click “Apply Changes”
Now go back to your cisco switch and configure the ports your phones and servers are on, in my case ports 17 and 24
Password:
cisco1>enable
Password:
cisco1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco1(config)#int faste0/17
cisco1(config-if)#switchport access vlan 10
% Access VLAN does not exist. Creating vlan 10
cisco1(config-if)#end
cisco1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco1(config)#int faste0/24
cisco1(config-if)#switchport access vlan 10
cisco1(config-if)#end
Now we’ll set some descriptions
cisco1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco1(config)#int faste0/17
cisco1(config-if)#description Cisco 7970 at Matts Desk
cisco1(config-if)#end
cisco1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco1(config)#int faste0/24
cisco1(config-if)#description Asterisk IP PBX Server
cisco1(config-if)#end
cisco1#
Now, repeat the above two steps for your Computers and WIFI networks.
After this is complete, you’ll want to do the following on the switch to verify it’s all correct.
cisco1#wr
cisco1#show config
<output suppressed>
cisco1#show vlan brief
<output suppressed>
This writes your configuration to memory, then shows you your running setup and your vlan configuration. Scroll down below my cisco commands to see my output to verify against.
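As an added example (not from the original post or any Cisco tool), here is a small Python audit that reads a saved "show config" like the one further down and flags two things worth checking: access ports that are not in vlan 10, 20 or 30 (a port with no "switchport access vlan" line sits in vlan 1), and trunk ports that carry every vlan because no "switchport trunk allowed vlan" list was set. The sample config embedded in it is constructed for the example.

```python
# Added example (not from the original post or Cisco): audit the kind of
# 'show config' output shown on this page against the planned VLAN layout.
import re

PLAN = {10, 20, 30}   # planned VLAN IDs: Phones, Computers, WIFI

# Constructed sample: an unpruned trunk, a port left in VLAN 1, a phone port.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description Uplink to Soekris (Router)
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/17
 switchport access vlan 10
!
"""

def parse_interfaces(config):
    """Map each Ethernet port to its stanza lines; '!' separates stanzas."""
    stanzas = {}
    for block in config.split("!\n"):
        lines = [l.strip() for l in block.strip().splitlines()]
        if lines and re.match(r"interface (Fast|Gigabit)Ethernet", lines[0]):
            stanzas[lines[0].split()[1]] = lines[1:]   # SVIs are skipped
    return stanzas

def vlan_set(spec):
    """Expand an IOS list such as '10,20-22,30' into {10, 20, 21, 22, 30}."""
    ids = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(config, plan=PLAN):
    findings = []
    for name, lines in parse_interfaces(config).items():
        text = "\n".join(lines)
        if "switchport mode trunk" in lines:
            m = re.search(r"^switchport trunk allowed vlan ([\d,-]+)$", text, re.M)
            if not m:
                findings.append(f"{name}: trunk carries every VLAN (no allowed list)")
            elif missing := plan - vlan_set(m.group(1)):
                findings.append(f"{name}: trunk allowed list omits VLAN(s) {sorted(missing)}")
        else:
            m = re.search(r"^switchport access vlan (\d+)$", text, re.M)
            vlan = int(m.group(1)) if m else 1          # default access VLAN is 1
            if vlan not in plan:
                findings.append(f"{name}: access VLAN {vlan} not in plan")
    return sorted(findings)
```

Run audit() over your own "show config" text; an empty list means every port is in a planned vlan and the trunk is pruned to them.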
After you have done that, you will want to configure your firewall rules on the Soekris/Monowall setup. What I did was enable * for VLAN-Phones, VLAN-Computers, VLAN-WIFI, and on the LAN. On the WAN side of things I have everything disabled, and only allow a few services in (ssh, and voip stuff in my case). I’m not going to paste screenshots because if you have this type of hardware I expect you know how to configure a basic firewall 🙂
That’s it for now. Next step is the queuing and all the l33t stuff.
FULL COMMAND LISTING ON THE CISCO SWITCH:
Initial Setup:
enable
conf t
int vlan10
description Phones
int vlan20
description Computers
int vlan30
description Wifi
int fa0/1
spanning-tree portfast
description Uplink to Soekris (Router)
switchport mode trunk
switchport trunk allowed vlan 10,20,30
SETUP VLAN10:
int fa0/17
switchport access vlan 10
description VOIP1-Matt-7970
int fa0/18
switchport access vlan 10
description VOIP2
int fa0/19
switchport access vlan 10
description VOIP3
int fa0/20
switchport access vlan 10
description VOIP4
int fa0/21
switchport access vlan 10
description VOIP5
int fa0/21
switchport access vlan 10
description VOIP6
int fa0/22
switchport access vlan 10
description VOIP7
int fa0/23
switchport access vlan 10
description VOIP8
int fa0/24
switchport access vlan 10
description VOIP-PBX
end
SETUP VLAN20:
int fa0/3
switchport access vlan 20
description PrintServer
int fa0/4
switchport access vlan 20
description Server1
int fa0/5
switchport access vlan 20
description Server2
int fa0/6
switchport access vlan 20
description Server3
int fa0/7
switchport access vlan 20
description Server4
int fa0/8
switchport access vlan 20
description Server5
int fa0/9
switchport access vlan 20
description Desktop1
int fa0/10
switchport access vlan 20
description Desktop2
int fa0/11
switchport access vlan 20
description Desktop3
int fa0/12
switchport access vlan 20
description Desktop4
int fa0/13
switchport access vlan 20
description Desktop5
int fa0/14
switchport access vlan 20
description Desktop6
int fa0/15
switchport access vlan 20
description Desktop7-Xbox360
int fa0/16
switchport access vlan 20
description Desktop8-Craig
end
SETUP VLAN30:
int fa0/2
switchport access vlan 30
description WIFI
OUTPUT OF “show config” on cisco 2950 switch
cisco1#show config
Using 3391 out of 32768 bytes
!
! Last configuration change at 23:37:22 EDT Sat Apr 14 2007
! NVRAM config last updated at 23:37:23 EDT Sat Apr 14 2007
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname cisco1
!
enable secret 5 $1$.aJp$eniLVaBSekYNQW/dmmGcH0
enable password <PASSWORD>
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
description Uplink to Soekris (Router)
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet0/2
description WIFI
switchport access vlan 30
!
interface FastEthernet0/3
description PrintServer
switchport access vlan 20
!
interface FastEthernet0/4
description Empty
switchport access vlan 20
!
interface FastEthernet0/5
description Empty
switchport access vlan 20
!
interface FastEthernet0/6
description Empty
switchport access vlan 20
!
interface FastEthernet0/7
description Empty
switchport access vlan 20
!
interface FastEthernet0/8
description Empty
switchport access vlan 20
!
interface FastEthernet0/9
description Desktop1
switchport access vlan 20
!
interface FastEthernet0/10
description desktop-mattport2
switchport access vlan 20
!
interface FastEthernet0/11
description Desktop3
switchport access vlan 20
!
interface FastEthernet0/12
description Desktop4
switchport access vlan 20
!
interface FastEthernet0/13
description desktop-matt-desktop1
switchport access vlan 20
!
interface FastEthernet0/14
description Empty
switchport access vlan 20
!
interface FastEthernet0/15
description computer-xbox360
switchport access vlan 20
!
interface FastEthernet0/16
description computer-craig-upstairs
switchport access vlan 20
!
interface FastEthernet0/17
description VOIP1-Matt-7970
switchport access vlan 10
!
interface FastEthernet0/18
description VOIP2
switchport access vlan 10
!
interface FastEthernet0/19
description VOIP3
switchport access vlan 10
!
interface FastEthernet0/20
description VOIP4
switchport access vlan 10
!
interface FastEthernet0/21
description VOIP6
switchport access vlan 10
!
interface FastEthernet0/22
description VOIP7
switchport access vlan 10
!
interface FastEthernet0/23
description VOIP8
switchport access vlan 10
!
interface FastEthernet0/24
description VOIP-PBX
switchport access vlan 10
!
interface Vlan1
ip address 10.0.1.20 255.255.255.0
no ip route-cache
!
interface Vlan10
description Phones
no ip address
no ip route-cache
shutdown
!
interface Vlan20
description Computers
no ip address
no ip route-cache
shutdown
!
interface Vlan30
description WIFI
no ip address
no ip route-cache
shutdown
!
interface Vlan100
no ip address
no ip route-cache
!
ip default-gateway 10.0.1.1
ip http server
snmp-server community flewid.local.write RW
snmp-server community flewid.local RO
snmp-server location Downstairs
snmp-server contact Matt Gibson
banner login ^C
Access for authorized users only. Please enter your username and password.
^C
banner motd ^C
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
^C
!
line con 0
line vty 0 4
password <PASSWORD>
login
line vty 5 15
password <PASSWORD>
login
!
ntp clock-period 17180357
ntp server 192.43.244.18 key 0
!
end
cisco1#
OUTPUT OF “show vlan brief” on cisco 2950 switch
cisco1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   VLAN0010                         active    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
20   VLAN0020                         active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16
30   VLAN0030                         active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
cisco1#