Cisco 891W Router Configuration

Hello,
I am trying to configure an 891W router for practicing for ICND 1. Can you please advise on the configuration, greatly appreciate it, thanks.

On the 891W router, the switchport port security command doesn't work, instead I used switchport protected, guess that command does port security for the 891W.
I cannot assign IP addresses to ports. How do I assign an IP address for a trunk port on the 891W (int fa1)?

Does VLAN 1 require an IP address?

If I make VLAN 2 as the native VLAN, do I have to assign an IP address to it?

I created a couple of VLANs, and plan to use VLAN 3 for network switch management.

Do I have to create a loopback address for each VLAN?
I am a little mixed up with the DHCP pool creation. Do I have to create a pool for each VLAN?

Can you please take a look at the configuration script and correct it for me, greatly appreciate it, thanks.

I had gotten the following error:

ip address 192.168.1.2 255.255.255.224
% 192.168.1.0 overlaps with secondary address on Loopback0

ip address 192.168.5.2 255.255.255.0
% 192.168.5.0 overlaps with secondary address on Loopback0

*****************************************************************

*****************************************************************

config t
alias exec save copy running-config startup-config

int range fa0 - 7
speed 100
duplex full
switchport mode access
switchport protected
shutdown
exit

*****************************************************************

hostname R891W
no enable password
enable secret testlab
username XXX privilege 15 password testlab1
service password-encryption
no ip domain lookup
ip domain name XXX
vtp domain XXX
vtp mode transparent
ntp server 64.113.32.5
no ip http server
ip name 4.2.2.2 4.2.2.3 8.8.8.8
ip route 0.0.0.0 0.0.0.0 fa8 dhcp
ip routing
default-information originate
!
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
network 192.168.6.0 0.0.0.255 area 0
network 192.168.7.0 0.0.0.255 area 0
network 192.168.8.0 0.0.0.255 area 0
passive-interface default
no passive-interface fa0
no passive-interface fa1
no passive-interface fa2
exit

*****************************************************************

crypto key generate rsa general-keys modulus 2048

*****************************************************************

ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

*****************************************************************

line con 0
no exec-timeout
logging synchronous
enable secret testlab
line con 0
login local
exit

line vty 0 4
logging synchronous
no exec-timeout
username tech
line vty 0 4
password testlab
login local
transport input telnet ssh
exit

line aux 0
logging synchronous
exec-timeout 0 0
password aux
login
login local

exit

Banner motd +
******************************
Unauthorized Access Prohibited
******************************
+

*****************************************************************

service dhcp

ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
ip dhcp excluded-address 192.168.5.1
ip dhcp excluded-address 192.168.6.1
ip dhcp excluded-address 192.168.7.1
ip dhcp excluded-address 192.168.8.1

ip dhcp pool DHCP-POOL
network 192.168.1.0 255.255.255.0
network 192.168.2.0 255.255.255.0 secondary
network 192.168.3.0 255.255.255.0 secondary
network 192.168.4.0 255.255.255.0 secondary
network 192.168.5.0 255.255.255.0 secondary
network 192.168.6.0 255.255.255.0 secondary
network 192.168.7.0 255.255.255.0 secondary
network 192.168.8.0 255.255.255.0 secondary
exit
!
dns-server 4.2.2.2 4.2.2.3 8.8.8.8
default-router 192.168.1.1
domain-name XXX
lease 7
exit
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255 secondary
ip address 192.168.2.1 255.255.255.255 secondary
ip address 192.168.3.1 255.255.255.255 secondary
ip address 192.168.4.1 255.255.255.255 secondary
ip address 192.168.5.1 255.255.255.255 secondary
ip address 192.168.6.1 255.255.255.255 secondary
ip address 192.168.7.1 255.255.255.255 secondary
ip address 192.168.8.1 255.255.255.255 secondary
exit

interface vlan 1
ip nat inside
exit

vlan 2
name NATIVE
int vlan 2
ip nat inside
no shut
exit

vlan 3
name SWITCH_MANAGEMENT
int vlan 3
ip address 192.168.1.2 255.255.255.224
ip nat inside
no shut
exit

Vlan 10
name PRIVATE-WIFI-VLAN
interface Vlan 10
description PRIVATE-WIFI-VLAN
ip address 192.168.5.2 255.255.255.0
ip nat inside
exit

vlan 11
name GUEST-WIFI-VLAN
interface Vlan 11
description GUEST WIFI VLAN
ip address 192.168.6.2 255.255.255.0
ip nat inside
exit

Vlan 12
name VOIP-VLAN
interface Vlan 12
description VOIP-VLAN
ip address 192.168.7.2 255.255.255.0
ip nat inside
exit

Vlan 14
name FINANCE-VLAN
interface Vlan 14
description FINANCE-VLAN
ip address 192.168.1.65 255.255.255.240
ip nat inside
exit

Vlan 17
name I.T.VLAN
interface Vlan 17
description I.T. VLAN
ip address 192.168.1.129 255.255.255.240
ip nat inside
exit

*****************************************************************

int loopback0
ip address 192.168.1.1 255.255.255.224
ip nat inside
no shut
exit

int fa0
description TRUNK LINK TO ASA5520 FA1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan all
shut
exit

int fa1
description Trunk LINK TO S3560 FA1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan all
no shut
exit

int fa2
description TRUNK LINK TO S3750 FA2
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan all
no shut
exit

int fa3
description VOIP VLAN Port
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 12
shut
exit

int range fa4 - 5
description FINANCE VLAN Port
switchport mode access
switchport access vlan 14
no shut
exit

int range fa6 - 7
description I.T. VLAN Port
switchport mode access
switchport access vlan 17
no shut
exit

*****************************************************************

ip access-list standard INSIDE_NAT_ADDRESSES
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
permit 192.168.3.0 0.0.0.255
permit 192.168.4.0 0.0.0.255
permit 192.168.5.0 0.0.0.255
permit 192.168.6.0 0.0.0.255
permit 192.168.7.0 0.0.0.255
permit 192.168.8.0 0.0.0.255
exit

*****************************************************************

int fa8
ip address dhcp
ip nat outside
ip nat enable
no shut
ip nat inside source list INSIDE_NAT_ADDRESSES int fa8 overload
exit

*****************************************************************

Hello Dinesh.

I will attempt to answer your questions in a way that will help you to further your studies.

On the 891W router, the switchport port security command doesn't work, instead I used switchport protected, guess that command does port security for the 891W. I cannot assign IP addresses to ports. How do I assign an IP address for a trunk port on the 891W (int fa1)?

Keep in mind that switch ports (the physical Ethernet ports) on the 891W have very limited functionality concerning port security and other configurations. This is why the switchport port security command did not work. The switchport protected command provides another service that you do not require for the ICND1 exam. If you’re interested in reading up on it, take a look at http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011101.html. Also, these ports are Layer 2 ports, which means you cannot assign an IP address to them. It’s just the way the specific router has been designed.

Does VLAN 1 require an IP address?
Strictly speaking, no, it is not necessary to have an IP address on VLAN 1. Usually, the IP address of VLAN 1 is by default the internal IP address of the router. It is this address that is used as the default gateway for the devices that connect to the router. However, on your router I see you have several other VLANs set up as well, which can also be used instead. You do need at least one VLAN to have an IP address, otherwise no IP connectivity can be achieved.

If I make VLAN 2 as the native VLAN, do I have to assign an IP address to it?
No, the native VLAN does not necessarily have to have an IP address assigned to it.

Do I have to create a loopback address for each VLAN?
No. A loopback address is not necessary for the creation of VLANs. Whether you create loopback interfaces or not will have no impact on the rest of your configuration. (Loopbacks are used in conjunction with other more advanced configurations that are not included in ICND1. Beyond knowing how to create one and assign an IP address, you won’t need to do anything else with loopbacks).

I am a little mixed up with the DHCP pool creation. Do I have to create a pool for each VLAN?
In general each VLAN corresponds to a subnet. If you want to configure DHCP, you will have to create a pool for each subnet, which in turn corresponds to a VLAN. So yes, for each subnet/VLAN that you want to provide DHCP for, you must create a pool.

I had gotten the following error: % 192.168.1.0 overlaps with secondary address on Loopback0
Each interface of a router (whether a physical interface, VLAN interface or loopback interface) must have an IP address that is in a unique subnet. For example, if interface Fe0/1 has an IP address of 192.168.10.1/24, Fe0/2 cannot have an address of 192.168.10.2/24 because it is in the same subnet. The reason you get this error is because you already have an IP address on a loopback interface within the same subnet of the address you are trying to configure. You must assign IP addresses in different subnets for each interface.

It’s great that you are testing configurations on a live device; however, the router you are using has many limitations concerning the configuration that you are trying to configure. I suggest the use of Cisco Packet Tracer, which will give you a wider range of devices and functionality that will be more familiar to you for the exam.

I wish you success in your studies and in your exam.

I hope this has been helpful.

Laz
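
The overlap rule described in the answer above can be checked offline before a configuration is pasted into the router. The following Python sketch is an added example, not part of either post: it parses `ip address` lines and reports subnets that overlap across different interfaces. The function names are hypothetical, and the sample is a constructed excerpt of the addressing lines from the posted script.

```python
import ipaddress
import re

# Constructed excerpt of the addressing lines from the posted configuration.
CONFIG = """\
interface Loopback0
 ip address 192.168.1.1 255.255.255.255 secondary
 ip address 192.168.5.1 255.255.255.255 secondary
interface Vlan 3
 ip address 192.168.1.2 255.255.255.224
interface Vlan 10
 ip address 192.168.5.2 255.255.255.0
interface Vlan 14
 ip address 192.168.1.65 255.255.255.240
interface Vlan 17
 ip address 192.168.1.129 255.255.255.240
"""

ADDR = re.compile(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def parse_interfaces(config):
    """Return [(interface, IPv4Interface)] for each static 'ip address' line."""
    found, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"(?:interface|int)\s+(.+)$", line, re.I)
        if m:
            # Normalise 'int vlan 3' and 'interface Vlan3' to the same key.
            current = m.group(1).replace(" ", "").lower()
            continue
        m = ADDR.match(line)  # 'ip address dhcp' does not match and is skipped
        if m and current:
            found.append((current, ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")))
    return found

def find_overlaps(config):
    """Address pairs on different interfaces whose subnets overlap."""
    entries = parse_interfaces(config)
    clashes = []
    for i, (if_a, a) in enumerate(entries):
        for if_b, b in entries[i + 1:]:
            # Addresses on the same interface (secondaries) are not compared.
            if if_a != if_b and a.network.overlaps(b.network):
                clashes.append((if_a, str(a), if_b, str(b)))
    return clashes

if __name__ == "__main__":
    for if_a, a, if_b, b in find_overlaps(CONFIG):
        print(f"{if_a} {a} overlaps {if_b} {b}")
```

Run against the excerpt, it flags the same two subnets named in the error messages (192.168.1.0 and 192.168.5.0 against Loopback0), while the /28 subnets on VLAN 14 and VLAN 17 pass because they fall outside 192.168.1.0/27.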