08-02-2006 07:25 AM
Re: VLAN Help Tagging/Untagging
3- Enable Route to Internet:
(config)# ip route 0.0.0.0 0.0.0.0 192.168.10.254
Could we change that router IP to be 172.16.0.254?
This is the IP of our router/gateway.
Would this work?
08-02-2006 03:47 PM
Re: VLAN Help Tagging/Untagging
Thanks for checking after me. See, no one is perfect; of course you should change the command (config)# ip route 0.0.0.0 0.0.0.0 192.168.10.254 to (config)# ip route 0.0.0.0 0.0.0.0 172.16.0.254 -- my mistake.
Now, for the servers, YES, you can definitely keep them with their existing IP addresses, but in this case the ACL will be more complicated, so what I need from you is:
The IP addresses of every server you want people to access, so I can modify the ACLs and exclude these servers to permit.
Again, points are our thanks :)
Good Luck !!!
08-02-2006 04:39 PM
Re: VLAN Help Tagging/Untagging
I have changed a lot in the configuration, so delete the old config file and check this one, and follow it step by step from Edge to Core to Internet Router; all the sections changed.
Remember, no one is perfect :)
Good Luck !!!
08-02-2006 07:21 PM
Re: VLAN Help Tagging/Untagging
VLAN100 = 172.16.0.X/16
VLAN400 = 172.16.0.X/24
For VLAN 400 I would use another subnet such as 192.168.1.0/24 instead.
08-02-2006 11:41 PM
Re: VLAN Help Tagging/Untagging
Once again, thanks for your time in helping me out on this. Great help so far!!
Anyways... my server IPs are as follows...
Server1 = 172.16.0.1 - Port E1 - Access needed from VLAN100, VLAN200 and VLAN400
Server2 = 172.16.0.2 - Port E2 - Access needed from VLAN100, VLAN200 and VLAN400
Office/Admin Server = 192.168.0.1 - Port E3 - Access only needed from VLAN200
E-Mail Server = 172.16.0.5 - Port E4 - Access needed from ALL VLANs.
Proxy1 = 172.16.0.253 - Port C1 - Access needed from ALL VLANs.
Proxy2/Internet Gateway = 172.16.0.254 - Port C2 - Access needed from ALL VLANs.
Web Development Server = 172.16.0.9 - Port C3 - Access needed from ALL VLANs.
Multimedia Server = 172.16.0.17 - Port C4 - Access needed from ALL VLANs.
Content Filtering Server = 172.16.0.7 - Port C5 - Access needed from just VLAN100.
WAP Server (DHCP) = 10.0.0.1 - Port D19 - Access from just VLAN300.
All VLANs need internet access too.
Really hope this helps you out more. If you need more info, please let me know and I can supply more.
Again, thanks very much for the time and effort. :-)
08-03-2006 12:01 AM
Re: VLAN Help Tagging/Untagging
I guess then I have to rebuild the ACLs from the beginning, but I think the configuration is correct, and since I explained to you how to do it, you had better start doing the configuration.
I will work on the ACL and will get back to you soon; meanwhile you can test the latest configuration I attached without applying the ACL. Leave this until I update you with the latest :)
Good Luck !!!
08-03-2006 12:09 AM
Re: VLAN Help Tagging/Untagging
I noticed most of your servers are in Vlan400, so do you think changing is OK with you?
Inform me so I can build the ACLs.
Good luck !!!
08-03-2006 12:11 AM
Re: VLAN Help Tagging/Untagging
One other little hurdle I have come up with is our access points. The way we wish to set them up is so that VLAN300 is totally separate from the rest of the network with only access to the "WAP Server (DHCP) = 10.0.0.1 - Port D19" and the Internet Gateway (172.16.0.254 on VLAN100). But the problem is we have 10 laptops which need to join VLAN100 as they use Server1 (on VLAN100) for their DHCP instead of the 'WAP Server' (on VLAN300).
So is there any way of just letting those 10 laptops access VLAN100 and deny the rest of the laptops? MAC Address method or anything like that?
Sorry for confusing matters further... it just seems to get more complex. :-(
08-03-2006 12:12 AM
Re: VLAN Help Tagging/Untagging
Most of the servers are all in VLAN100 on the 172.16.0.x/16 range.
08-03-2006 08:39 AM
Re: VLAN Help Tagging/Untagging
I prepared the new ACLs that fit your requirements, but PLEASE double check them and let us know if you have any problem with them:
----VLAN100----
(config)# access-list 100 permit ip any host 172.16.0.x --- Permit Server1
(config)# access-list 100 permit ip any host 172.16.0.y --- Permit Server2
(config)# access-list 100 deny ip 192.168.0.1 0.0.0.255 any --- deny Vlan200
(config)# access-list 100 deny ip 10.0.0.1 0.0.1.255 any --- deny Vlan300
(config)# access-list 100 deny ip 172.16.0.1 0.0.0.255 any --- deny Vlan400
(config)# access-list 100 permit ip any any --- permit other traffic
(Config)# vlan 100 ip access-group 100 in --- apply ACL 100 to Vlan100
----VLAN200----
(config)# access-list 200 permit ip host 172.16.0.x any --- Permit Server1
(config)# access-list 200 permit ip host 172.16.0.y any --- Permit Server2
(config)# access-list 200 deny ip 172.16.0.21 0.0.255.255 any --- deny Vlan100
(config)# access-list 200 deny ip 10.0.0.1 0.0.1.255 any --- deny Vlan300
(config)# access-list 200 deny ip 172.16.0.1 0.0.0.255 any --- deny Vlan400
(config)# access-list 200 permit ip any any --- permit other traffic
(Config)# vlan 200 ip access-group 200 in --- apply ACL 200 to Vlan200
----VLAN300----
The DHCP server is allowed to Vlan300 since it's in the same Vlan; we need to permit only Internet:
(config)# access-list 3 permit 172.16.0.254 --- Permit Internet
(Config)# vlan 300 ip access-group 3 in --- apply ACL 3 to Vlan300
----VLAN400----
(config)# access-list 400 permit ip host 172.16.0.x any --- Permit Server1
(config)# access-list 400 permit ip host 172.16.0.y any --- Permit Server2
(config)# access-list 400 deny ip 172.16.0.21 0.0.255.255 any --- deny Vlan100
(config)# access-list 400 deny ip 192.168.0.1 0.0.0.255 any --- deny Vlan200
(config)# access-list 400 deny ip 10.0.0.1 0.0.1.255 any --- deny Vlan300
(config)# access-list 400 permit ip any any --- permit other traffic
(Config)# vlan 400 ip access-group 400 in --- apply ACL 400 to Vlan400
-----------------------------------------
Now for the laptops, I prefer you reserve an IP address for each on your DHCP server using MAC addresses, and then permit them or deny them from any vlan you want; you just add to each ACL for EACH vlan the permit/deny at the BEGINNING of the ACL.
Example: access-list 3 permit host a.b.c.d
-----------------------------------------
I wish that this information is useful for your setup to make it proper; anyway, if you have anything, let us know :)
Good Luck !!!
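
A way to double-check an ACL like the ones above before applying it, as an added example that is not part of the original thread: a first-match evaluator for `permit|deny ip` entries with wildcard masks, plus a check for entries that an earlier entry already covers. It assumes Server1 and Server2 (172.16.0.1 and 172.16.0.2 in the thread) in place of the `172.16.0.x`/`.y` placeholders; all function names are made up for this example.

```python
import ipaddress

FULL = 0xFFFFFFFF
# ACL 200 from the post above; the 172.16.0.x / .y placeholders are replaced
# with Server1/Server2 from the thread (assumption made for this example).
ACL_200 = """\
access-list 200 permit ip host 172.16.0.1 any
access-list 200 permit ip host 172.16.0.2 any
access-list 200 deny ip 172.16.0.21 0.0.255.255 any
access-list 200 deny ip 10.0.0.1 0.0.1.255 any
access-list 200 deny ip 172.16.0.1 0.0.0.255 any
access-list 200 permit ip any any
""".splitlines()

def u32(addr):
    return int(ipaddress.IPv4Address(addr))

def spec(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard), rest)."""
    if tok and tok[0] == "any":
        return (0, FULL), tok[1:]
    if len(tok) >= 2 and tok[0] == "host":
        return (u32(tok[1]), 0), tok[2:]
    if len(tok) >= 2:
        return (u32(tok[0]), u32(tok[1])), tok[2:]
    raise ValueError("missing or incomplete address spec")

def parse(line):
    action, proto, *rest = line.split()[2:]      # skip 'access-list <id>'
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported entry: " + line)
    src, rest = spec(rest)
    dst, rest = spec(rest)                       # raises if the destination is absent
    return action, src, dst

def hits(s, ip):
    care = ~s[1] & FULL                          # wildcard bit 1 = "don't care"
    return (u32(ip) & care) == (s[0] & care)

def first_match(acl, src, dst):
    """Return (entry number, action) of the first entry matching src -> dst."""
    for n, (action, s, d) in enumerate(acl, 1):
        if hits(s, src) and hits(d, dst):
            return n, action
    return None, "deny"                          # implicit deny ends every ACL

def covers(a, b):
    """True when every address matched by spec b is also matched by spec a."""
    care = ~a[1] & FULL
    return (care & b[1]) == 0 and (a[0] & care) == (b[0] & care)

def shadowed(acl):
    """Pairs (entry, earlier entry) where the earlier entry already covers the later one."""
    return [(j, i) for j, (_, sj, dj) in enumerate(acl, 1)
            for i, (_, si, di) in enumerate(acl[:j - 1], 1)
            if covers(si, sj) and covers(di, dj)]

RULES = [parse(line) for line in ACL_200]
```

For ACL 200, `shadowed(RULES)` returns `[(5, 3)]`: the 0.0.0.255 "deny Vlan400" entry sits entirely inside the 0.0.255.255 "deny Vlan100" entry, which is the VLAN100/VLAN400 subnet overlap pointed out earlier in the thread.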