
Re: VLAN Help Tagging/Untagging
Chris Boundey
Advisor

Re: VLAN Help Tagging/Untagging

Also, your step 3 in your 2nd config...

3- Enable Route to Internet:
(config)# ip route 0.0.0.0 0.0.0.0 192.168.10.254

Could we change that router IP to be 172.16.0.254

This is the IP of our router/gateway.

Would this work?
Mohieddin Kharnoub
Honored Contributor

Re: VLAN Help Tagging/Untagging

Hi

Thanks for checking after me; see, no one is perfect. Of course you should change the command (config)# ip route 0.0.0.0 0.0.0.0 192.168.10.254 to (config)# ip route 0.0.0.0 0.0.0.0 172.16.0.254 -- my mistake.

Now, for the servers: YES, definitely you can keep them with their existing IP addresses, but in this case the ACL will be more complicated, so what I need from you is:
the IP addresses of every server you want people to access, so I can modify the ACLs and exclude these servers to permit them.

Again, points are our thanks :)

Good Luck !!!

Science for Everyone
Mohieddin Kharnoub
Honored Contributor

Re: VLAN Help Tagging/Untagging

Hi Chris

I have changed a lot in the configuration, so delete the old config file and check this one, and follow it step by step from Edge to Core to Internet Router; all the sections changed.

Remember, no one is perfect :)

Good Luck !!!
Science for Everyone
Matt Hobbs
Honored Contributor

Re: VLAN Help Tagging/Untagging

I would try and avoid using the overlapping addresses on VLAN 400:

VLAN100 = 172.16.0.X/16
VLAN400 = 172.16.0.X/24

For VLAN 400 I would use another subnet such as 192.168.1.0/24 instead.
Chris Boundey
Advisor

Re: VLAN Help Tagging/Untagging

Hi Mohieddin,

Once again, thanks for your time in helping me out on this. Great help so far!!

Anyways... my Server IP's are as follows...

Server1 = 172.16.0.1 - Port E1 - Access needed from VLAN100, VLAN200 and VLAN400

Server2 = 172.16.0.2 - Port E2 - Access needed from VLAN100, VLAN200 and VLAN400

Office/Admin Server = 192.168.0.1 - Port E3 - Access only needed from VLAN200

E-Mail Server = 172.16.0.5 - Port E4 - Access needed from ALL VLANs.

Proxy1 = 172.16.0.253 - Port C1 - Access needed from ALL VLANs.

Proxy2/Internet Gateway = 172.16.0.254 - Port C2 - Access needed from ALL VLANs.

Web Development Server = 172.16.0.9 - Port C3 - Access needed from ALL VLANs.

Multimedia Server = 172.16.0.17 - Port C4 - Access needed from ALL VLANs.

Content Filtering Server = 172.16.0.7 - Port C5 - Access needed from just VLAN100.

WAP Server (DHCP) = 10.0.0.1 - Port D19 - Access from just VLAN300.


All VLANs need internet access too.

Really hope this helps you out more. If you need more info, please let me know and i can supply more.

Again, thanks very much for the time and effort. :-)

Mohieddin Kharnoub
Honored Contributor

Re: VLAN Help Tagging/Untagging

Hi

I guess then I have to rebuild the ACLs from the beginning, but I think the configuration is correct, and since I explained to you how to do it, you had better start doing the configuration.

I will work on the ACL and will get back to you soon; meanwhile you can test the latest configuration I attached without applying the ACL. Leave this until I update you with the latest :)

Good Luck !!!
Science for Everyone
Mohieddin Kharnoub
Honored Contributor

Re: VLAN Help Tagging/Untagging

And I would recommend what Matt already did: change the IP address of Vlan400 to avoid overlapping.
I noticed most of your servers are in Vlan400, so do you think changing is OK with you ???

Inform me so i can build the ACLs

good luck !!!
Science for Everyone
Chris Boundey
Advisor

Re: VLAN Help Tagging/Untagging

Will do... thank you very much!

One other little hurdle I have come up with is our access points. The way we wish to set them up is so that VLAN300 is totally separate from the rest of the network, with only access to the "WAP Server (DHCP) = 10.0.0.1 - Port D19" and the Internet Gateway (172.16.0.254 on VLAN100). But the problem is we have 10 laptops which need to join VLAN100, as they use Server1 (on VLAN100) for their DHCP instead of the 'WAP Server' (on VLAN300).

So is there any way of just letting those 10 laptops access VLAN100 and denying the rest of the laptops? MAC address method or anything like that?

Sorry for confusing matters further... it just seems to get more complex. :-(
Chris Boundey
Advisor

Re: VLAN Help Tagging/Untagging

Hi Mohieddin,

Most of the servers are all in VLAN100 on the 172.16.0.x/16 range.
Mohieddin Kharnoub
Honored Contributor

Re: VLAN Help Tagging/Untagging

Hi

I prepared the new ACLs that fit your requirements, but PLEASE double-check them and let us know if you have any problem with them:

----VLAN100----

(config)# access-list 100 permit ip any host 172.16.0.x --- permit Server1
(config)# access-list 100 permit ip any host 172.16.0.y --- permit Server2

(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 any --- deny Vlan200 (network address + wildcard mask)
(config)# access-list 100 deny ip 10.0.0.0 0.0.1.255 any --- deny Vlan300
(config)# access-list 100 deny ip 172.16.0.0 0.0.0.255 any --- deny Vlan400
(config)# access-list 100 permit ip any any --- permit other traffic (without this, the implicit deny at the end drops it)
(config)# vlan 100 ip access-group 100 in --- apply ACL 100 inbound on Vlan100

----VLAN200----

(config)# access-list 200 permit ip host 172.16.0.x any --- permit Server1
(config)# access-list 200 permit ip host 172.16.0.y any --- permit Server2

(config)# access-list 200 deny ip 172.16.0.0 0.0.255.255 any --- deny Vlan100
(config)# access-list 200 deny ip 10.0.0.0 0.0.1.255 any --- deny Vlan300
(config)# access-list 200 deny ip 172.16.0.0 0.0.0.255 any --- deny Vlan400
(config)# access-list 200 permit ip any any --- permit other traffic
(config)# vlan 200 ip access-group 200 in --- apply ACL 200 inbound on Vlan200

----VLAN300----

The DHCP server is already reachable from Vlan300 since it is in the same Vlan; we need to permit only Internet:

(config)# access-list 3 permit 172.16.0.254 --- permit Internet (standard ACL; anything not listed hits the implicit deny)
(config)# vlan 300 ip access-group 3 in --- apply ACL 3 inbound on Vlan300

----VLAN400----

(config)# access-list 400 permit ip host 172.16.0.x any --- permit Server1
(config)# access-list 400 permit ip host 172.16.0.y any --- permit Server2

(config)# access-list 400 deny ip 172.16.0.0 0.0.255.255 any --- deny Vlan100
(config)# access-list 400 deny ip 192.168.0.0 0.0.0.255 any --- deny Vlan200
(config)# access-list 400 deny ip 10.0.0.0 0.0.1.255 any --- deny Vlan300
(config)# access-list 400 permit ip any any --- permit other traffic (source and destination are both required)
(config)# vlan 400 ip access-group 400 in --- apply ACL 400 inbound on Vlan400
-----------------------------------------

Now for the laptops, I prefer that you reserve an IP address for each one on your DHCP server using MAC addresses, and then permit or deny them from any VLAN you want; you just add the permit/deny for them to the ACL of EACH VLAN, at the BEGINNING of the ACL.

Example: access-list 3 permit host a.b.c.d
-----------------------------------------

I hope this information is useful for making your setup proper; anyway, if you have anything else, let us know :)

Good Luck !!!
Science for Everyone
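To see what access-lists written in the syntax above actually match before applying them, here is a small first-match ACL evaluator. It is an added example and not code from any post in this thread: it parses the thread's access-list lines, applies wildcard-mask matching (a 0 bit in the mask must match the base address) with the implicit deny at the end of every list, and runs a few constructed flows through transcriptions of the VLAN 100 and VLAN 300 lists. Assumptions: the x/y placeholders stand for Server1 and Server2 (172.16.0.1 and 172.16.0.2 from Chris's list), the host addresses 172.16.0.50, 172.16.5.5 and 10.0.0.20 are made up for the probes, and the model ignores the device's distinction between routed and switched traffic.

```python
"""First-match IPv4 ACL evaluator for the access-list syntax used in this thread.
Added example, not part of the original posts. Assumptions: x/y placeholders are
172.16.0.1 / 172.16.0.2 (Server1/Server2 from the thread); wildcard-mask matching;
an implicit 'deny' terminates every list; routed vs. switched traffic is ignored."""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # base 0.0.0.0 with wildcard 255.255.255.255 matches everything


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _is_ip(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any' | 'host A' | 'A WILDCARD' | 'A'.
    Returns ((base, wildcard), index of the next token); a bare 'A' is a single host."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    base = _ip(tok)
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return (base, _ip(tokens[i + 1])), i + 2
    return (base, 0), i + 1


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' (extended) or
    'access-list N permit|deny SRC' (standard: source address only).
    The '(config)#' prompt and any trailing '--- comment' are ignored."""
    body = line.split("---")[0].replace("(config)#", "").strip()
    t = body.split()
    if not t or t[0] != "access-list":
        raise ValueError(f"not an ACL entry: {line!r}")
    acl_id, action = t[1], t[2]
    if t[3] == "ip":
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
    else:
        src, _ = _parse_addr(t, 3)
        dst = ANY
    return {"acl": acl_id, "action": action, "src": src, "dst": dst}


def matches(spec, addr):
    """Wildcard match: every bit that is 0 in the wildcard must equal the base."""
    base, wildcard = spec
    keep = ~wildcard & 0xFFFFFFFF
    return (addr & keep) == (base & keep)


def evaluate(aces, src, dst):
    """The first matching entry wins; no match falls through to the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if matches(ace["src"], s) and matches(ace["dst"], d):
            return ace["action"]
    return "deny"


# Transcribed from the VLAN 100 and VLAN 300 sections of the post above,
# with x/y filled in as 172.16.0.1 and 172.16.0.2 (assumption, see lead-in).
VLAN100_ACL = [parse_ace(l) for l in [
    "(config)# access-list 100 permit ip any host 172.16.0.1 --- Permit Server1",
    "(config)# access-list 100 permit ip any host 172.16.0.2 --- Permit Server2",
    "(config)# access-list 100 deny ip 192.168.0.1 0.0.0.255 any --- deny Vlan200",
    "(config)# access-list 100 deny ip 10.0.0.1 0.0.1.255 any --- deny Vlan300",
    "(config)# access-list 100 deny ip 172.16.0.1 0.0.0.255 any --- deny Vlan400",
    "(config)# access-list 100 permit ip any any --- permit other traffic",
]]
VLAN300_ACL = [parse_ace("(config)# access-list 3 permit 172.16.0.254 --- Permit Internet")]


def decisions():
    """Constructed probe flows (host addresses are made up) run through the lists."""
    probes = [
        ("VLAN100 host 172.16.0.50 -> Server1 172.16.0.1", VLAN100_ACL, "172.16.0.50", "172.16.0.1"),
        ("VLAN100 host 172.16.0.50 -> 192.168.0.1 (inside the /24 deny)", VLAN100_ACL, "172.16.0.50", "192.168.0.1"),
        ("VLAN100 host 172.16.5.5 -> 192.168.0.1 (outside the /24)", VLAN100_ACL, "172.16.5.5", "192.168.0.1"),
        ("VLAN300 laptop 10.0.0.20 -> gateway 172.16.0.254", VLAN300_ACL, "10.0.0.20", "172.16.0.254"),
        ("gateway 172.16.0.254 -> laptop 10.0.0.20 (ACL 3 checks source only)", VLAN300_ACL, "172.16.0.254", "10.0.0.20"),
    ]
    return [(label, evaluate(acl, s, d)) for label, acl, s, d in probes]


if __name__ == "__main__":
    for label, verdict in decisions():
        print(f"{verdict:6} {label}")
```

Two things the run makes visible. Because VLAN 100 is 172.16.0.0/16 while the "deny Vlan400" entry covers 172.16.0.0/24, a VLAN 100 host inside that /24 is denied by its own VLAN's list for anything but Server1 and Server2, while a host outside the /24 is permitted; that is the address overlap Matt pointed out. And a standard access-list such as ACL 3 matches only the source address, so under this model a laptop at 10.0.0.20 sending to 172.16.0.254 falls through to the implicit deny, while traffic sourced from 172.16.0.254 is what the entry permits. Both are worth checking against the intended policy before the lists go live.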