Vlan on Catalyst 3750

Mar 26th, 2008

I have created a new vlan, vlan 5, on a catalyst 3750 including 3 ports. Only ports on this switch will be in this vlan. My next step, or so I thought, would be to assign an ip address to this vlan. With this in mind, do I have to create an additional subnet for this vlan?


Vlan 5 will have ip phones and the phone server on it, nothing more. I would like to be able to access the web interface of the phone server from outside of vlan 5. I would also like the phone server to have access to a gateway. The phones should only need to communicate with the phone server. Any thoughts on how best to accomplish this would be appreciated.

Jon Marshall Wed, 03/26/2008 - 06:26
Hi


Yes you need to use a new IP subnet. So for example


int vlan 5
 ip address 192.168.5.1 255.255.255.240
 no shut


Each device in vlan 5 should be given an address from the 192.168.5.0/28 subnet. The default gateway of the devices will be 192.168.5.1.


Then


access-list 101 permit tcp any host eq http

access-list 102 permit tcp/udp host host eq "port num"

int vlan 5
 ip access-group 101 out
 ip access-group 102 in


Couple of things


1) You need to define tcp/udp and port nums for access-list 102.

2) There is an explicit deny at the end of each access-list so these are only allowing the traffic you said you wanted. If other traffic is needed you will need to add this in to the access-list.


HTH


Jon

QuikeyMan_2 Wed, 03/26/2008 - 06:41

I do not know where to begin to create an additional subnet. Our network currently consists of one. Do I need to figure out the host range of the current subnet, and then base the new subnet off that?

Jon Marshall Wed, 03/26/2008 - 06:49

Okay we need to be a bit careful as we don't want to break your existing network.


What is the subnet range on your existing network?


Can you post the config of your 3750 switch?


Jon

QuikeyMan_2 Wed, 03/26/2008 - 07:21

How would I determine the subnet range? Would I use the private address and subnet mask of the router?

Jon Marshall Wed, 03/26/2008 - 07:24

Which router? Do you have a separate router than the 3750 switch?


You can go onto one of your clients and, assuming it is Windows of some sort, at the cmd prompt type "ipconfig" and post the result.


We really need to understand your network layout though otherwise any suggestions made could end up breaking what you already have.


Jon

QuikeyMan_2 Wed, 03/26/2008 - 07:29

Host range 172.20.4.1 - 172.20.7.254 given my private ip of 172.20.5.151 255.255.252.0.



QuikeyMan_2 Wed, 03/26/2008 - 08:30

Given the current host range, how would I go about setting up an additional subnet?

QuikeyMan_2 Wed, 03/26/2008 - 11:25

Given the current subnet ranges from 172.20.4.1 - 172.20.7.254, I used the same subnet mask and now have an additional subnet with the range of 172.20.8.1 - 172.20.11.254. I then set the ip address of vlan5 to 172.20.8.98/22.
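
An added example (not part of the thread) that reproduces the subnet arithmetic discussed above in Python: it derives the existing range from 172.20.5.151 255.255.252.0, takes the adjacent block of the same size, and checks that the Vlan1 and Vlan5 interface addresses are usable and do not overlap. It assumes 172.20.8.0/22 is not in use elsewhere on the network, which the script cannot verify; the function names are illustrative.

```python
import ipaddress

def describe(addr_mask):
    """Return (network, first_host, last_host) for an 'address/mask' string."""
    net = ipaddress.ip_interface(addr_mask).network
    return net, net.network_address + 1, net.broadcast_address - 1

def next_subnet(existing):
    """Return the block of the same size that starts right after 'existing'."""
    start = existing.network_address + existing.num_addresses
    return ipaddress.ip_network(f"{start}/{existing.prefixlen}")

def check_svis(svis):
    """List problems: an SVI on a network/broadcast address, or overlapping subnets."""
    problems = []
    ifaces = {name: ipaddress.ip_interface(a) for name, a in svis.items()}
    for name, iface in ifaces.items():
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is not a usable host address")
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} overlap")
    return problems

# Addresses taken from the thread: a client's ipconfig output and the two SVIs.
CLIENT = "172.20.5.151/255.255.252.0"
POSTED_SVIS = {
    "Vlan1": "172.20.4.98/255.255.252.0",
    "Vlan5": "172.20.8.98/255.255.252.0",
}

if __name__ == "__main__":
    current, first, last = describe(CLIENT)
    print("existing:", current, first, "-", last)
    new = next_subnet(current)
    print("next    :", new, new.network_address + 1, "-", new.broadcast_address - 1)
    print("problems:", check_svis(POSTED_SVIS) or "none")
```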

QuikeyMan_2 Wed, 03/26/2008 - 13:46

Here is the requested config. Keep in mind the IP address associated with vlan 5 was added later today.



1535-SW01>en
Password:
1535-SW01#sh run
Building configuration...

Current configuration : 3742 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1535-SW01
!
enable secret 5 $12345$
enable password
!
no aaa new-model
ip subnet-zero
ip routing
!
ip dhcp snooping
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 spanning-tree portfast
!
interface GigabitEthernet0/2
 spanning-tree portfast
!
interface GigabitEthernet0/3
 spanning-tree portfast
!
interface GigabitEthernet0/4
 spanning-tree portfast
!
interface GigabitEthernet0/5
 spanning-tree portfast
!
interface GigabitEthernet0/6
 spanning-tree portfast
!
interface GigabitEthernet0/7
 spanning-tree portfast
!
interface GigabitEthernet0/8
 spanning-tree portfast
!
interface GigabitEthernet0/9
 spanning-tree portfast
!
interface GigabitEthernet0/10
 spanning-tree portfast
!
interface GigabitEthernet0/11
 spanning-tree portfast
!
interface GigabitEthernet0/12
 spanning-tree portfast
!
interface GigabitEthernet0/13
 spanning-tree portfast
!
interface GigabitEthernet0/14
 spanning-tree portfast
!
interface GigabitEthernet0/15
 spanning-tree portfast
!
interface GigabitEthernet0/16
 spanning-tree portfast
!
interface GigabitEthernet0/17
 spanning-tree portfast
!
interface GigabitEthernet0/18
 spanning-tree portfast
!
interface GigabitEthernet0/19
 spanning-tree portfast
!
interface GigabitEthernet0/20
 spanning-tree portfast
!
interface GigabitEthernet0/21
 spanning-tree portfast
!
interface GigabitEthernet0/22
 spanning-tree portfast
!
interface GigabitEthernet0/23
 spanning-tree portfast
!
interface GigabitEthernet0/24
 spanning-tree portfast
!
interface GigabitEthernet0/25
 spanning-tree portfast
!
interface GigabitEthernet0/26
 spanning-tree portfast
!
interface GigabitEthernet0/27
 spanning-tree portfast
!
interface GigabitEthernet0/28
 spanning-tree portfast
!
interface GigabitEthernet0/29
 spanning-tree portfast
!
interface GigabitEthernet0/30
 spanning-tree portfast
!
interface GigabitEthernet0/31
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/32
 spanning-tree portfast
!
interface GigabitEthernet0/33
 spanning-tree portfast
!
interface GigabitEthernet0/34
 spanning-tree portfast
!
interface GigabitEthernet0/35
 spanning-tree portfast
!
interface GigabitEthernet0/36
 spanning-tree portfast
!
interface GigabitEthernet0/37
 spanning-tree portfast
!
interface GigabitEthernet0/38
 spanning-tree portfast
!
interface GigabitEthernet0/39
 spanning-tree portfast
!
interface GigabitEthernet0/40
 spanning-tree portfast
!
interface GigabitEthernet0/41
 spanning-tree portfast
!
interface GigabitEthernet0/42
 spanning-tree portfast
!
interface GigabitEthernet0/43
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/44
 spanning-tree portfast
!
interface GigabitEthernet0/45
 spanning-tree portfast
!
interface GigabitEthernet0/46
 spanning-tree portfast
!
interface GigabitEthernet0/47
 spanning-tree portfast
!
interface GigabitEthernet0/48
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
 ip address 172.20.4.98 255.255.252.0
!
interface Vlan5
 ip address 172.20.8.98 255.255.252.0
 ip access-group 101 out
!
interface Vlan10
 no ip address
!
ip classless
ip http server
!
access-list 101 permit tcp any host 172.20.8.17 eq www
!
control-plane
!
!
line con 0
line vty 0 4
 password keytag!
 no login
line vty 5 15
 password keytag!
 no login
!
end

1535-SW01#
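
An added example (not part of the thread): a minimal Python model of how access-list 101 from the posted config is evaluated outbound on interface Vlan5, including the deny that ends every access list. It parses only the `permit|deny PROTO SRC DST [eq PORT]` form; the sample packets are constructed and 172.20.8.20 is a hypothetical phone address.

```python
import ipaddress

PORT_NAMES = {"www": 80}  # IOS shows TCP port 80 as "www"

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A wildcard mask is the bitwise inverse of a netmask (contiguous masks only).
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (subset of IOS syntax)."""
    tokens = line.split()
    ace = {"action": tokens[2], "proto": tokens[3]}
    rest = tokens[4:]
    ace["src"], ace["dst"] = parse_addr(rest), parse_addr(rest)
    ace["port"] = None
    if rest[:1] == ["eq"]:
        ace["port"] = PORT_NAMES.get(rest[1]) or int(rest[1])
    return ace

def evaluate(aces, proto, src, dst, dport):
    """First matching entry wins; a packet matching nothing hits the final deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]
                and ace["port"] in (None, dport)):
            return ace["action"]
    return "deny"

# ACL 101 exactly as it appears in the posted config, applied "out" on interface Vlan5.
ACL_101 = [parse_ace("access-list 101 permit tcp any host 172.20.8.17 eq www")]

# Constructed packets being routed out of Vlan5: (protocol, source, destination, dest port)
SAMPLES = [
    ("tcp", "172.20.5.151", "172.20.8.17", 80),     # workstation to phone server web UI
    ("tcp", "172.20.5.151", "172.20.8.17", 443),    # same server, different port
    ("tcp", "172.20.5.151", "172.20.8.20", 80),     # hypothetical phone address
    ("tcp", "203.0.113.10", "172.20.8.17", 49152),  # reply to a session the server opened
]

def run_samples():
    return [evaluate(ACL_101, *pkt) for pkt in SAMPLES]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()):
        print(verdict, pkt)
```

Only the first sample is permitted. The last one is the return half of a connection the phone server opened through the gateway, and this single-entry list drops it because the ACL keeps no session state.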


evsrajatgupta Wed, 03/26/2008 - 07:08

Hi QuikeyMan,

I do agree with Jon, as per the Cisco guidelines (per Vlan per subnet).

But things do work otherwise, like many Vlans per subnet. E.g. like a subnet 192.168.0.0/22

We can have vlan ip address as 192.168.1.1/22 and 192.168.2.0/22 and so on.


You can also use the DHCP server for the IP Phone. Use the command IP helper address. Do remember you have to follow the PER scope per vlan rule on the DHCP server.


One more thing, I think you can access the web interface of the IP phone without the ACL. I have worked with Cisco 7940 and 7960 IP Phones. And to access the ser to type http://ip address of the Phone. I have never configured anything on the switch for it.


QuikeyMan_2 Wed, 03/26/2008 - 07:54

To give more information as to how our network is set up:


We have a Cisco 2801 router with an ASA5510 as our firewall. There are 4 Catalyst 3750 switches on our network. I am only concerned with creating a vlan utilizing ports on one switch.
