Vlan on Catalyst 3750

QuikeyMan_2
Level 1

I have created a new vlan, vlan 5, on a catalyst 3750 including 3 ports. Only ports on this switch will be in this vlan. My next step, or so I thought, would be to assign an ip address to this vlan. With this in mind, do I have to create an additional subnet for this vlan?

Vlan 5 will have ip phones and the phone server on it, nothing more. I would like to be able to access the web interface of the phone server from outside of vlan 5. I would also like the phone server to have access to a gateway. The phones should only need to communicate with the phone server. Any thoughts on how best to accomplish this would be appreciated.


Jon Marshall
Hall of Fame

Hi

Yes you need to use a new IP subnet. So for example

int vlan 5
 ip address 192.168.5.1 255.255.255.240
 no shut

Each device in vlan 5 should be given an address from the 192.168.5.0/28 subnet. The default gateway of the devices will be 192.168.5.1.

Then

access-list 101 permit tcp any host eq http
access-list 102 permit tcp/udp host host eq "port num"

int vlan 5
 ip access-group 101 out
 ip access-group 102 in

Couple of things

1) You need to define tcp/udp and port nums for access-list 102.

2) There is an explicit deny at the end of each access-list so these are only allowing the traffic you said you wanted. If other traffic is needed you will need to add this in to the access-list.

HTH

Jon

I do not know where to begin to create an additional subnet. Our network currently consists of one. Do I need to figure out the host range of the current subnet, and then base the new subnet off that?

Okay we need to be a bit careful as we don't want to break your existing network.

What is the subnet range on your existing network?

Can you post the config of your 3750 switch?

Jon

How would I determine the subnet range? Would I use the private address and subnet mask of the router?

Which router? Do you have a router separate from the 3750 switch?

You can go onto one of your clients and, assuming it is Windows of some sort, type "ipconfig" at the cmd prompt and post the result.

We really need to understand your network layout though otherwise any suggestions made could end up breaking what you already have.

Jon

Host range 172.20.4.1 - 172.20.7.254 given my private ip of 172.20.5.151 255.255.252.0.

Given the current host range, how would I go about setting up an additional subnet?

Given the current subnet ranges from 172.20.4.1 - 172.20.7.254, I used the same subnet mask and now have an additional subnet with the range of 172.20.8.1 - 172.20.11.254. I then set the ip address of vlan5 to 172.20.8.98/22.
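Added example, not part of the original thread: a Python check of the arithmetic in the posts above. It derives the existing range from the posted 172.20.5.151 255.255.252.0, finds the next block of the same size that does not overlap it, and sizes a smaller subnet for a given device count. The function names and the device count of 14 are assumptions made for this illustration.

```python
import ipaddress

def describe(host_ip, mask):
    """Return (network, first usable host, last usable host) for a host's settings."""
    net = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    return net, net[1], net[-2]

def next_free_block(existing, prefixlen, in_use=()):
    """First block of the given size above `existing` that overlaps nothing known."""
    size = 2 ** (32 - prefixlen)
    start = int(existing.broadcast_address) + 1
    start = (start + size - 1) // size * size      # align to the block size
    while start + size <= 2 ** 32:
        cand = ipaddress.ip_network((start, prefixlen))
        if not any(cand.overlaps(n) for n in (existing, *in_use)):
            return cand
        start += size
    raise ValueError("no free block above the existing subnet")

def smallest_prefix_for(devices):
    """Longest prefix whose usable range fits `devices` addresses.

    `devices` counts every address needed, including the SVI/gateway;
    the network and broadcast addresses are added on top.
    """
    return 32 - (devices + 1).bit_length()

if __name__ == "__main__":
    # Values taken from the thread; 14 devices is an assumed count.
    current, first, last = describe("172.20.5.151", "255.255.252.0")
    print("existing:", current, first, "-", last)

    new = next_free_block(current, current.prefixlen)
    print("next /22:", new, new[1], "-", new[-2])
    print("SVI 172.20.8.98 inside new block:",
          ipaddress.ip_address("172.20.8.98") in new)

    prefix = smallest_prefix_for(14)
    print("right-sized block for 14 addresses:",
          next_free_block(current, prefix))
```

A /22 reserves 1022 addresses for a VLAN that holds a few phones and one server; the last line shows the /28 that the same address space would support.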

Here is the requested config, keep in mind IP address associated with vlan 5 was added later today.

1535-SW01>en

Password:

1535-SW01#sh run

Building configuration...

Current configuration : 3742 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname 1535-SW01

!

enable secret 5 $12345$

enable password

!

no aaa new-model

ip subnet-zero

ip routing

!

ip dhcp snooping

!

!

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface GigabitEthernet0/1

spanning-tree portfast

!

interface GigabitEthernet0/2

spanning-tree portfast

!

interface GigabitEthernet0/3

spanning-tree portfast

!

interface GigabitEthernet0/4

spanning-tree portfast

!

interface GigabitEthernet0/5

spanning-tree portfast

!

interface GigabitEthernet0/6

spanning-tree portfast

!

interface GigabitEthernet0/7

spanning-tree portfast

!

interface GigabitEthernet0/8

spanning-tree portfast

!

interface GigabitEthernet0/9

spanning-tree portfast

!

interface GigabitEthernet0/10

spanning-tree portfast

!

interface GigabitEthernet0/11

spanning-tree portfast

!

interface GigabitEthernet0/12

spanning-tree portfast

!

interface GigabitEthernet0/13

spanning-tree portfast

!

interface GigabitEthernet0/14

spanning-tree portfast

!

interface GigabitEthernet0/15

spanning-tree portfast

!

interface GigabitEthernet0/16

spanning-tree portfast

!

interface GigabitEthernet0/17

spanning-tree portfast

!

interface GigabitEthernet0/18

spanning-tree portfast

!

interface GigabitEthernet0/19

spanning-tree portfast

!

interface GigabitEthernet0/20

spanning-tree portfast

!

interface GigabitEthernet0/21

spanning-tree portfast

!

interface GigabitEthernet0/22

spanning-tree portfast

!

interface GigabitEthernet0/23

spanning-tree portfast

!

interface GigabitEthernet0/24

spanning-tree portfast

!

interface GigabitEthernet0/25

spanning-tree portfast

!

interface GigabitEthernet0/26

spanning-tree portfast

!

interface GigabitEthernet0/27

spanning-tree portfast

!

interface GigabitEthernet0/28

spanning-tree portfast

!

interface GigabitEthernet0/29

spanning-tree portfast

!

interface GigabitEthernet0/30

spanning-tree portfast

!

interface GigabitEthernet0/31

switchport access vlan 5

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/32

spanning-tree portfast

!

interface GigabitEthernet0/33

spanning-tree portfast

!

interface GigabitEthernet0/34

spanning-tree portfast

!

interface GigabitEthernet0/35

spanning-tree portfast

!

interface GigabitEthernet0/36

spanning-tree portfast

!

interface GigabitEthernet0/37

spanning-tree portfast

!

interface GigabitEthernet0/38

spanning-tree portfast

!

interface GigabitEthernet0/39

spanning-tree portfast

!

interface GigabitEthernet0/40

spanning-tree portfast

!

interface GigabitEthernet0/41

spanning-tree portfast

!

interface GigabitEthernet0/42

spanning-tree portfast

!

interface GigabitEthernet0/43

switchport access vlan 5

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/44

spanning-tree portfast

!

interface GigabitEthernet0/45

spanning-tree portfast

!

interface GigabitEthernet0/46

spanning-tree portfast

!

interface GigabitEthernet0/47

spanning-tree portfast

!

interface GigabitEthernet0/48

switchport access vlan 5

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/49

!

interface GigabitEthernet0/50

!

interface GigabitEthernet0/51

!

interface GigabitEthernet0/52

!

interface Vlan1

ip address 172.20.4.98 255.255.252.0

!

interface Vlan5

ip address 172.20.8.98 255.255.252.0

ip access-group 101 out

!

interface Vlan10

no ip address

!

ip classless

ip http server

!

access-list 101 permit tcp any host 172.20.8.17 eq www

!

control-plane

!

!

line con 0

line vty 0 4

password keytag!

no login

line vty 5 15

password keytag!

no login

!

end

1535-SW01#
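Added example, not part of the original thread: a small first-match evaluator in Python that runs the posted access-list 101 (applied outbound on Vlan5) against a few constructed flows, to show which routed traffic into VLAN 5 falls through to the deny at the end of the list. The parser only handles the ACE form used on this page; the flows, the 203.0.113.10 address and the function names are assumptions for illustration.

```python
import ipaddress

PORTS = {"www": 80, "http": 80}          # port names that appear in this thread

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address form: {t}")

def parse_ace(line):
    """Parse: access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]"""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, dst = _addr(rest), _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORTS.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], f"line {n}"
    return "deny", "implicit deny"

# ACL exactly as posted in the running config above.
ACL_101 = [parse_ace("access-list 101 permit tcp any host 172.20.8.17 eq www")]

# Constructed flows, all routed out of interface Vlan5 toward 172.20.8.17.
FLOWS = [
    ("web UI from VLAN 1",        "tcp",  "172.20.5.151", "172.20.8.17", 80),
    ("HTTPS from VLAN 1",         "tcp",  "172.20.5.151", "172.20.8.17", 443),
    ("ping from VLAN 1",          "icmp", "172.20.5.151", "172.20.8.17", None),
    ("reply to server's own UDP", "udp",  "203.0.113.10", "172.20.8.17", 49152),
]

def audit(aces=ACL_101, flows=FLOWS):
    return [(name, *evaluate(aces, p, s, d, dp)) for name, p, s, d, dp in flows]

if __name__ == "__main__":
    for name, verdict, why in audit():
        print(f"{verdict:6} {why:13} {name}")
```

Traffic between the phones and the server stays inside VLAN 5 and is switched, so this routed ACL never sees it; the last flow shows that return traffic for sessions the server opens through its gateway is dropped unless an entry permits it.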

evsrajatgupta
Level 1

Hi QuikeyMan,

I do agree with Jon, as per the Cisco guidelines (per VLAN per subnet).

But things do work otherwise, like many VLANs per subnet, e.g. a subnet 192.168.0.0/22.

We can have vlan ip address as 192.168.1.1/22 and 192.168.2.0/22 and so on.

You can also use the DHCP server for the IP phone. Use the command IP helper address. Do remember you have to follow the per-scope-per-VLAN rule on the DHCP server.

One more thing: I think you can access the web interface of the IP phone without the ACL. I have worked with Cisco 7940 and 7960 IP phones. And to access the ser to type http://ip address of the Phone. I have never configured anything on the switch for it.

QuikeyMan_2
Level 1

To give more information as to how our network is set up:

We have a Cisco 2801 router with an ASA5510 as our firewall. There are 4 Catalyst 3750 switches on our network. I am only concerned with creating a vlan utilizing ports on one switch.
