03-26-2008 06:19 AM - edited 03-05-2019 09:59 PM
I have created a new vlan, vlan 5, on a catalyst 3750 including 3 ports. Only ports on this switch will be in this vlan. My next step, or so I thought, would be to assign an ip address to this vlan. With this in mind, do I have to create an additional subnet for this vlan?
Vlan 5 will have ip phones and the phone server on it, nothing more. I would like to be able to access the web interface of the phone server from outside of vlan 5. I would also like the phone server to have access to a gateway. The phones should only need to communicate with the phone server. Any thoughts on how best to accomplish this would be appreciated.
03-26-2008 06:26 AM
Hi
Yes you need to use a new IP subnet. So for example
int vlan 5
ip address 192.168.5.1 255.255.255.240
no shut
Each device in vlan 5 should be given an address from the 192.168.5.0/28 subnet. Default-gateway of devices will be 192.168.5.1.
Then
access-list 101 permit tcp any host
access-list 102 permit tcp/udp host
int vlan 5
ip access-group 101 out
ip access-group 102 in
Couple of things
1) You need to define tcp/udp and port nums for access-list 102.
2) There is an explicit deny at the end of each access-list so these are only allowing the traffic you said you wanted. If other traffic is needed you will need to add this in to the access-list.
HTH
Jon
03-26-2008 06:41 AM
I do not know where to begin to create an additional subnet. Our network currently consists of one. Do I need to figure out the host range of the current subnet, and then base the new subnet off that?
03-26-2008 06:49 AM
Okay we need to be a bit careful as we don't want to break your existing network.
What is the subnet range on your existing network?
Can you post the config of your 3750 switch?
Jon
03-26-2008 07:21 AM
How would I determine the subnet range? Would I use the private address and subnet mask of the router?
03-26-2008 07:24 AM
Which router? Do you have a separate router from the 3750 switch?
You can go onto one of your clients and assuming it is windows of some sort at the cmd prompt type "ipconfig" and post result.
We really need to understand your network layout though otherwise any suggestions made could end up breaking what you already have.
Jon
03-26-2008 07:29 AM
Host range 172.20.4.1 - 172.20.7.254 given my private ip of 172.20.5.151 255.255.252.0.
03-26-2008 08:30 AM
Given the current host range, how would I go about setting up an additional subnet?
03-26-2008 11:25 AM
Given the current subnet ranges from 172.20.4.1 - 172.20.7.254, I used the same subnet mask and now have an additional subnet with the range of 172.20.8.1 - 172.20.11.254. I then set the ip address of vlan5 to 172.20.8.98/22.
03-26-2008 01:46 PM
Here is the requested config, keep in mind IP address associated with vlan 5 was added later today.
1535-SW01>en
Password:
1535-SW01#sh run
Building configuration...
Current configuration : 3742 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1535-SW01
!
enable secret 5 $12345$
enable password
!
no aaa new-model
ip subnet-zero
ip routing
!
ip dhcp snooping
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
spanning-tree portfast
!
interface GigabitEthernet0/2
spanning-tree portfast
!
interface GigabitEthernet0/3
spanning-tree portfast
!
interface GigabitEthernet0/4
spanning-tree portfast
!
interface GigabitEthernet0/5
spanning-tree portfast
!
interface GigabitEthernet0/6
spanning-tree portfast
!
interface GigabitEthernet0/7
spanning-tree portfast
!
interface GigabitEthernet0/8
spanning-tree portfast
!
interface GigabitEthernet0/9
spanning-tree portfast
!
interface GigabitEthernet0/10
spanning-tree portfast
!
interface GigabitEthernet0/11
spanning-tree portfast
!
interface GigabitEthernet0/12
spanning-tree portfast
!
interface GigabitEthernet0/13
spanning-tree portfast
!
interface GigabitEthernet0/14
spanning-tree portfast
!
interface GigabitEthernet0/15
spanning-tree portfast
!
interface GigabitEthernet0/16
spanning-tree portfast
!
interface GigabitEthernet0/17
spanning-tree portfast
!
interface GigabitEthernet0/18
spanning-tree portfast
!
interface GigabitEthernet0/19
spanning-tree portfast
!
interface GigabitEthernet0/20
spanning-tree portfast
!
interface GigabitEthernet0/21
spanning-tree portfast
!
interface GigabitEthernet0/22
spanning-tree portfast
!
interface GigabitEthernet0/23
spanning-tree portfast
!
interface GigabitEthernet0/24
spanning-tree portfast
!
interface GigabitEthernet0/25
spanning-tree portfast
!
interface GigabitEthernet0/26
spanning-tree portfast
!
interface GigabitEthernet0/27
spanning-tree portfast
!
interface GigabitEthernet0/28
spanning-tree portfast
!
interface GigabitEthernet0/29
spanning-tree portfast
!
interface GigabitEthernet0/30
spanning-tree portfast
!
interface GigabitEthernet0/31
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/32
spanning-tree portfast
!
interface GigabitEthernet0/33
spanning-tree portfast
!
interface GigabitEthernet0/34
spanning-tree portfast
!
interface GigabitEthernet0/35
spanning-tree portfast
!
interface GigabitEthernet0/36
spanning-tree portfast
!
interface GigabitEthernet0/37
spanning-tree portfast
!
interface GigabitEthernet0/38
spanning-tree portfast
!
interface GigabitEthernet0/39
spanning-tree portfast
!
interface GigabitEthernet0/40
spanning-tree portfast
!
interface GigabitEthernet0/41
spanning-tree portfast
!
interface GigabitEthernet0/42
spanning-tree portfast
!
interface GigabitEthernet0/43
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/44
spanning-tree portfast
!
interface GigabitEthernet0/45
spanning-tree portfast
!
interface GigabitEthernet0/46
spanning-tree portfast
!
interface GigabitEthernet0/47
spanning-tree portfast
!
interface GigabitEthernet0/48
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
ip address 172.20.4.98 255.255.252.0
!
interface Vlan5
ip address 172.20.8.98 255.255.252.0
ip access-group 101 out
!
interface Vlan10
no ip address
!
ip classless
ip http server
!
access-list 101 permit tcp any host 172.20.8.17 eq www
!
control-plane
!
!
line con 0
line vty 0 4
password keytag!
no login
line vty 5 15
password keytag!
no login
!
end
1535-SW01#
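The subnet arithmetic and ACL placement discussed in this thread, as an added example that is not part of any poster's reply. The helper names `host_range`, `parse` and `audit` are hypothetical, and the input is a constructed excerpt of the addressing and ACL lines from the config above.

```python
import ipaddress
import re

# Constructed input: addressing and ACL lines copied from the config posted above.
POSTED = """\
interface Vlan1
 ip address 172.20.4.98 255.255.252.0
interface Vlan5
 ip address 172.20.8.98 255.255.252.0
 ip access-group 101 out
access-list 101 permit tcp any host 172.20.8.17 eq www
"""

def host_range(address, mask):
    """First and last usable host of the subnet that contains address."""
    net = ipaddress.ip_interface(f"{address}/{mask}").network
    return str(net[1]), str(net[-2])

def parse(config):
    """Collect SVI subnets, outbound ACL bindings and ACL destination hosts."""
    svis, out_acls, acl_hosts, current = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            svis[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"ip access-group (\d+) out", line):
            out_acls[current] = m[1]
        elif m := re.match(r"access-list (\d+) permit \S+ any host (\S+)", line):
            acl_hosts.setdefault(m[1], []).append(ipaddress.ip_address(m[2]))
    return svis, out_acls, acl_hosts

def audit(config):
    """Return findings: overlapping SVI subnets, ACL hosts outside the VLAN."""
    svis, out_acls, acl_hosts = parse(config)
    findings, names = [], sorted(svis)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if svis[a].overlaps(svis[b]):
                findings.append(f"{a} {svis[a]} overlaps {b} {svis[b]}")
    for ifname, acl in out_acls.items():
        net = svis.get(ifname)  # None when the SVI has no ip address
        for host in acl_hosts.get(acl, []):
            if net is not None and host not in net:
                findings.append(f"ACL {acl} host {host} is outside {ifname} {net}")
    return findings

if __name__ == "__main__":
    print(host_range("172.20.5.151", "255.255.252.0"))
    print(audit(POSTED) or "no findings")
```
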
03-26-2008 07:08 AM
Hi QuikeyMan,
I do agree with Jon, as per the Cisco guidelines (per VLAN per subnet).
But things do work otherwise, like many VLANs per subnet. E.g. like a subnet 192.168.0.0/22.
We can have VLAN IP addresses as 192.168.1.1/22 and 192.168.2.0/22 and so on.
You can also use the DHCP server for the IP phones. Use the command IP helper address. Do remember you have to follow the per scope per VLAN rule on the DHCP server.
One more thing: I think you can access the web interface of the IP phone without the ACL. I have worked with Cisco 7940 and 7960 IP phones. And to access the ser to type http://ip address of the Phone. I have never configured anything on the switch for it.
03-26-2008 07:54 AM
To give more information as to how our network is set up:
We have a Cisco 2801 router with an ASA5510 as our firewall. There are 4 Catalyst 3750 switches on our network. I am only concerned with creating a VLAN utilizing ports on one switch.