Separate LANs

Unanswered Question
Oct 10th, 2008


I am fairly new to Cisco, but I think I'm now in a position where I'm ready to make a network. I am required to set up the following:

1. Office Network

2. Web Network

Both networks must be on separate IP ranges. I want my office network to be able to talk to my Web network, but my Web network should not be able to talk to my Office network.

I will set it up so that people externally can access the web network.

We currently have no Cisco equipment in my workplace, but I intend to purchase a Cisco switch and segment that into VLANs, and a Cisco router so that I can manage what traffic gets through to my Web network. Does this sound feasible?



Gerald Vogt Fri, 10/10/2008 - 03:29

Yes. That is how you can do it. You set up two VLANs with two IP subnets. On the router you filter traffic between the office and web network. You could use the CBAC firewall or zone-based firewall depending on the router and IOS version.

If you have a public subnet available you can use this for the web network. If you have to use private IP addresses you set up NAT and static PAT for the access to the web network from the internet.

You do not even need a VLAN switch for this purpose. A single VLAN router could be enough. You can run each VLAN from different ports on the router. Of course, then you always have to check where you connect a device to make sure it goes into the correct VLAN, so a VLAN switch may come in handy.

awdscot83 Fri, 10/10/2008 - 04:29

Thanks for the reply.

What sort of single VLAN router would do this job, and what sort of VLAN router should I go for in general?

Are these firewall options both built into most Cisco routers?

Thanks for your reply, much appreciated. Is there anywhere in particular I could look/find details about a similar setup?

Gerald Vogt Fri, 10/10/2008 - 18:42

The best place to ask would be a Cisco partner or wherever you want to buy the devices.

I have a 1812 router and I know you can set it up on that. I think the 800 series should do it, too.

The zone-based firewall was only recently added in the IOS 12.4T. CBAC firewall should be in all versions you can buy today.

All the documentation for the Cisco routers is available online. Search for zone-based firewall or cbac. Some quick pointers:

Look for "DMZ" in both. The second page is very long. See the "Ethernet Interface Configuration Example" for a start. CBAC has a lot of configuration options but that example shows the basic setup which is fairly easy and simple to understand.
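
A sketch of the one-way Office-to-Web policy discussed in this thread, using CBAC on a router with one trunk to a VLAN switch. This is an added example, not a configuration posted by anyone in the thread; the interface name, VLAN IDs, subnets, and the names OFFICE-TO-WEB and WEB-IN are assumptions chosen for illustration.

```cisco
! Constructed example: interface, VLAN IDs and addresses are assumptions.
!
! CBAC rule set: track sessions that the Office side initiates.
ip inspect name OFFICE-TO-WEB tcp
ip inspect name OFFICE-TO-WEB udp
ip inspect name OFFICE-TO-WEB icmp
!
! Office VLAN: inspect traffic as it enters the router from Office hosts.
interface FastEthernet0.10
 description Office VLAN
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip inspect OFFICE-TO-WEB in
!
! Web VLAN: filter everything the web servers send into the router.
interface FastEthernet0.20
 description Web VLAN
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group WEB-IN in
!
! Web hosts may not open sessions toward Office. Replies to sessions
! that Office started still pass, because CBAC inserts temporary
! permit entries ahead of this deny for each inspected session.
ip access-list extended WEB-IN
 remark Block Web-initiated traffic to the Office subnet
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 remark Allow the web servers to answer clients elsewhere
 permit ip any any
```

After applying a policy like this, `show ip inspect sessions` lists the Office-initiated sessions CBAC is tracking, and the hit counter on the deny line in `show ip access-lists WEB-IN` shows any attempts from the Web subnet to reach Office hosts.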

