I have a single server to which I need to limit access. Without completely tearing down and rebuilding my network with proper segmentation (which I plan on doing next year) is there a way I can do this with my current equipment and layout? I have:
* 1 subnet (192.168.0.1) for LAN which includes servers, printers, and PCs
* 3548XL Catalyst switches
* 1 2811 router
Then things are a lot simpler.
Do you know which vlan all the ports are in on your 3548 switch? Please post the output of
3548# sh vlan
To then create a new vlan that is routed, these are the basic steps:
1) Choose a new IP subnet - e.g. 192.168.5.0/24
2) Allocate .1 from that subnet onto the fe0/1 interface on your 2811:
2811(config)# interface FastEthernet0/1
2811(config-if)# ip address 192.168.5.1 255.255.255.0
3) Create a new L2 vlan on your 3548 switch - we'll use vlan 2 as an example:
3548# vlan database
3548(vlan)# vlan 2 name server_vlan
3548(vlan)# exit
4) Allocate the port on the switch that the 2811 fe0/1 interface connects to into vlan 2 (select that port first; <port> is the port number on your switch):
3548(config)# interface FastEthernet0/<port>
3548(config-if)# switchport access vlan 2
5) For any machines you want to move into vlan 2, repeat step 4 for the ports that these machines connect to.
These machines will need an IP address from the 192.168.5.x range and will have their default gateway set to 192.168.5.1 (the fe0/1 interface on the 2811).
After that you can then use extended access-lists to control traffic between your two vlans; these access-lists would be applied to the 2811 interface.
If you need help with the access-lists once you have done the above let us know.
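As an added example (not part of the reply above), here is one way the extended access-list from the last step could look on the 2811, assuming the server is 192.168.5.10, the only workstation that should reach it is 192.168.0.50 (both placeholder addresses), and fe0/1 faces the new server vlan:

```cisco
! Added example, not the original poster's config. Placeholder addresses:
!   192.168.5.10  = the server that needs restricted access
!   192.168.0.50  = the one LAN workstation allowed to reach it
ip access-list extended SERVER_VLAN_OUT
 remark Only the admin workstation may open RDP and HTTPS to the server
 permit tcp host 192.168.0.50 host 192.168.5.10 eq 3389
 permit tcp host 192.168.0.50 host 192.168.5.10 eq 443
 remark Allow return traffic for connections the server vlan itself initiated
 permit tcp 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255 established
 remark Allow ping from the LAN for troubleshooting
 permit icmp 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255 echo
 remark Everything else from the LAN into the server vlan is dropped and logged
 deny ip any any log
!
interface FastEthernet0/1
 description Server vlan 2 (192.168.5.0/24)
 ip address 192.168.5.1 255.255.255.0
 ip access-group SERVER_VLAN_OUT out
 no shutdown
!
! Verify hit counts after testing from an allowed and a blocked host:
!   show access-lists SERVER_VLAN_OUT
!   show ip interface FastEthernet0/1
```

Applying the list outbound on fe0/1 filters everything the router forwards into vlan 2, so any other host you later move into that vlan is covered by the same rules; add explicit permit lines for it before the final deny.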