12-05-2008 09:00 AM - edited 03-06-2019 02:49 AM
I have a single server to which I need to limit access. Without completely tearing down and rebuilding my network with proper segmentation (which I plan on doing next year) is there a way I can do this with my current equipment and layout? I have:
*1 subnet (192.168.0.1) for LAN which includes servers, printers, and PCs
*3548XL Catalyst switches
*1 2811 router
12-05-2008 12:46 PM
Then things are a lot simpler.
Do you know which vlan all the ports are in on your 3548 switch? Please post output of
3548# sh vlan
To then create a new vlan that is routed these are the basic steps
1) Choose a new IP subnet - e.g. 192.168.5.0/24
2) Allocate .1 from that subnet onto the fe0/1 interface on your 2811
int fa0/1
ip address 192.168.5.1 255.255.255.0
no shut
3) Create a new L2 vlan on your 3548 switch - we'll use vlan 2 as an example -
3548# vlan database
3548(vlan)# vlan 2 name server_vlan
3548(vlan)# apply
4) Allocate the port on the switch that the 2811 fe0/1 interface connects to into vlan 2
3548(config)#int fa0/1
3548(config-if)# switchport access vlan 2
5) Any machines you want to move into vlan 2 you can then do step 4 for the ports that these machines connect into.
These machines will need an IP address from the 192.168.5.x range and will have their default-gateway set to 192.168.5.1 (fa0/1 interface on 2811).
After that you can then use extended access-lists to control traffic between your 2 vlans and these access-lists would be applied to the 2811 interface.
If you need help with the access-lists once you have done the above let us know.
Jon
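Putting Jon's five steps together with the extended access-list he mentions at the end, as an added example that is not from the thread itself. Assumptions (none of these come from the thread): the 2811's fa0/0 holds the existing LAN gateway 192.168.0.1/24, the restricted server sits alone in vlan 2 at 192.168.5.10 on switch port fa0/2, the admin workstation is 192.168.0.50, and the only service the rest of the LAN needs from the server is TCP 443. Substitute your own addresses and ports.

```cisco
! ---- 3548XL: create vlan 2 and put the router uplink and the server port in it ----
vlan database
 vlan 2 name server_vlan
 apply
 exit
!
configure terminal
! port cabled to the 2811 fa0/1 interface (step 4 in the thread)
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
! port the restricted server plugs into (fa0/2 is an assumption)
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
end

! ---- 2811: route between the two subnets and filter what may reach the server ----
configure terminal
! existing LAN gateway (assumption: fa0/0 already carries 192.168.0.1/24)
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ! the ACL is applied inbound here, so it sees LAN traffic as it enters the router
 ip access-group LAN_TO_SERVER in
 no shutdown
!
! new server vlan gateway (step 2 in the thread)
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 no shutdown
!
! Named extended ACL. 192.168.5.10 is the restricted server (constructed address).
! Entries are evaluated top to bottom; the first match wins.
ip access-list extended LAN_TO_SERVER
 remark admin workstation gets full access to the server
 permit ip host 192.168.0.50 host 192.168.5.10
 remark every other LAN host may reach the web service only
 permit tcp 192.168.0.0 0.0.0.255 host 192.168.5.10 eq 443
 remark anything else aimed at the server vlan is dropped and logged
 deny ip any 192.168.5.0 0.0.0.255 log
 remark traffic to other LAN hosts or out to the Internet is unaffected
 permit ip any any
end
```

Two things worth checking once this is in place. First, the filtering happens only when packets cross the router, so any host you leave in vlan 2 alongside the server can talk to it freely; keep vlan 2 to the server (and anything you fully trust) and do the rest from the 192.168.0.x side. Second, confirm the ACL is matching as intended with `show ip access-lists LAN_TO_SERVER` on the 2811 (the hit counters increment per entry) and `show vlan` on the 3548 to verify the port assignments from steps 3 and 4. The `log` keyword on the deny line gives you a record of denied attempts in the router's log, which is handy both for troubleshooting a missing permit and for noticing hosts that should not be trying to reach the server at all.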
12-05-2008 09:11 AM
Hello Quinton..
It is a tedious job to restrict access on layer 2. You can use private VLANs, but you must be very sure of what traffic should flow between your end devices! You can also use layer 2 or MAC-based VLANs, but your switch seems to be too old for it! Try your luck and see if you have "mac access-list" commands; you can define these ACLs and apply them on the relevant port. This URL might help you:
I think you can bifurcate the LAN, instead of doing this complex stuff, and get it going on Layer 3 access-controls..
Hope this helps.. all the best..
Raj
12-05-2008 11:36 AM
That's what I was afraid of, but thanks for the answer. Can you point me to a good explanation on creating VLANs for my subnet so I can get this thing segmented?
12-05-2008 11:53 AM
Quinton
Here is a document showing how to use a switch and subinterfaces on a router to create and route between 2 vlans. If you have spare interface(s) on your 2811 then you don't need subinterfaces, but I'm assuming you don't. (Note: if you do, let us know, as it's a lot simpler.)
Scroll down to the table showing 802.1q support in catalyst switches to make sure you have the correct IOS on your 3548XL. Also the router in this example doc is a 2600 but your 2800 will be fine -
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
For each vlan you need a different IP subnet.
Jon
12-05-2008 12:35 PM
I'm not using the Fe0/1 on my 2811.
12-05-2008 12:54 PM
Extremely helpful, thank you! I'll work on this and post any other questions.