Inter-VLAN routing/Windows domain challenge

Unanswered Question
Dec 11th, 2008

I am new to Cisco equipment. Recently my company got a contract to network a factory which is fully automated, with a brief to use Cisco routers and switches for the network. We came up with a solution to use a Cisco 2811 multiservice router and 3 Catalyst 3560 switches (the switches will be connected to each other).

We want to create three VLANs for the company:

- Office (48 LAN points to be deployed)
- Central Control (10 LAN points to be deployed)
- Laboratory (6 LAN points to be deployed)

From the brief we are given, the client wants the Office (consisting of all Office workstations) to have access to the internet and the factory LAN. The Laboratory is to have access to the factory network but no access to the internet.

The Central Control is where the factory can be controlled remotely (start-up and shutdown of engines/monitoring of equipment health); the Central Control must be reachable from the internet.

There is a network printer server and a Windows Server 2003 domain controller which must be available to everybody on the network.

1. My question is how do I achieve inter-VLAN routing?

2. How do I make the Server 2003 domain controller and the network printer server accessible to the 3 VLANs?

3. How do I secure the overall network?

4. How do I secure the Central Control VLAN from inside and outside threats?

5. Should the 2811 router handle the inter-VLAN routing or the Catalyst 3560 switch?

IP address for the VLANs;

- Office

- Central Control



Thank you

Giuseppe Larosa Thu, 12/11/2008 - 13:45

Hello Gbenga,

Your requirements can be satisfied.

Internet access: only private addresses that are translated can access the internet, so selective internet access is provided by using an access-list for NAT that allows only the Office subnet.

1 & 5) You can achieve inter-VLAN routing by using trunk ports: links that are able to carry frames that belong to VLANs 10, 20, 30.

On the router side, for each VLAN a router sub-interface is configured that provides L3 services.

You can also enable inter-VLAN routing on each C3560 if supported.

2) This is normally done using WINS: Windows hosts are now able to perform Windows networking over TCP, which means that it is routable and they can be reached from different IP subnets.

3) You should harden all the network devices; this is quite a broad subject. The 2811 should have additional security features, being the one facing the internet: CBAC could be a choice.

4) This can be part of the security plan.

Hope to help
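
The trunk, sub-interface and NAT access-list arrangement described in the reply above, as an added configuration example that is not part of the original thread. The VLAN IDs 10, 20 and 30 come from the reply; which VLAN gets which ID, the 192.168.x.0/24 subnets, the interface numbers and the ACL name `NAT-OFFICE` are assumptions, since the thread gives no addressing.

```cisco
! Constructed example. Subnets, port numbers and the VLAN-to-name mapping
! are assumptions; only VLAN IDs 10/20/30 appear in the thread.
!
! --- Catalyst 3560: trunk port toward the 2811 ---
interface FastEthernet0/24
 description Trunk to 2811 Fa0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! --- Cisco 2811: physical LAN port carries no address itself ---
interface FastEthernet0/1
 no ip address
 no shutdown
!
! One 802.1Q sub-interface per VLAN acts as that VLAN's default gateway
interface FastEthernet0/1.10
 description Office
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.20
 description Central Control
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/1.30
 description Laboratory (not marked NAT inside, not in the NAT ACL)
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!
interface FastEthernet0/0
 description Internet uplink
 ip nat outside
!
! Only the Office subnet matches, so only Office sources are translated
ip access-list standard NAT-OFFICE
 permit 192.168.10.0 0.0.0.255
!
ip nat inside source list NAT-OFFICE interface FastEthernet0/0 overload
```

After applying it, `show interfaces trunk` on the switch and `show ip nat translations` on the router confirm that all three VLANs cross the trunk and that only Office addresses appear as translated sources.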


