VLAN Access

Unanswered Question
Jul 29th, 2009

I have begun installing VLANs on a network. They had a 10.120.0.0/16 network before and it ran on VLAN 5. Printers, computers, wireless and other devices are on this network, which is shared with 12 other buildings. The default router is in another county, which I have moved to the point of internet access. They have a gigabit connection connecting all the buildings together.

I am putting a /16 subnet at each building and the whole network will be routable using 10.0.0.0/10.

The building I am currently working on has a network of 10.19.0.0/16. I set up a lab 10.19.19.0/24 and everything is working with DHCP, DNS, imaging and logging, and I have statically set the VLANs on the switches, VLAN 25. But the admin here wants to use the network 10.120.5.0, an address on VLAN 5, to go around filters for workstations installing updates and other issues that might arise with the filters. They need to use this at all the buildings. There is a route in the firewall that will allow this schema out and forces everyone else to the filters.

The problem is when he puts the IP 10.120.5.10 /16 gateway 10.120.1.1 on the machine they are not able to connect. This is due to it being on VLAN 25. How can they access this schema to go around the filters?

I can set up the route on the firewall but don't want to have to make a block for every lab to allow unlimited access if someone can figure that out.

Peter Paluch Thu, 07/30/2009 - 13:08

Hello,

I am sorry but I do not quite follow you. Are you saying that the computers are in VLAN25 but the administrator is in VLAN5 and wants to have unlimited access to machines in the VLAN25?

Please try to re-explain - perhaps a brief example in terms of IP addresses and VLANs would be helpful.

Best regards,

Peter

o.primous Thu, 07/30/2009 - 19:07

The problem is their network is on a flat 10.120.0.0/16 network for the 12 locations. They were complaining about poor speed and performance, so I created a lab to show them how it could help with both and be managed. That's when they freaked about not being able to use the 10.120.5.0/16 IPs.

On their 10.120.0.0/16 network, they had the range 10.120.5.0/24 that allowed them out to the internet without a filter. This is used for tech support throughout the company for troubleshooting. I guess they have problems with their proxy servers a lot. On the firewall on the inside interface they have:

access-list 120 permit ip 10.120.2.0 255.255.255.0 any
access-list 120 permit ip 10.120.3.0 255.255.255.0 any
access-list 120 permit ip 10.120.4.0 255.255.255.0 any
access-list 120 permit ip 10.120.5.0 255.255.255.0 any
access-list 120 deny ip 10.120.0.0 255.255.0.0 any
nat (in) 1 0.0.0.0 0.0.0.0
global (out) 1 10.120.2.1-10.120.2.254
global (out) 1 10.120.3.1-10.120.3.254
global (out) 1 interface

But I can't get out using the 10.19.0.0/16 network.

I recently found out that the ISP had given them the 10.120.0.0/16 address. The internet provider is hosting some of their database servers. I cannot access the databases or internet without going through the internal proxy. It is in the access list allowed out.

With all that, the basic question is how can I make a way for them to get around the filters if I have, let's say, 50 VLANs that are /24. I don't want to make a group in the range and they don't want to have to change VLANs back and forth. I don't know of anything that can be configured on the switches to allow it.

I don't think there's anything they can do, besides make another proxy server and have it open.

The equipment in use is:

PIX525

6500 sw

3560 sw

2960 sw

Also using Cisco phones but that's on a different VLAN.
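The reply above quotes the inside-interface ACL but does not spell out why 10.19.0.0/16 hosts "can't get out". The script below is an added illustration, not code from the thread or from Cisco: it parses the posted access-list 120 lines (PIX syntax, real subnet masks rather than wildcards) and evaluates sample source addresses with first-match semantics plus the implicit deny that ends every ACL. The lab source addresses and the extra "per-lab" permit line are constructed for the example; the assumption that the PIX applies the first matching entry and implicitly denies anything unmatched is standard ACL behaviour.

```python
import ipaddress

# ACL as posted in the thread (PIX uses real subnet masks, not IOS-style wildcards).
ACL_120 = """
access-list 120 permit ip 10.120.2.0 255.255.255.0 any
access-list 120 permit ip 10.120.3.0 255.255.255.0 any
access-list 120 permit ip 10.120.4.0 255.255.255.0 any
access-list 120 permit ip 10.120.5.0 255.255.255.0 any
access-list 120 deny ip 10.120.0.0 255.255.0.0 any
"""

# Constructed variant: the "one block per lab" approach the original poster wants
# to avoid, i.e. a hypothetical permit for the lab /24 placed ahead of the deny.
ACL_120_WITH_LAB = """
access-list 120 permit ip 10.19.19.0 255.255.255.0 any
""" + ACL_120.strip() + "\n"


def parse_acl(text):
    """Parse 'access-list <id> <permit|deny> ip <net> <mask> any' lines.

    Returns a list of (action, network) tuples in configured order.
    Only the source-network/destination-any form used in the thread is handled.
    """
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if (len(parts) != 7 or parts[0] != "access-list"
                or parts[3] != "ip" or parts[6] != "any"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        # ipaddress accepts a dotted netmask after the slash; strict=False
        # tolerates host bits in the written network address.
        net = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        entries.append((action, net))
    return entries


def evaluate(entries, src_ip):
    """First-match evaluation of a source address against the ACL.

    Returns (action, index_of_matching_entry); index is None when no entry
    matched, which is the implicit deny at the end of every access list.
    """
    addr = ipaddress.ip_address(src_ip)
    for idx, (action, net) in enumerate(entries):
        if addr in net:
            return action, idx
    return "deny", None


if __name__ == "__main__":
    # Constructed sample sources: the admin's preferred address, a host elsewhere
    # in the flat /16, and a host in the new lab VLAN.
    for src in ("10.120.5.10", "10.120.9.1", "10.19.19.5"):
        print(src, evaluate(parse_acl(ACL_120), src))
    print("10.19.19.5 with lab entry:", evaluate(parse_acl(ACL_120_WITH_LAB), "10.19.19.5"))
```

Running it shows the three outcomes the thread is circling around: 10.120.5.10 is permitted by the fourth entry, 10.120.9.1 is caught by the explicit deny, and 10.19.19.5 matches nothing at all and falls to the implicit deny. The constructed lab permit line makes the lab host pass, which is exactly the per-VLAN entry the poster does not want to maintain fifty times over.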
