Add new VLAN

Unanswered Question
May 2nd, 2012

Hi all

I need help to create one new vlan that should not be reachable with any other vlan. All traffic from this vlan should be routed to dsl-internet router

vlan subnet - 192.168.200.0 255.255.255.0
DSL Router IP : 192.168.200.253 255.255.255.0

users on this subnet will only access internet

current configuration

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname HQSACOREGW

!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname BB0
!

interface Loopback0
ip address 172.20.20.1 255.255.255.255

interface Loopback1
ip address 172.20.20.2 255.255.255.255


interface Vlan2
description IT Users
ip address 172.20.25.254 255.255.255.0
ip helper-address 192.168.1.100


interface vlan3
description Server
ip address 192.168.1.254 255.255.255.0


interface vlan 4
description network devices
ip address 192.168.2.254 255.255.255.0

interface vlan 5
description vpn_router
ip address 172.20.26.1 255.255.255.248

interface vlan 6
description Connected to Building2
ip address 172.20.26.9 255.255.255.248


interface vlan 7
description connected to IDN
ip address 172.20.26.17 255.255.255.248

interface vlan 8
description connected to Firewall
ip address 172.20.26.25 255.255.255.248


router ospf 5
redistribute connected subnets
redistribute static subnets
network 172.20.25.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 172.20.26.1 0.0.0.0 area 0
network 172.20.26.9 0.0.0.0 area 0
network 172.20.26.17 0.0.0.0 area 0
network 172.20.26.25 0.0.0.0 area 0
network 172.20.20.1 0.0.0.0 area 0
network 172.20.20.2 0.0.0.0 area 0

ip route 0.0.0.0 0.0.0.0 172.20.26.26
ip route 10.10.10.0 255.255.255.0 172.20.26.2
ip route 10.10.20.0 255.255.255.0 172.20.26.2
ip route 10.10.100.0 255.255.255.0 172.20.26.2

thank you all

Paul

John Blakley Wed, 05/02/2012 - 05:05

Paul,

Is a standard acl acceptable to you? You could deny access from this subnet to any other private subnet and then allow them to go anywhere else. You'd apply it on the vlan interface:

interface Vlan500
 ip address 192.168.50.1
 ip access-group 101 in
!
! deny the RFC 1918 private ranges, then permit everything else
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any

HTH,

John
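
An added example, not part of the thread: a small Python check of how the wildcard on the 192.168.0.0 entry of an ACL shaped like the one above decides whether the existing VLANs stay unreachable from the new one. The function names and the two ACL variants are constructed for illustration; the sample destinations are constructed hosts inside the subnets of the posted configuration (192.168.1.100 and 172.20.26.26 appear there as the helper address and the default-route next hop).

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def parse_acl(text):
    """Parse 'access-list N permit|deny ip any <dst> <wildcard>|any' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[3:] == ["ip", "any", "any"]:
            dst = ("0.0.0.0", "255.255.255.255")
        elif tok[:1] == ["access-list"] and tok[3:5] == ["ip", "any"] and len(tok) == 7:
            dst = (tok[5], tok[6])
        else:
            raise ValueError(f"unsupported ACL line: {line!r}")
        rules.append((tok[2], dst))
    return rules

def evaluate(rules, dst_ip):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, (base, wildcard) in rules:
        if wildcard_match(dst_ip, base, wildcard):
            return action
    return "deny"

def leaks(acl_text, internal_hosts):
    """Internal destinations that the ACL would still permit."""
    rules = parse_acl(acl_text)
    return [h for h in internal_hosts if evaluate(rules, h) == "permit"]

ACL_TEMPLATE = """
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 {wildcard}
access-list 101 permit ip any any
"""
ACL_24 = ACL_TEMPLATE.format(wildcard="0.0.0.255")    # matches 192.168.0.x only
ACL_16 = ACL_TEMPLATE.format(wildcard="0.0.255.255")  # matches all of 192.168.0.0/16
# Constructed sample destinations inside the subnets of the posted configuration
INTERNAL = ["172.20.25.10", "192.168.1.100", "192.168.2.10", "172.20.26.26", "10.10.10.5"]

if __name__ == "__main__":
    print("permitted with 0.0.0.255:  ", leaks(ACL_24, INTERNAL))
    print("permitted with 0.0.255.255:", leaks(ACL_16, INTERNAL))
```

With the 0.0.0.255 wildcard the server and network-device VLANs (192.168.1.0/24 and 192.168.2.0/24) fall through to the final permit; with 0.0.255.255 none of the sampled internal destinations is permitted.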

paultim68 Thu, 05/03/2012 - 00:30

Hi all

rizwanr74 -> my requirement is different than the link

John, thanks mate for supporting the post. My default route is to send all traffic to the firewall-box, then how to send new vlan traffic to the new DSL router? I also don't want the new vlan to use our existing local DNS server in vlan3, but use the ISP DNS or the DSL router IP as DNS resolver. If I add a new vlan then I need to update access-list 101, so standard or extended acl easy to change.

thank you all

Paul

milan.kulik Thu, 05/03/2012 - 04:45

Hi,

does your IOS support VRFs?

If yes, I'd create a new VRF for the new subnet. You could use a separated routing table for it then.

HTH,

Milan

paul.tim681 Fri, 05/04/2012 - 22:01

VRF not supported. New subnet hits the firewall-box but traffic is not routed to new-DSL-router.

Posted May 2, 2012 at 3:06 AM