Add new VLAN

paul.tim681
Level 1

Hi all

I need help creating one new VLAN that should not be reachable from any other VLAN. All traffic from this VLAN should be routed to the DSL internet router.

VLAN subnet: 192.168.200.0 255.255.255.0
DSL router IP: 192.168.200.253 255.255.255.0

Users on this subnet will only access the internet.

Current configuration:

service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HQSACOREGW
!
interface Loopback0
 ip address 172.20.20.1 255.255.255.255
!
interface Loopback1
 ip address 172.20.20.2 255.255.255.255
!
interface Vlan2
 description IT Users
 ip address 172.20.25.254 255.255.255.0
 ip helper-address 192.168.1.100
!
interface Vlan3
 description Server
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan4
 description network devices
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan5
 description vpn_router
 ip address 172.20.26.1 255.255.255.248
!
interface Vlan6
 description Connected to Building2
 ip address 172.20.26.9 255.255.255.248
!
interface Vlan7
 description connected to IDN
 ip address 172.20.26.17 255.255.255.248
!
interface Vlan8
 description connected to Firewall
 ip address 172.20.26.25 255.255.255.248
!
router ospf 5
 redistribute connected subnets
 redistribute static subnets
 network 172.20.25.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 172.20.26.1 0.0.0.0 area 0
 network 172.20.26.9 0.0.0.0 area 0
 network 172.20.26.17 0.0.0.0 area 0
 network 172.20.26.25 0.0.0.0 area 0
 network 172.20.20.1 0.0.0.0 area 0
 network 172.20.20.2 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 172.20.26.26
ip route 10.10.10.0 255.255.255.0 172.20.26.2
ip route 10.10.20.0 255.255.255.0 172.20.26.2
ip route 10.10.100.0 255.255.255.0 172.20.26.2

Thank you all

Paul

5 Replies

John Blakley
VIP Alumni

Paul,

Is a standard acl acceptable to you? You could deny access from this subnet to any other private subnet and then allow them to go anywhere else. You'd apply it on the vlan interface:

! SVI form and /24 mask assumed (the post gave no mask); the third deny
! uses wildcard 0.0.255.255 so it covers all of 192.168.0.0/16, not just
! 192.168.0.0/24 as originally written.
interface Vlan500
 ip address 192.168.50.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any

HTH,

John

HTH, John *** Please rate all useful posts ***

rizwanr74
Level 7

Hi Paul,

Please read this thread; there is a working solution already found in the thread below.

https://supportforums.cisco.com/thread/2131688

Please rate helpful post

thanks

Hi all

rizwanr74 -> my requirement is different from the one in the link.

John, thanks mate for supporting the post. My default route sends all traffic to the firewall box, so how do I send the new VLAN traffic to the new DSL router? I also don't want the new VLAN to use our existing local DNS server in vlan3, but to use the ISP DNS or the DSL router IP as DNS resolver instead. If I add a new VLAN then I need to update access-list 101; is a standard or extended ACL easy to change?

Thank you all

Paul

Hi,

Does your IOS support VRFs?

If yes, I'd create a new VRF for the new subnet. You could use a separate routing table for it then.

HTH,

Milan

VRF is not supported. The new subnet hits the firewall box, but the traffic is not routed to the new DSL router.
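Before applying an isolation ACL like the one John posted, it is worth checking offline which of the existing subnets it actually blocks. The following is an added example, not code from the thread: it models IOS wildcard-mask matching with first-match semantics and an implicit deny, and compares the ACL as originally posted (192.168.0.0 0.0.0.255) against the widened 0.0.255.255 entry, using the addresses from Paul's configuration (the 192.168.200.10 host address is constructed).

```python
import ipaddress

# ACL entries as (action, source spec, destination spec); a spec is either
# "any" or an IOS-style "address wildcard" pair. ACL_AS_POSTED mirrors the
# thread's original third line; ACL_CORRECTED widens it to 192.168.0.0/16.
ACL_AS_POSTED = [
    ("deny",   "any", "10.0.0.0 0.255.255.255"),
    ("deny",   "any", "172.16.0.0 0.15.255.255"),
    ("deny",   "any", "192.168.0.0 0.0.0.255"),
    ("permit", "any", "any"),
]
ACL_CORRECTED = ACL_AS_POSTED[:2] + [
    ("deny",   "any", "192.168.0.0 0.0.255.255"),
    ("permit", "any", "any"),
]

def wildcard_match(addr: str, spec: str) -> bool:
    """True if addr matches an IOS 'address wildcard' spec (or 'any')."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    base_i = int(ipaddress.IPv4Address(base))
    wild_i = int(ipaddress.IPv4Address(wildcard))
    addr_i = int(ipaddress.IPv4Address(addr))
    care = ~wild_i & 0xFFFFFFFF        # wildcard bit 1 means "don't care"
    return (addr_i & care) == (base_i & care)

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; no match falls to the implicit deny."""
    for action, s_spec, d_spec in acl:
        if wildcard_match(src, s_spec) and wildcard_match(dst, d_spec):
            return action
    return "deny"

def leaks(acl, src: str, candidates) -> list:
    """Destinations in candidates that src can still reach under acl."""
    return [d for d in candidates if evaluate(acl, src, d) == "permit"]

# Internal addresses taken from the posted configuration (constructed host
# 192.168.200.10 stands in for a client on the new VLAN).
INTERNAL = ["192.168.1.100", "192.168.2.254", "172.20.25.254", "10.10.10.1"]

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(f"{name}: reachable internal hosts = {leaks(acl, '192.168.200.10', INTERNAL)}")
```

As posted, the ACL still lets the new VLAN reach the server-VLAN DNS host 192.168.1.100 and the network-devices SVI; the widened wildcard closes both while leaving internet destinations permitted.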
