Cisco Support Community

Two private networks that share access to a Third

Vlan A, B, C
A can never see B
I want to be able to go from A->C and B->C at any time, but I want it to be impossible to go A->C->B and vice versa, as it should be impossible to ever find a route that connects A to B.
How can this be accomplished?
Goal:
Have a primary corporate network, a visitor network, and a printer network. Both the primary corporate network and the visitors can access the printer network, but the visitor network can never access the primary corporate network or vice versa.
The most general example of how this concept is already in place:
Company A has a private network. Company B has a private network. When company A attempts to visit www.google.com they are routed out of their private network over the internet. When company B attempts to visit www.google.com they are routed out of their private network over the internet. Company A & B can both access www.google.com via the internet, but Company B cannot access Company A's private network and vice versa.


Re: Two private networks that share access to a Third

Hi Kris,

It is very important to know what devices you are using and what the setup is.

If all of your VLANs are terminated on one router, then you can use VRF-lite to prevent access between the two networks while allowing both networks to access the third network.

Regards

Mahesh


Re: Two private networks that share access to a Third

I may have misread your post, but from what I understand you want the visitor network to be able to reach the printer network. You want the corporate network to be able to reach the printer network. You wish to prevent the visitor network and the corporate network from communicating with each other. If this is correct, you would set the switch up similarly to:

Network ranges:

Visitor network - 192.168.1.0 /24
Printer network - 192.168.2.0 /24
Corporate network - 192.168.3.0 /24

Switch config:

vlan 1
 name VISITOR
vlan 2
 name PRINTER
vlan 3
 name CORPORATE

! Each ACL is applied inbound on the SVI of the network it filters
interface vlan 1
 ip address 192.168.1.254 255.255.255.0
 ip access-group DENY_VISITOR_TO_CORPORATE in
 no shut

! No ACL on the printer SVI
interface vlan 2
 ip address 192.168.2.254 255.255.255.0
 no shut

interface vlan 3
 ip address 192.168.3.254 255.255.255.0
 ip access-group DENY_CORPORATE_TO_VISITOR in
 no shut

! Named extended ACLs; entries use wildcard masks (0.0.0.255 matches a /24)
ip access-list extended DENY_VISITOR_TO_CORPORATE
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any

ip access-list extended DENY_CORPORATE_TO_VISITOR
 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any

Place the ports that connect to the visitor devices into VLAN 1

Place the ports that connect to the printer devices into VLAN 2

Place the ports that connect to the corporate devices into VLAN 3

Regards

Jimmy
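
As an added example (not part of either reply, and not Cisco code): a small Python model of first-match ACL evaluation with IOS wildcard masks, applied inbound on the visitor and corporate SVIs with the address ranges from the reply above. The ACL text, host addresses and function names are constructed for illustration; the last ACL shows the effect of typing a subnet mask where the wildcard mask belongs.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def matches(addr, base, wildcard):
    # IOS wildcard mask: a 1 bit means "ignore this bit", a 0 bit means "must match".
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def parse_acl(text):
    """Parse '<action> ip <src> <wildcard> <dst> <wildcard>' entries; 'any' is allowed."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rest, spec = tok[2:], []
        while rest:
            n = 1 if rest[0] == "any" else 2
            spec.append(("0.0.0.0", "255.255.255.255") if n == 1 else tuple(rest[:2]))
            rest = rest[n:]
        rules.append((tok[0], spec[0], spec[1]))
    return rules

def evaluate(rules, src, dst):
    # First matching entry wins; every ACL ends with an implicit deny.
    for action, (sb, sw), (db, dw) in rules:
        if matches(src, sb, sw) and matches(dst, db, dw):
            return action
    return "deny"

# Constructed inbound ACLs for the visitor and corporate SVIs.
VISITOR_IN = parse_acl("""deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
                          permit ip any any""")
CORPORATE_IN = parse_acl("""deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
                            permit ip any any""")
INBOUND = {"192.168.1.0/24": VISITOR_IN, "192.168.3.0/24": CORPORATE_IN}

def flow(src, dst, acls=INBOUND):
    # Pick the ingress SVI by source subnet; an SVI with no ACL permits everything.
    for net, rules in acls.items():
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return evaluate(rules, src, dst)
    return "permit"

# Same deny entry, but with a subnet mask in the wildcard position (constructed).
SUBNET_MASK_FORM = parse_acl("""deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
                                permit ip any any""")
```

With wildcard masks, `flow("192.168.1.10", "192.168.3.20")` is denied while both user networks still reach 192.168.2.0/24; with the subnet-mask form the deny entry never matches a real host, so the same flow falls through to `permit ip any any`.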
