VLan configuration

tiagofelizol2 · 2011-01-10T05:28:14.000Z

Hi all,

Wonder if anyone could help me with this. I have to vlan configured: 192.168.2.x and 192.168.1.x, both have dhcp server, sharing the same internet connection. There are 2 server in network 192.168.2.x that I want the guys from 192.168.1.x to access. Problem is that I want to keep them separately. How can I solve this ?

regards,

Tiago Felizol

timd5286 · 2011-01-10T05:42:57.000Z

i’m taking an educated guess here -

you’ll want to configure your router/firewall to allow traffic between those 2 vlans/networks.

i was going to sugest a 255.255.254.0 subnet, but you want to keep them seperate.

static routes maybe an alternative, but i have no experience with them so i dont fully understand how they work.

jon8719 · 2011-01-10T06:06:07.000Z

Could you provide a little more information as to how you want to keep them (I’m assuming the two servers) seperate?

Rivitir · 2011-01-10T06:52:49.000Z

Have a firewall that allows each to get to the internet, but have ACL’s in place where they can not talk to eachother.

lucasbackes · 2011-01-10T08:35:19.000Z

When you say you “want to keep the separately”, you mean you don’t want your machines from 192.168.1.x to able to see the 192.168.2.x machines?

Then I’m going with Vee.Hexx, static routes could solve your issue.

Try configure a static route at one machine at 192.168.2.x to see the server at 192.168.1.x (let’s suppose here 192.168.1.1) trought your router.

Let’s assume your router is 192.168.3.1:

route add 192.168.1.1 192.168.3.1

/ /

(route add SERVER ROUTER)

lucasbackes · 2011-01-10T08:37:57.000Z

And, forgot to say, deppending on which switch you’re using for your vlans, you can configure a route between those vlans just for the ports you want to be visible for the other vlan.

manclncjj · 2011-01-10T08:38:19.000Z

You will need to allow the traffic between the two vlans. You can set it up so only the servers can talk to the other vlan and only on the required ports. It is just a matter of adding another ACL to the router and placing it before the one that denies traffic.

Allow traffic from the server IP on the required port to the vlan2.

you will also have to configure the traffic from vlan2 to the server on vlan1.

tim7139 · 2011-01-10T09:17:20.000Z

The simplest might be to create a new subnet 192.168.3.x and move the servers there, then allow both 192.168.1.x and 192.168.2.x clients

Your other option is adding routs for the 192.168.2.x clients to the specific IP on the other subnet.

tim37816417 · 2011-01-10T11:17:45.000Z

There are several options. I do not thing adding a route to the servers will help without routing between the networks, at some point each network has to know about the other and without some routing between them, they will not communicate.

It the network card supports VLANS than adding a second ip address to the card and allowing multiple VLANS on the port to the server, would helps solve the problem.

Another solution is to use a second NIC on the servers and configure it for the other network.

jeffsharp8377 · 2011-01-10T14:36:48.000Z

If this is a cisco IOS router, research the “Router on a stick” configuration.

If it’s a “home” type router, look about adding static routes to router.

Host based routing can get very messy very quick.

I think the final route table would look something like this:

0.0.0.0 0.0.0.0 X.X.X.X (x = ISP addy, default gateway)

192.168.1.0 255.255.255.0 192.168.1.1

192.168.2.0 255.255.255.0 192.168.2.1

-HTH

timd5286 · 2011-01-11T03:01:13.000Z

Jeff5521 wrote:

192.168.1.0 255.255.255.0 192.168.1.1

192.168.2.0 255.255.255.0 192.168.2.1

just so i understand that;

you add those lines into a cisco router.

192.168.1.0 = network

255.255… = subnet

192.168.1.1 = router?

ie: if devices behind cisco router wants to speak with the 192.168.1.0 range, then it is todo so via the 192.168.1.1 device?

lets say you have a multi-segment network; 192.168.1.0, 2.0, 3.0. they are chained together in a serial method, so 1.0 is not directed connected to 3.0 network.

i’d have to add a static route on both 1.1 router and 2.1 router (and the same for the return journey), for 1.0 network to speak with 3.0 network? sounds alot simplier than I thought!

jeffsharp8377 · 2011-01-11T09:23:07.000Z

You are on the right track. Routers automatically know about all routes they are “connected” to.

you would add the routes to the “default gateway”.

Look at a router like a traffic cop directing traffic. In order to make a left turn you have to get the go ahead from the traffic cop in the intersection.

all devices with the same NETWORK number can communicate by way of braodcasting across the same physical switch. If they want to communicate with another network, we have to give them the roadmap, in other words the IP address of the router that knows about the remote network.

HTH

jeffsharp8377 · 2011-01-11T09:29:18.000Z

Here is a more clear cut diagram of the concept:

http://aconaway.com/2007/08/20/router-on-a-stick/

The way I like to look at vlans is it’s like breaking the switch into several smaller switches. Try to envision several little switches that are not interconnected. To get them connected we have to add a router in the mix.

syntheticdevelopment9523 · 2011-01-11T10:34:15.000Z

I can agree with most the post here you will need to setup Access List on the router.

You will also need to setup trunking on the ports the servers are on so they can see both vlans.

adatec · 2011-01-11T12:42:32.000Z

+1 to router on a stick.

Whether Cisco or not this is the only real way of allowing access to servers and disallowing networks to see/talk. if you just put static routes in each pc they can be changed by the user if they know how, and access any pc in the other network. A router is the only way to go as no one has access to it but you the admin.

katawoskisnipentino · 2011-01-11T14:58:08.000Z

I did not read the router on a stick article so if I repeat something here I apologize. You should be able to use your switch to route for between your subnets and V-Lans I havemodified some lines from my switch to show you what I mean.

Start Vlan-Routing Section dump:

ip default-gateway 192.168.1.1

ip routing
snmp-server community “xxxxxxx” Unrestricted
vlan 1
name “XXXX”
untagged 1,3-8
ip address 192.168.1.xx 255.255.255.0
no untagged 2
exit
vlan 100 name “XXXX”
untagged 2
ip address 192.168.2.1 255.255.255.0
tagged 1,3-8
exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Let me break this down for you if I can do it justice.

This is an 8 port switch we are tagging ports 1,3,4,5,6,7,8 as vlan 100 we have left them untagged in vlan 1. Now port 2 is only in Vlan 100. The switch is 192 .168.1.xxx with a default gateway of 192.168.1.1. Ok that shopuld have been done before we tagged everything. Now we need to assign an ip address to port 2 to allow to route between subnet .1 and subnet .2. This is dunone under your VLan configuration whether you have a GUI to do this in our if you have to use the CLI. So in our example we assign 192.168.2.1 so in your .2 subnet you configure this as you gateway for all machinces in that subnet. Now you must enable ip routing on your switch to get everything to communicate through the switch. Now you need to define a route I chose to do so in my firewall stating 192.168.2.x /24 Gateway 192.168.1.xxx (the switches ip address). This makes everything flow nicely between subnets while keep your traffic seperate.

I do not feel that I did a good job explaining this so if you have any questions pm me directly I will be glad to go into more detail.