
Adding Subnets

Status
Not open for further replies.

nogs2

MIS
Jan 10, 2005
22
GB
Hi All

Can anyone advise me? Currently I'm using a class C network 192.168.2.0 255.255.255.0; the gateway is 192.168.2.248. I'm running out of addresses and want to add a new subnet of 192.168.20.0/24.
From the new network I want to see a server 192.168.2.10 on the "old" network on port 23 only - all other traffic needs to be blocked.

Would you suggest adding a new router for the new network and then bridge this to the old network?
What would be the best router for the job?
Can I add a secondary IP address onto the current gateway's eth port (Cisco 2600)?
Will there be any issues having both networks address ranges running on the same LAN?

Thanks for any help in advance
Nogs2
 
If you're running 2 subnets, you need to have separate VLANs, and a router to route between the VLANs. Incidentally, this will help you limit access to the server: you can set up an access list to block all but port 23 to the server (you will need to leave port 21 open as well, since FTP uses that too).
 
Hi Lundah
Thanks V Much!!
What is the theory behind VLANS??
Is this something that allows 2 subnets over 1 LAN?
Will I have to setup each switch with 2 Vlans (192.168.2.0 + 192.168.20.0)?
Does anyone have any FAQs I can take a look at?
 
You can run 2 subnets over a single LAN with no additional equipment whatsoever. VLANs provide a limited amount of protection between the two subnets, especially where the switches are involved.

Lundah is correct that you will need a router between the two subnets in order to filter ports, but incorrect in that port 23 is telnet. FTP is ports 20 and 21.

The only "issues" with running both subnets on the same LAN is that any computer that is on the same physical network with a computer in another subnet can eavesdrop on the other network and collect its data. If you are connecting all computers directly to a managed switch, and using VLANs on that switch, then the amount of traffic that can be gleaned from one subnet to the other is minimal at best.

Cisco has extensive documentation on VLAN configuration. A Google search like:

vlan configure site:cisco.com

should yield some high value results.


pansophic
 
To answer your questions:

Would you suggest adding a new router for the new network and then bridge this to the old network?

Not necessary I think. A 2600 can handle this just fine.


What would be the best router for the job?

See above.


Can I add a secondary IP address onto the current gateway's eth port (Cisco 2600)?

Yes if you want to. I'd recommend against doing this though.


Will there be any issues having both networks address ranges running on the same LAN?

Depends. If you segment your network using VLANs, this is the most efficient way to protect networking resources. Multiple addresses on the same LAN interface on the 2600 will greatly increase broadcast traffic and reduce available network bandwidth.


My recommendation would be to:

1. Create 2 new VLANs for both IP subnets on your VTP master switch.
2. Create a VLAN trunk on the switch port connected to the 2600.
3. Assign both VLANs to this trunk.
4. Create 2 LAN sub-interfaces on the 2600 and allocate appropriate IP addressing.
5. Set up ACLs on both sub-interfaces to control the access you've highlighted between VLANs.

This setup is well-documented on Cisco.com. A good link about this process is as follows:
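Added example, not part of the original thread or Cisco's documentation: a sketch of the five steps above in IOS syntax, using the addresses from the question. VLAN IDs 2 and 20, the port names, the new gateway address 192.168.20.1 and the ACL names are assumptions.

```cisco
! Switch side (Catalyst IOS syntax). VLAN IDs and port Fa0/24 are assumptions.
vlan 2
 name OLD-192-168-2
vlan 20
 name NEW-192-168-20
!
interface FastEthernet0/24
 description Trunk to the 2600
 ! omit the next line on switches that only support 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,20
!
! Router side (2600). Interface name Fa0/0 is an assumption.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.2
 description Old network, existing gateway address
 encapsulation dot1Q 2
 ip address 192.168.2.248 255.255.255.0
!
interface FastEthernet0/0.20
 description New network, gateway address is an assumption
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group NEW-IN in
 ip access-group NEW-OUT out
!
! Traffic arriving from the new subnet
ip access-list extended NEW-IN
 remark new subnet may reach the server on TCP 23 only
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.2.10 eq 23
 deny   ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 remark assumption: other destinations stay reachable, remove to block them
 permit ip 192.168.20.0 0.0.0.255 any
!
! Traffic routed toward the new subnet
ip access-list extended NEW-OUT
 remark only replies from the server's port 23 return from the old subnet
 permit tcp host 192.168.2.10 eq 23 192.168.20.0 0.0.0.255 established
 deny   ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip any any
```

The `log` keyword on the deny lines makes blocked cross-subnet attempts visible in the router log, which helps confirm the filter is doing what was asked.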

 