new VLAN

Status
Not open for further replies.

raoul2341

Nov 10, 2009
Hi

I recently got involved in the configuration of Cisco switches and I have to configure a new switch for a different VLAN. All existing devices are on VLAN 1. Here is my question, please:

I have a set of new PCs/servers that need to be on a separate VLAN, e.g. VLAN 20. These devices should not be accessed by any other device outside of this VLAN, but they can access one server on VLAN 1. This is what I have done:

1. Created new vlan 20 and interface vlan 20 on a layer3 switch. The routing on the layer 3 switch is set to route everything through the layer 3 switch (route 0.0.0.0 0.0.0.0 192.168.20.1).

2. On the new switch, I assigned an ip address in the .20.XX range and moved all the ports to vlan 20.

3. Assigned the new PCs/servers static IP addresses in the same range.

It is all working, but devices on VLAN 1 can see the new devices on VLAN 20.

Your help is greatly appreciated.

Thanks
 
You need the devices on vlan1 to have their default gateway set to the layer 3 switch if they aren't already. You would then control the filtering via an access list to ensure that only that one server has access to vlan20 hosts.
 
Just create an inbound ACL on the VLAN 20 SVI permitting everything in the VLAN 20 subnet to go to the one IP in VLAN 1; it should be 1 statement. Everything else will be denied by the implicit deny at the end of an ACL.
 
Man thanks for your replies. I have never done this before but I am sure I will find lots of info by googling.

Cheers
 
Just go to cisco.com and do a search; almost all documentation is free of charge.
 
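ip access-list extended bla
 10 permit ip host (vlan1_server_ip) any
 20 deny ip x.x.x.x y.y.y.y any
 30 permit ip any any
!
! The entries match VLAN 1 source addresses, so the ACL is applied to
! traffic routed out of the SVI toward VLAN 20 hosts.
int vlan 20
 ip access-group bla out

x.x.x.x = IP subnet of VLAN 1, y.y.y.y = wildcard (inverse) mask, i.e. 10.1.1.0 255.255.255.0 =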

20 deny ip 10.1.1.0 0.0.0.255 any

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
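The ACL behaviour this thread relies on (top-down first match, wildcard masks, implicit deny at the end), as an added example that is not part of any poster's reply. The function names are hypothetical, and the addressing is assumed for illustration: VLAN 20 as 192.168.20.0/24, VLAN 1 as 10.1.1.0/24, and 10.1.1.10 as the one permitted VLAN 1 server.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse '<seq> permit|deny ip <src> <dst>' lines, ordered by sequence."""
    rules = []
    for line in text.strip().splitlines():
        seq, action, _proto, *rest = line.split()
        src, rest = parse_spec(rest)
        dst, _ = parse_spec(rest)
        rules.append((int(seq), action, src, dst))
    return sorted(rules)

def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    for seq, action, src, dst in rules:
        if wildcard_match(src_ip, *src) and wildcard_match(dst_ip, *dst):
            return action, seq
    return "deny", None

# Constructed addressing (assumptions, not values from the thread's network).
ONE_LINE_IN = parse_acl("10 permit ip 192.168.20.0 0.0.0.255 host 10.1.1.10")
THREE_LINE = parse_acl("""
10 permit ip host 10.1.1.10 any
20 deny ip 10.1.1.0 0.0.0.255 any
30 permit ip any any
""")

if __name__ == "__main__":
    # One-statement ACL, checked against packets sent by a VLAN 20 host.
    print(evaluate(ONE_LINE_IN, "192.168.20.5", "10.1.1.10"))
    print(evaluate(ONE_LINE_IN, "192.168.20.5", "10.1.1.50"))
    # Three-line ACL, checked against packets sourced in VLAN 1 and elsewhere.
    print(evaluate(THREE_LINE, "10.1.1.10", "192.168.20.5"))
    print(evaluate(THREE_LINE, "10.1.1.50", "192.168.20.5"))
    print(evaluate(THREE_LINE, "172.16.0.9", "192.168.20.5"))
```

These ACLs are stateless: the one-statement inbound ACL drops replies from VLAN 20 hosts to anything but the server, but it does not by itself stop packets from VLAN 1 being delivered into VLAN 20.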
 