05-02-2012 03:06 AM - edited 03-04-2019 04:13 PM
Hi all
I need help to create one new vlan that should not be reachable with any other vlan. All traffic from this vlan should be routed to dsl-internet router
vlan subnet - 192.168.200.0 255.255.255.0
DSL Router IP : 192.168.200.253 255.255.255.0
users on this subnet will only access the internet
current configuration
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HQSACOREGW
! service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname BB0
!
interface Loopback0
ip address 172.20.20.1 255.255.255.255
interface Loopback1
ip address 172.20.20.2 255.255.255.255
interface Vlan2
description IT Users
ip address 172.20.25.254 255.255.255.0
ip helper-address 192.168.1.100
interface vlan3
description Server
ip address 192.168.1.254 255.255.255.0
interface vlan 4
description network devices
ip address 192.168.2.254 255.255.255.0
interface vlan 5
description vpn_router
ip address 172.20.26.1 255.255.255.248
interface vlan 6
description Connected to Building2
ip address 172.20.26.9 255.255.255.248
interface vlan 7
description connected to IDN
ip address 172.20.26.17 255.255.255.248
interface vlan 8
description connected to Firewall
ip address 172.20.26.25 255.255.255.248
router ospf 5
redistribute connected subnets
redistribute static subnets
network 172.20.25.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 172.20.26.1 0.0.0.0 area 0
network 172.20.26.9 0.0.0.0 area 0
network 172.20.26.17 0.0.0.0 area 0
network 172.20.26.25 0.0.0.0 area 0
network 172.20.20.1 0.0.0.0 area 0
network 172.20.20.2 0.0.0.0 area 0
ip route 0.0.0.0 0.0.0.0 172.20.26.26
ip route 10.10.10.0 255.255.255.0 172.20.26.2
ip route 10.10.20.0 255.255.255.0 172.20.26.2
ip route 10.10.100.0 255.255.255.0 172.20.26.2
thank you all
Paul
05-02-2012 05:05 AM
Paul,
Is a standard acl acceptable to you? You could deny access from this subnet to any other private subnet and then allow them to go anywhere else. You'd apply it on the vlan interface:
interface Vlan500
 ip address 192.168.50.1 255.255.255.0
 ip access-group 101 in
!
! Deny the three RFC 1918 ranges, then permit everything else (the Internet).
! The 192.168.0.0 entry needs wildcard 0.0.255.255 to cover the whole /16.
! (subnet mask on the SVI assumed; the post gave none)
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
HTH,
John
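An added example (not from John's post or from Cisco) that evaluates an ACL of this shape the way IOS does: first match wins, wildcard bits set to 1 are ignored, and an implicit deny sits at the end. It contrasts wildcard 0.0.0.255 on 192.168.0.0 (which covers only 192.168.0.0/24, an easy slip) with 0.0.255.255 (the whole RFC 1918 block) and lists which of Paul's internal subnets the narrow wildcard still leaves reachable. The host addresses are constructed inside the subnets from Paul's running config; the `Ace` type and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry with an 'any' source and a destination
    given as a Cisco address/wildcard pair (example type, not an IOS object)."""
    action: str      # "permit" or "deny"
    dst_net: str     # e.g. "192.168.0.0"
    wildcard: str    # Cisco wildcard: 1 bits are "don't care"


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace: Ace, dst: str) -> bool:
    # Cisco wildcard semantics: compare only the bits where the wildcard is 0.
    care = 0xFFFFFFFF ^ _to_int(ace.wildcard)
    return (_to_int(dst) & care) == (_to_int(ace.dst_net) & care)


def evaluate(acl, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, dst):
            return ace.action
    return "deny"


# Wildcard 0.0.0.255 on 192.168.0.0 matches only 192.168.0.0/24.
NARROW_192 = [
    Ace("deny", "10.0.0.0", "0.255.255.255"),
    Ace("deny", "172.16.0.0", "0.15.255.255"),
    Ace("deny", "192.168.0.0", "0.0.0.255"),
    Ace("permit", "0.0.0.0", "255.255.255.255"),   # permit ip any any
]

# Wildcard 0.0.255.255 matches the whole 192.168.0.0/16 RFC 1918 block.
FULL_RFC1918 = [
    Ace("deny", "10.0.0.0", "0.255.255.255"),
    Ace("deny", "172.16.0.0", "0.15.255.255"),
    Ace("deny", "192.168.0.0", "0.0.255.255"),
    Ace("permit", "0.0.0.0", "255.255.255.255"),
]

# Constructed hosts inside subnets from the running config: the server VLAN's
# DNS server, the network-devices SVI, an IT user, and a host behind the VPN router.
INTERNAL_HOSTS = ["192.168.1.100", "192.168.2.254", "172.20.25.10", "10.10.10.5"]


def leaks(acl) -> list:
    """Internal hosts that the ACL still lets the isolated VLAN reach."""
    return [h for h in INTERNAL_HOSTS if evaluate(acl, h) == "permit"]


if __name__ == "__main__":
    for name, acl in (("0.0.0.255", NARROW_192), ("0.0.255.255", FULL_RFC1918)):
        print(f"wildcard {name}: Internet -> {evaluate(acl, '8.8.8.8')}, "
              f"still reachable -> {leaks(acl)}")
```

With the narrow wildcard both 192.168.1.100 (the DNS/server VLAN) and 192.168.2.254 stay reachable while Internet traffic is permitted either way, which is exactly the kind of gap a quick `show access-lists` hit-count check after deployment would reveal.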
05-02-2012 10:12 AM
Hi Paul,
Please read this thread; a working solution has already been found in the thread below.
https://supportforums.cisco.com/thread/2131688
Please rate helpful post
thanks
05-03-2012 12:30 AM
Hi all
rizwanr74 -> my requirement is different from the one in the link.
John, thanks mate for supporting the post. My default route sends all traffic to the firewall-box, so how do I send the new VLAN's traffic to the new DSL router? I also don't want the new VLAN to use our existing local DNS server in vlan3, but to use the ISP DNS or the DSL router IP as DNS resolver. If I add a new VLAN then I need to update access-list 101, so a standard or extended ACL is easy to change.
thank you all
Paul
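An added example (not from the thread) that models why the new VLAN's Internet traffic ends up at the firewall-box: a longest-prefix-match lookup over the static routes in Paul's running config always falls through to the default route via 172.20.26.26. The second function shows the effect of a source-based policy that sends packets from 192.168.200.0/24 to the DSL router instead; on IOS that is policy-based routing (a route-map with `set ip next-hop`, applied to the SVI with `ip policy route-map`), which, like VRF, depends on the platform and image supporting it. The 192.168.200.0/24 connected entry, the `RIB` list and the function names are this example's assumptions.

```python
import ipaddress

# Static routes from the running config in the thread, plus the new VLAN's
# SVI as a connected route (assumed, since the SVI does not exist yet).
RIB = [
    ("0.0.0.0/0",        "172.20.26.26"),   # default route -> firewall-box
    ("10.10.10.0/24",    "172.20.26.2"),
    ("10.10.20.0/24",    "172.20.26.2"),
    ("10.10.100.0/24",   "172.20.26.2"),
    ("192.168.200.0/24", "connected"),
]

NEW_VLAN = ipaddress.ip_network("192.168.200.0/24")
DSL_ROUTER = "192.168.200.253"   # from Paul's first post


def rib_next_hop(dst: str) -> str:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in RIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def policy_next_hop(src: str, dst: str) -> str:
    """Source-based policy applied before the RIB: traffic from the new VLAN
    to anything outside its own subnet goes to the DSL router; everything
    else follows the normal routing table."""
    if ipaddress.ip_address(src) in NEW_VLAN and ipaddress.ip_address(dst) not in NEW_VLAN:
        return DSL_ROUTER
    return rib_next_hop(dst)


if __name__ == "__main__":
    flow = ("192.168.200.10", "8.8.8.8")   # constructed new-VLAN host -> Internet
    print("plain routing :", rib_next_hop(flow[1]))        # 172.20.26.26 (firewall)
    print("with policy   :", policy_next_hop(*flow))        # 192.168.200.253 (DSL)
```

Two points a practitioner would check before choosing this route: the ACL on the SVI still decides what the VLAN may reach, the policy only decides where permitted packets go; and because 192.168.200.253 sits inside the VLAN's own /24, hosts that receive the DSL router as their default gateway and the ISP's resolvers via DHCP never need the switch to forward their Internet traffic at all, which also answers the DNS part of the question without touching vlan3.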
05-03-2012 04:45 AM
Hi,
does your IOS support VRFs?
If yes, I'd create a new VRF for the new subnet. You could use a separated routing table for it then.
HTH,
Milan
05-04-2012 10:01 PM
VRF not supported. New subnet hits the firewall-box but traffic is not routed to new-DSL-router.