02-23-2012 09:18 AM - edited 03-04-2019 03:24 PM
Hi,
In my office they have given me one task in the network.
My setup:
We have a PTP connection between our offices.
One is the head office and the other is the client office.
I have a problem in the client office; that office has 300 users in total.
We have allocated the LAN network as 10.20.235.0/23. There are two departments.
We allocated one dept 10.20.234.0/24 and the other dept 10.20.235.0/24.
We want the two subnets not to communicate in the local LAN network, but both should communicate with the head office servers.
I have one Cisco 1841 router and 7 HP L2 manageable switches.
What IP should be given to the LAN interface, and which gateways should be given to the two depts?
In the head office I have already given a static route, and the PTP link is working.
Kindly tell me what I should do.
02-23-2012 11:19 AM
Hi
It seems like you need to separate two departments using one router.
So, if VLAN 100 = 10.20.234.0/24 and VLAN 200 = 10.20.235.0/24:
This configuration is from memory, so it is probably not without flaws;
On the 1841 router:
interface F0/0
description WAN interface
ip address 33.33.33.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 33.33.33.1 name DEFAULT
!
!
interface F0/1
description LAN interface
!
interface F0/1.100
encapsulation dot1Q 100
ip address 10.20.234.1 255.255.255.0
no ip proxy-arp
ip access-group ACL_100 in
!
interface F0/1.200
encapsulation dot1Q 200
ip address 10.20.235.1 255.255.255.0
no ip proxy-arp
ip access-group ACL_200 in
!
ip access-list extended ACL_100
deny ip 10.20.234.0 0.0.0.255 10.20.235.0 0.0.0.255 log
permit ip any any
!
ip access-list extended ACL_200
deny ip 10.20.235.0 0.0.0.255 10.20.234.0 0.0.0.255 log
permit ip any any
On the HP switch connected to the 1841 router you need to tag VLAN 100 and VLAN 200, and make the uplink port a tagged port.
Remember to create the VLANs on all switches, and to tag the VLANs on all inter-switch links.
This would be a basic configuration for what you are asking.
It is also possible to do this in many other ways, for example VLANs connected to VRFs and even transported with MPLS, but I think this is probably what you were looking for.
Good luck
Atle
---
Posted by WebUser Atle Ørn Hardarson
02-23-2012 08:18 PM
Thanks for your valuable information.
I have one question.
If some users want to communicate between the VLANs, what should I do?
Is it possible?
02-23-2012 09:36 PM
I'm not familiar with the 1841 router, but having a firewall may be a good idea, as you only need some users to be able to communicate with the other department.
02-24-2012 11:42 AM
Hi
Yes, if you want some devices to communicate, but not others, you can modify your ACLs like this:
ip access-list extended ACL_100
remark Permit FTP for server A to VLAN 200
permit tcp host 10.20.234.20 10.20.235.0 0.0.0.255 eq 21
remark Permit Print for Server A to Server on VLAN 200
permit tcp host 10.20.234.20 host 10.20.235.20 eq 9100
remark Deny everything else between subnets
deny ip 10.20.234.0 0.0.0.255 10.20.235.0 0.0.0.255 log
remark Still permit traffic to the head office (and everything else)
permit ip any any
This is all for IPv4. Remember, if you deploy IPv6, the same applies to IPv6.
PS: if you require more complex rules, it is possible to configure a zone-based firewall on IOS, or, if the access is user-based rather than IP-based, you can install an ASA 5K firewall and use LDAP "snooping" if a directory service is present, like Active Directory.
HTH
Atle
---
Posted by WebUser Atle Ørn Hardarson
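The two ACL designs in this thread (the first answer's deny-between-subnets ACL_100 and the per-host exceptions in the answer above), checked offline as an added example that is not part of the original posts. The Python below parses IOS extended ACL lines and replays flows through them with first-match semantics and the implicit deny IOS appends to every ACL, so you can see what an ACL does before applying it with "ip access-group ... in". It also shows why closing the exception list with "deny ip any any" instead of a scoped deny would have cut the client office off from the head office. The head-office server address and the test flows are assumptions; the thread gives no head-office addresses.

```python
"""Offline evaluator for the Cisco IOS extended ACLs posted in this thread.

Added example, not from the original posts. Handles "permit"/"deny" lines with
"host A", "any" or "A WILDCARD" addresses, an optional "eq PORT" after either
address, and a trailing "log"; other lines (remark, ip access-list, !) are skipped.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[int, int]  # (address, wildcard); wildcard bits set to 1 are "don't care"


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", ...
    src: Addr
    dst: Addr
    dport: Optional[int]  # destination port from "eq N", None if absent


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """Read one address spec starting at tok[i]; return (spec, index after it)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tok, 2)
        _sport, i = _parse_port(tok, i)  # a source-port "eq" is legal; not matched here
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append(Entry(tok[0], tok[1], src, dst, dport))
    return entries


def _matches(spec: Addr, ip: str) -> bool:
    addr, wildcard = spec
    return (((_ip(ip) ^ addr) & ~wildcard) & 0xFFFFFFFF) == 0


def evaluate(entries: List[Entry], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match evaluation of one flow; returns "permit" or "deny"."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not _matches(e.src, src) or not _matches(e.dst, dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every IOS ACL


# Constructed from the thread: ACL_100 of the first answer (ACL_200 is its mirror).
ACL_100_BASIC = """
ip access-list extended ACL_100
 deny ip 10.20.234.0 0.0.0.255 10.20.235.0 0.0.0.255 log
 permit ip any any
"""

# The per-host exceptions, closed with a scoped deny and the permit head-office traffic needs.
ACL_100_EXCEPTIONS = """
ip access-list extended ACL_100
 permit tcp host 10.20.234.20 10.20.235.0 0.0.0.255 eq 21
 permit tcp host 10.20.234.20 host 10.20.235.20 eq 9100
 deny ip 10.20.234.0 0.0.0.255 10.20.235.0 0.0.0.255 log
 permit ip any any
"""

# Same exceptions but closed with "deny ip any any": nothing else leaves VLAN 100.
ACL_100_BROKEN = """
ip access-list extended ACL_100
 permit tcp host 10.20.234.20 10.20.235.0 0.0.0.255 eq 21
 permit tcp host 10.20.234.20 host 10.20.235.20 eq 9100
 deny ip any any
"""

HEADOFFICE_SERVER = "10.20.1.10"  # assumed; the thread gives no head-office address


def check(acl_text: str) -> Dict[str, str]:
    """Flows worth testing before applying ACL_100 inbound on the VLAN 100 subinterface."""
    e = parse_acl(acl_text)
    return {
        "dept_to_dept": evaluate(e, "tcp", "10.20.234.50", "10.20.235.50", 445),
        "ftp_from_server_a": evaluate(e, "tcp", "10.20.234.20", "10.20.235.77", 21),
        "print_from_server_a": evaluate(e, "tcp", "10.20.234.20", "10.20.235.20", 9100),
        "to_headoffice": evaluate(e, "tcp", "10.20.234.50", HEADOFFICE_SERVER, 443),
    }


if __name__ == "__main__":
    for name, acl in (("basic", ACL_100_BASIC), ("exceptions", ACL_100_EXCEPTIONS), ("broken", ACL_100_BROKEN)):
        print(name, check(acl))
```

Running it shows "to_headoffice" permitted for the basic and exceptions lists and denied for the broken one, which is the difference between "deny everything else between subnets" and "deny everything else". The evaluator ignores TCP state, established matching and object groups, so it is a sanity check on ordering and masks, not a substitute for testing on the router.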