help plan of network

malai.joseph
Level 1

I have never used Cisco devices; kindly help me, using the given diagram, to achieve what I plan,
but I can manage to implement it with your assistance, please.
The output of the Cisco router and Cisco switches should accommodate all of the below:

1. Vlan2, Vlan3, Vlan4, Vlan5, Vlan6, Vlan7 should be able to communicate with vlan 8 (server vlan)
2. vlan 8 (server vlan) should be able to communicate with Vlan2, Vlan3, Vlan4, Vlan5, Vlan6, Vlan7
3. Vlan2, Vlan3, Vlan4, Vlan5, Vlan6, Vlan7 should NOT be able to communicate with each other
4. vlan9 should be used for management of the Cisco devices
5. vlan 8 should be able to access the internet directly (without passing through the proxy server)
6. Vlan2, Vlan3, Vlan4, Vlan5, Vlan6, Vlan7 should be able to access
  the internet BUT they should all pass through the PROXY server (squid, ip address 192.168.4.6),
  and the client browser must be configured with
  ip address 192.168.4.6 and port 3128 so that the client can browse the internet
  (note: configuration of the proxy server and the ACLs of the proxy I can handle on my own)
7. Vlan2, Vlan3, Vlan4, Vlan5, Vlan6, Vlan7 should be able to send and receive via the internal mail server,
  ip address 192.168.4.7/26, even when there is NO internet (internet outage; note: the mail server, postfix, I can handle myself)
8. Vlan2, Vlan3, Vlan4, Vlan5, Vlan6, Vlan7 should be able to access the internal web server,
  ip address 192.168.4.3/26, even when there is NO internet (internet outage; note: the web server, LAMP, I can handle myself)
9. The internal mail server, ip address 192.168.4.7/26, should have 512kbps up/down (note: internet from the ISP is 2Mbps)
10. Logs of the router, i.e. who tried to access it, should be sent to the syslog server 192.168.4.10
(note: the syslog server I can handle myself)
11. Security is the most important issue; access must be with SSH and not telnet
(servers will have SQL Server 2008, LAMP, LDAP, Windows patches; the services found on those servers should be allowed)
12. Any idea not included here you can add/remove/edit so as to have a perfect network

Vlan 2
Range of ip address.
192.168.2.0 to 192.168.2.63 subnet mask 255.255.255.192
Gateway will be 192.168.2.1
Vlan 3
Range of ip address
192.168.2.64 to 192.168.2.127 subnet 255.255.255.192
Gateway 192.168.2.65
Vlan 4
Range of ip address
192.168.2.128 to 192.168.2.191 subnet mask 255.255.255.192
Gateway 192.168.2.129
Vlan5
Range of ip address
192.168.2.192 to 192.168.2.255 subnet mask  255.255.255.192
Gateway 192.168.2.193
Vlan 6
Range of ip address
192.168.3.0 to 192.168.63 subnet mask  255.255.255.192
Gateway 192.168.3.1
Vlan 7
192.168.3.64 to 192.168.3.127 subnet mask  255.255.255.192
Gateway 192.168.3.65 
Vlan 8
Range of ip address
192.168.4.1 to 192.168.4.255 subnet mask 255.255.255.192
Gateway 192.168.3.129
Vlan 9
Range of ip address
10.10.10.0 to 10.10.10.6 subnet mask 255.255.255.248
Gateway 192.168.3.129

Attached: conf of the router and 3 Cisco switches

Sorry for long posting
Thanks very much
J

10 Replies

malai.joseph
Level 1

Hi,

The same subnet mask for all VLANs is not possible / makes it hard to define rules accordingly.

I decided to change the VLANs as below:

Vlan 2
Range of ip address
192.168.1.0/24
Vlan 3
Range of ip address
192.168.2.0/24
Vlan 4
Range of ip address
192.168.3.0/24
Vlan 5
Range of ip address
192.168.4.0/24
Vlan 6
Range of ip address
192.168.5.0/24
Vlan 7
Range of ip address
192.168.6.0/24
Vlan 8
Range of ip address
192.168.7.0/24
Vlan 9
Range of ip address
10.10.10.0 to 10.10.10.6 subnet mask 255.255.255.248
Gateway 192.168.3.129

But what I want to achieve is the same as in the previous post; I know the ip addresses of the mail server/syslog server/proxy server will change.

Thanks, hope to hear from you, friend

Joseph

Hi Joseph,

I created the below config for your scenario, which suits you.


interface vlan 2
 ip address 192.168.1.1 255.255.255.0
 ip access-group vlan2 in
!
interface vlan 3
 ip address 192.168.2.1 255.255.255.0
 ip access-group vlan3 in
!
interface vlan 4
 ip address 192.168.3.1 255.255.255.0
 ip access-group vlan4 in
!
interface vlan 5
 ip address 192.168.4.1 255.255.255.0
 ip access-group vlan5 in
!
interface vlan 6
 ip address 192.168.5.1 255.255.255.0
 ip access-group vlan6 in
!
interface vlan 7
 ip address 192.168.6.1 255.255.255.0
 ip access-group vlan7 in
!
interface vlan 8
 description Servers
 ip address 192.168.7.1 255.255.255.0
!
interface vlan 9
 description Management
 ip address 192.168.8.1 255.255.255.0
!
! Each user VLAN gets its ACL inbound on its own SVI, so "any" as the source
! means "hosts in this VLAN". Entries are checked top to bottom and the first
! match wins; the final deny drops everything else, including the other user VLANs.
ip access-list extended vlan2
 permit ip any 192.168.7.0 0.0.0.255
 permit tcp any host 192.168.4.7 eq 25
 permit ip any host 192.168.4.3
 deny ip any any
! line 1: all IP traffic to the server VLAN 192.168.7.0/24 (0.0.0.255 is a wildcard mask)
! line 2: SMTP only (tcp/25) to the mail server
! line 3: all IP traffic to the internal web server
! line 4: everything else is dropped (same as the implicit deny at the end of every ACL)
!
ip access-list extended vlan3
 permit ip any 192.168.7.0 0.0.0.255
 permit tcp any host 192.168.4.7 eq 25
 permit ip any host 192.168.4.3
 deny ip any any
!
ip access-list extended vlan4
 permit ip any 192.168.7.0 0.0.0.255
 permit tcp any host 192.168.4.7 eq 25
 permit ip any host 192.168.4.3
 deny ip any any
!
ip access-list extended vlan5
 permit ip any 192.168.7.0 0.0.0.255
 permit tcp any host 192.168.4.7 eq 25
 permit ip any host 192.168.4.3
 deny ip any any
!
ip access-list extended vlan6
 permit ip any 192.168.7.0 0.0.0.255
 permit tcp any host 192.168.4.7 eq 25
 permit ip any host 192.168.4.3
 deny ip any any
!
ip access-list extended vlan7
 permit ip any 192.168.7.0 0.0.0.255
 permit tcp any host 192.168.4.7 eq 25
 permit ip any host 192.168.4.3
 deny ip any any
!
! vlan8 and vlan9 are not applied to any interface above; an SVI without an
! ACL forwards everything anyway, which is the intended result for those two.
ip access-list extended vlan8
 permit ip any any
!
ip access-list extended vlan9
 permit ip any any


Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.
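To see what each ACL line does, and to check the rules against the requirements in the original post before pushing them to the router, here is an added Python model of how IOS evaluates an extended ACL applied inbound on the VLAN 2 SVI. It is not from this thread or from Cisco; the `Flow` class, `parse_acl()`, `evaluate()` and `check_vlan2()` are my own names, and the client and destination addresses it tests are constructed. Besides confirming the server-VLAN, mail, web and isolation rules, it surfaces one check the config itself does not make: the final deny also drops VLAN 2 traffic to the squid proxy at 192.168.4.6 port 3128, so an extra permit for the proxy is needed (shown here as `VLAN2_ACL_WITH_PROXY`, my addition) before clients can browse through it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the VLAN 2 ACL from the reply above; the other user
# VLANs use the same lines.
VLAN2_ACL = """
ip access-list extended vlan2
 permit ip any 192.168.7.0 0.0.0.255
 permit tcp any host 192.168.4.7 eq 25
 permit ip any host 192.168.4.3
 deny ip any any
"""

# The same list with one extra line allowing the squid proxy (my addition,
# not part of the posted config).
VLAN2_ACL_WITH_PROXY = VLAN2_ACL.replace(
    " deny ip any any",
    " permit tcp any host 192.168.4.6 eq 3128\n deny ip any any",
)


@dataclass(frozen=True)
class Flow:
    proto: str              # "ip", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_matches(tokens: List[str], i: int, addr: str) -> Tuple[bool, int]:
    """Match one IOS address spec starting at tokens[i].

    Understands 'any', 'host A.B.C.D' and 'A.B.C.D WILDCARD'.
    Returns (matched, index of the next token)."""
    a = int(ipaddress.IPv4Address(addr))
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return a == int(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # In a wildcard mask a 1 bit means "don't care", the opposite of a netmask.
    care = ~wild & 0xFFFFFFFF
    return (a & care) == (net & care), i + 2


def parse_acl(text: str) -> List[List[str]]:
    """Return the permit/deny entries of a named extended ACL as token lists."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if toks and toks[0] in ("permit", "deny"):
            entries.append(toks)
    return entries


def evaluate(entries: List[List[str]], flow: Flow) -> str:
    """IOS semantics: first matching entry wins; implicit deny if none match."""
    for toks in entries:
        action, proto = toks[0], toks[1]
        # 'ip' entries match every protocol; 'tcp'/'udp' entries only their own
        if proto != "ip" and proto != flow.proto:
            continue
        ok, i = _addr_matches(toks, 2, flow.src)
        if not ok:
            continue
        ok, i = _addr_matches(toks, i, flow.dst)
        if not ok:
            continue
        # optional destination port qualifier "eq N"
        if i < len(toks) and toks[i] == "eq" and flow.dport != int(toks[i + 1]):
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL


def check_vlan2(acl_text: str = VLAN2_ACL) -> dict:
    """Evaluate the requirements from the original post for one VLAN 2 host."""
    acl = parse_acl(acl_text)
    host = "192.168.1.10"  # constructed VLAN 2 client
    return {
        "server_vlan": evaluate(acl, Flow("tcp", host, "192.168.7.20", 443)),
        "other_user_vlan": evaluate(acl, Flow("tcp", host, "192.168.2.10", 80)),
        "mail_smtp": evaluate(acl, Flow("tcp", host, "192.168.4.7", 25)),
        "mail_other_port": evaluate(acl, Flow("tcp", host, "192.168.4.7", 80)),
        "web_server": evaluate(acl, Flow("tcp", host, "192.168.4.3", 80)),
        "proxy": evaluate(acl, Flow("tcp", host, "192.168.4.6", 3128)),
        "internet_direct": evaluate(acl, Flow("tcp", host, "203.0.113.10", 443)),
    }


if __name__ == "__main__":
    for name, verdict in check_vlan2().items():
        print(f"{name:18} {verdict}")
    print("proxy with extra permit:", check_vlan2(VLAN2_ACL_WITH_PROXY)["proxy"])
```

The model only covers the ACL keywords the posted config uses (`ip`/`tcp`/`udp`, `any`, `host`, wildcard masks and `eq`); it is enough to show that return traffic from the servers is not affected by these lists, because it enters on the vlan 8 SVI, which has no inbound ACL.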

Thanks very much Naidu,

1. Please clarify: where is the conf of the router and switches from your post?

2. Can I get to know what each line does? I guess vlan 2 can access 192.168.7.0, that is the server farm

ip access-list extended vlan2
permit ip any 192.168.7.0 0.0.0.255
permit tcp any host 192.168.4.7 eq 25

permit ip any host 192.168.4.3
deny ip any any

3. How does the http/internet traffic get sent to the proxy 192.168.4.6 from the router, so that the client can browse?

4. Where are the services (SQL, Apache) on my server farm incorporated?

5. I don't see the conf showing the mail server set to 512kbps up/down?

6. Does that conf mean vlan2,3,4,5,6,7 cannot communicate with each other, but can with vlan8?

thanks once again

Joseph

Hi Joseph,

Yes, vlan 2 can access 192.168.7.0, which is the server network.
And regarding the mail server bandwidth setting, there was an old post which was opened by you and answered by me.
And yes, as per the config, vlan2,3,4,5,6,7 cannot communicate with each other.


Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

thanks Naidu

You answered one correctly among many.

The questions below matter to me, please:

1. Please clarify: where is the conf of the router and switches from your post??

3. How does the http/internet traffic get sent to the proxy 192.168.4.6 from the router, so that the client can browse?

4. Where are the services (SQL, Apache) on my server farm incorporated?

5. I don't see the conf showing the mail server set to 512kbps up/down? The last answer needs to have a vlan for the mail server,

but you set it to 2mbps and I need 512kbps, and if that is the case do you mean all of vlan 8, which is the server farm, will have 512kbps, or do I need to have a separate vlan for the mail server? Please guide me

Joseph

Hi Joseph,

1. Please clarify: where is the conf of the router and switches from your post??
This is something you need to do initially, and after that, if anything needs fine tuning, I can help you.

3. How does the http/internet traffic get sent to the proxy 192.168.4.6 from the router, so that the client can browse?
Regarding this you need to create a route-map and set the default gateway as required, which I can help you with.
Let me clarify: is this 192.168.4.6 proxy a server, a firewall or a router?


5. I don't see the conf showing the mail server set to 512kbps up/down? The last answer needs to have a vlan for the mail server.
Do you have a separate vlan for the mail server range? If yes we can do that, but remember the defined policy will affect the whole vlan.

Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

Thanks Naidu

192.168.4.6 proxy is a server and I want all users to browse; it is Linux with squid and NOT a firewall or router. My router from my post is named 1921.

I saw several comments regarding "set next hop 192.168.4.6" so that traffic will be sent to the proxy, as users need to browse.

OK, the vlan for the mail server will be 192.168.9.1/24.

Kindly give details so as to have 512kbps up/down, and so it can be accessed internally even when there is no internet.

thanks

Hi Joseph,

Now it is possible....

OK, the vlan for the mail server will be 192.168.9.1/24.
Kindly give details so as to have 512kbps up/down, and so it can be accessed internally even when there is no internet.

See the below config....


Police a specific VLAN number on the VLAN interface.

int vlan 10
 description Mail server
 ip address 192.168.9.1 255.255.255.0
!
! Classify by VLAN tag. "match vlan" is platform dependent; on a router that
! lacks it, use "class class-default" in the policy-map instead, which on this
! SVI covers the same traffic.
class-map match-all vlan10
 match vlan 10
!
! police <rate in bps> <burst in bytes>: 512000 bps is the 512 kbps asked for
! (the original value 100000 would have policed at 100 kbps).
policy-map vlan10-limit
 class vlan10
  police 512000 96000 exceed-action drop
!
! "input" polices what the mail server sends (upload); apply the same policy
! "output" as well for the download direction.
int vlan 10
 service-policy input vlan10-limit
 service-policy output vlan10-limit

After you apply this configuration, the traffic on VLAN 10, coming from any source, will be policed at 512Kbps.

Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

Thanks for the settings for the mail server to have 512kbps, good job.

Now I want all http/internet browsing traffic from the router to be directed to the proxy server (NOT a firewall or router, as asked previously), so that clients browsing pass through the proxy, but the mail server and the server vlan should be able to access the internet directly without passing through the proxy.

Sorry for the disturbance.

I just saw the below on the internet and I don't know exactly what it is, but I think something like this directs traffic to the proxy. How do I integrate it with my vlan plan, please?

create Route-map to tell the router where to send the traffic:
route-map PROXY permit 120
match ip address 110
set ip next-hop 192.168.0.200

Enable the Policy route on the Ethernet interface:
interface Ethernet 0
ip policy route-map PROXY
ip route-cache policy
ip route-cache same-interface

nice time

J

Hi Joseph,

Created the below config for you in order to get the internet access from vlan 2 3 4 5 6 7 through your Proxy.
Please try to configure the below in your router and check the access.


interface vlan 2
 ip address 192.168.1.1 255.255.255.0
 ip access-group vlan2 in
 ip policy route-map INT_ACCESS
!
interface vlan 3
 ip address 192.168.2.1 255.255.255.0
 ip access-group vlan3 in
 ip policy route-map INT_ACCESS
!
interface vlan 4
 ip address 192.168.3.1 255.255.255.0
 ip access-group vlan4 in
 ip policy route-map INT_ACCESS
!
interface vlan 5
 ip address 192.168.4.1 255.255.255.0
 ip access-group vlan5 in
 ip policy route-map INT_ACCESS
!
interface vlan 6
 ip address 192.168.5.1 255.255.255.0
 ip access-group vlan6 in
 ip policy route-map INT_ACCESS
!
interface vlan 7
 ip address 192.168.6.1 255.255.255.0
 ip access-group vlan7 in
 ip policy route-map INT_ACCESS
!
! Packets matching ACL 175 whose destination has no explicit route in the
! routing table are sent to the proxy. "default next-hop" (rather than
! "next-hop") is what keeps the server, web and mail VLANs on their normal
! path when the internet is down. The next hop must be on a subnet directly
! connected to this router.
route-map INT_ACCESS permit 10
 match ip address 175
 set ip default next-hop 192.168.4.6
!
! Source networks that are policy routed (the six user VLANs). Extended ACL
! entries need a wildcard mask after each network address.
ip access-list extended 175
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 deny ip any any
!
! The inbound vlanN ACLs are evaluated before policy routing, so each of them
! must also permit traffic to the proxy (for example
! "permit tcp any host 192.168.4.6 eq 3128"), or their final deny drops it.

Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.
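Here is an added Python model, not from this thread or from Cisco, of why this reply uses `set ip default next-hop` rather than the `set ip next-hop` form in the snippet Joseph found online. IOS consults the routing table first and applies a *default* next-hop only when the destination has no explicit (non-default) route, so traffic to the mail, web and server VLANs keeps its normal path even during an internet outage (requirements 7 and 8), while destinations covered only by the default route go to squid. The routing table, the test hosts and the names `ROUTES`, `lookup()` and `forward()` are my constructed assumptions; the subnets are the ones from the thread, and the model assumes the inbound vlanN ACLs already permit the proxy.

```python
import ipaddress
from typing import Tuple

# Constructed routing table for the router in this thread: the connected VLAN
# subnets from the replies plus a default route to the ISP.
ROUTES = [
    ("192.168.1.0/24", "connected Vlan2"),
    ("192.168.2.0/24", "connected Vlan3"),
    ("192.168.3.0/24", "connected Vlan4"),
    ("192.168.4.0/24", "connected Vlan5"),
    ("192.168.5.0/24", "connected Vlan6"),
    ("192.168.6.0/24", "connected Vlan7"),
    ("192.168.7.0/24", "connected Vlan8"),
    ("192.168.8.0/24", "connected Vlan9"),
    ("192.168.9.0/24", "connected Vlan10"),
    ("0.0.0.0/0", "default via ISP"),
]

# Source networks matched by access-list 175 (the six user VLANs).
PBR_SOURCES = [ipaddress.ip_network(p) for p, _ in ROUTES[:6]]
PROXY = "192.168.4.6"  # squid, from the thread


def lookup(dst: str) -> Tuple[ipaddress.IPv4Network, str]:
    """Longest-prefix match over ROUTES, like the IOS routing table."""
    best = None
    ip = ipaddress.ip_address(dst)
    for prefix, nexthop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


def forward(src: str, dst: str, mode: str = "default") -> str:
    """Forwarding decision for a packet entering a user-VLAN SVI that has
    'ip policy route-map INT_ACCESS' applied.

    mode="default"  models 'set ip default next-hop': the routing table wins
                    whenever it holds an explicit (non-default) route.
    mode="next-hop" models 'set ip next-hop': every packet matching ACL 175
                    is policy routed regardless of the routing table.
    """
    net, nexthop = lookup(dst)
    matched = any(ipaddress.ip_address(src) in n for n in PBR_SOURCES)
    if matched and mode == "next-hop":
        return f"policy -> {PROXY}"
    if matched and mode == "default" and net.prefixlen == 0:
        return f"policy -> {PROXY}"  # only the default route covers dst
    return nexthop


if __name__ == "__main__":
    cases = [
        ("192.168.1.10", "203.0.113.10", "default"),   # user VLAN -> internet
        ("192.168.1.10", "192.168.9.5", "default"),    # user VLAN -> mail server
        ("192.168.1.10", "192.168.9.5", "next-hop"),   # same, with plain next-hop
        ("192.168.7.5", "203.0.113.10", "default"),    # server VLAN -> internet
    ]
    for src, dst, mode in cases:
        print(f"{src:14} -> {dst:14} [{mode:8}] {forward(src, dst, mode)}")
```

With `mode="next-hop"` a VLAN 2 host's packet to the mail server would also be sent to the proxy, which is exactly what requirement 7 forbids; the `default` form leaves it on the connected Vlan10 route, and the server VLANs, which ACL 175 does not match, still reach the ISP directly (requirement 5).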