Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1210
Views
0
Helpful
4
Replies

SF300 Inter-Vlan Communication

John Brainard
Level 1
Level 1

‎11-13-2013 09:33 AM

I have read over quite a few of thes, and either can't seem to find my answer....OR can't recongize that was my answer!

I have 2 vlans, vlan1 (secure) vlan2 (guest wifi).  Vlan1 is getting ip from DHCP server 10.10.11.x.  Vlan2 is getting IP from DHCP server  10.10.12.x.  The gateway for the internet lies in vlan1's scheme of 10.10.11.254.  I need to get internet to the vlan2 guest wifi people, but not give them access to all the internal secure stuff in vlan1. 

I can't just connect another switch ot teh cisco 891 router becasue all internet traffic needs to run through the IPRISM filter we are using.

I'm new to vlans, and just need to know how to get vlan2 on the internet.

thanks ahead of time, John              

Labels:
0 Helpful
4 Replies 4

Tom Watts
VIP Alumni
VIP Alumni

‎11-13-2013 10:04 AM

Hi John, I suspect you read over the answer but didn't quite recognize it

One of two things has to happen.

1- Your switch remains in layer 2 mode (by default) and you create a trunk between the switch and the router for vlan 1 untagged, vlan 2 tagged

or

2- You change the switch in to layer 3 mode, create the IP interfaces and then create a static route on your router pointing back to the SVI of the switch to make the router aware of the second subnet.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful

John Brainard
Level 1
Level 1
In response to Tom Watts

‎11-14-2013 06:04 AM

ok...thank you so much for replying. 

I currently have the swtich in L3.  Here is a basice setup of what i have plugged in where. 

WAP = FE24, 10.10.11.4, vlan1, tagged vlan2. 

DHCP = GE2, 10.10.11.1 vlan1, tagged vlan2

Webfilter = FE2, 10.01.11.18, no vlan (native 1 i guess)

Router is at 10.10.11.254, HOWERVER is only accessable through the webfilter.  (cable connects switch to filter, then filter out to router)  Its a Cisco 891.

So i know i need to do option 2, just don't really understand how.

thanks again

John

      

**

under IPv4 static routes,  i have 1 entry

destination 0.0.0.0, prefix 0, type remote, next hop 10.10.11.254, owner static, metric 1

0 Helpful

John Brainard
Level 1
Level 1
In response to John Brainard

‎11-14-2013 07:29 AM

Ok, so i put in a default route in the router for 10.10.12.0 255.255.255.0 10.10.11.11

and now it seems to be working!!  YEAH...BUT i have one issue real quick

i dont' want it to be able to ping the server on the 10.10.11.x network.  I set the DHCP dns to be 8.8.8.8 for that network.  But, when i tried pinging dc1 (10.10.11.1) it responded on an IPV6 response address.  So, somehow the 10.10.12.x vlan is DNS aware of the 10.10.11.x vlan, and can talk to it.  

Can i keep that from happening?

0 Helpful

Tom Watts
VIP Alumni
VIP Alumni
In response to John Brainard

‎11-14-2013 10:50 AM

Hi John, the switch in layer 3 mode automatically builds the routes for different vlans and subnets to communicate. If your goal is to separate the network for 2 distinct vlans but maintain the internet access then an access list of the switch must be created.

The access list is ingress only (inbound to the port). Meaning if you have Client in subnet B connecting to port 1 and a server in subnet A connecting to port 2, to prevent that client from hitting that server you'd need an access list applied to port 1.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful
Customers Also Viewed These Support Documents