02-28-2013 06:17 AM
Hi, I'm a first-time Cisco networking device user. My current scenario is one where I need to create VLANs to segregate computers which are connected to a DC (Domain Controller). The DC also acts as the DNS server. I need to configure 3 VLANs and administer internet access to one of them. Can someone guide me on this? I appreciate any help.
I'm having Cisco SG300-28P 28-Port Gigabit PoE Managed Switch with Release 1.2.7.76 firmware and Windows Server 2008 R2 Enterprise Edition.
I also have a Printer and Scanner with static IP's which need to be accessed by all computers.
Thank you in advance, again.
Parth
02-28-2013 07:40 AM
Good morning
Hi Parth, thanks for using our forum. My name is Johnnatan and I am part of the Small Business Support community. First of all, you have to configure your VLANs; you can create them using these documents:
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=78
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=1837
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3252
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=2193
After that, you have to create an ACL in order to provide internet access to one VLAN and block it in the other VLANs.
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=69
Remember to set your device as a “Layer 3” device. I hope you find this answer useful,
*Please mark the question as Answered or rate it so other users can benefit from it"
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
Cisco has a very useful tool called GuideMe. It is made for small business products, and your device is in this category. You can use this address to access the tool: http://sbkb.cisco.com/CiscoSB/Loginr.aspx?alt1=&pid=4&eroute=Super . It is very easy to use; just complete the 3 spaces this way:
Select a category: (Select the device type on request), e.g. Switches
Enter model: (Type the model on request), e.g. Sg300
Question: (Type what you want to know about the device), e.g. Vlan configuration
And it'll be showing all the information you need about what you wrote.
03-01-2013 12:06 AM
Thank you for the answer, Johnnatan. I'll be going through the links and once I'm done I'll mark your response as an answer. I hope that's okay.
Onto the link
It's Friday, Have a great Weekend
PS: I still have to go through the links, but just to be sure, I hope that I will be able to provide access to particular ports to all VLANs, as the server needs to be accessible by all VLANs.
Message was edited by: Parth Maniar. Added PS:*
03-04-2013 07:06 AM
Hi Parth, how was your weekend?
Did you resolve your issue? I encourage you to share with us your advance.
*Please mark the question as Answered or rate it so other users can benefit from it"
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
03-05-2013 03:40 AM
Dear Johnnatan, the weekend was busy and that is purely my fault since I'm a complete novice in networking (including Cisco products). I am positive you would have had a better weekend than mine.
I have gone through the links you've provided, but there is a correction to the scenario I've mentioned. There is an ethernet cable which is plugged into a router (small, local, provided by the service provider). This router is the source of the internet.
So now the scenario is 2 VLANs which should communicate with 2 different static IPs - 1 will be the server and 1 will be the gateway (the internet link).
Can you help me with this?
Pardon me if I sound stupid but I'm learning.
Thank you in advance.
03-05-2013 05:53 AM
Good morning
Hi Parth
I understand that you have connected the server and the router to your switch? If I am right, what you have to do is use the documents I posted above, create the VLAN and enable the routing mode (Layer 3). You can also use GuideMe, a useful tool made for small business products, and your device is in this category. You can use this address to access the tool: http://sbkb.cisco.com/CiscoSB/Loginr.aspx?alt1=&pid=4&eroute=Super . It is very easy to use; just complete the 3 spaces this way:
Select a category: (Select the device type on request), e.g. Switches
Enter model: (Type the model on request), e.g. Sg300
Question: (Type what you want to know about the device), e.g. VLAN
And it'll be showing all the information you need about what you wrote.
I hope you find this answer useful,
*Please mark the question as Answered or rate it so other users can benefit from it"
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
03-07-2013 01:53 AM
Thank you very much Johnnatan, I've used the GuideMe tool to successfully create a VLAN.(This is the article -
Johnnatan, I'm sorry to bother you again, but can you now help me with creating rule(s) for the second part of my current predicament?
1. Can I use the switch in L3 mode and connect it to another router provided by my ISP?
2. If so, how do I route internet access to particular ports?
3. Lastly, if I want to restrict internet access in terms of URLs and keywords, is it possible?
Thank you again. I will, however, be using the GuideMe tool too. I'm sorry to ask for what will seem like spoonfeeding.
03-07-2013 09:04 AM
Hi Parth, you can connect your switch to the router and have Internet access without any problem; what you need is to enable the DHCP option, you can see the configuration here. About the Internet restriction, I think this switch doesn't have that feature, I mean it can't block using keywords. However, I'm going to look for information about it and then I will come back to answer you.
I hope you find this answer useful,
*Please mark the question as Answered or rate it so other users can benefit from it"
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
03-07-2013 12:54 PM
Hi Parth, as I told you, they don't have that feature; however, you can make an ACL to achieve similar results.
Here is an example, if you want to block cisco.com:
ip access-list extended "break cisco"
deny ip 192.168.100.124 0.0.0.0 72.163.4.161 0.0.0.0
permit ip any any
interface fastethernet1
service-acl input "break cisco"
fa1 is where my computer is located
*Please mark the question as Answered or rate it so other users can benefit from it"
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
"Example and information provided by Tom Watts"
03-12-2013 01:19 AM
I'm having success using this method to block particular IP address. Thank You.
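The ACL posted above, modelled as an added example (not part of the original posts and not Cisco code): a small first-match evaluator showing what the two entries actually block. It assumes standard Cisco ACL semantics (wildcard bits set to 1 are ignored, first match wins, implicit deny at the end); `VLAN20_ONLY_SERVER` and its 192.168.20.0 subnet are constructed, and go beyond the post to cover the per-VLAN case.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # wildcard of all ones: every bit is "don't care"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; each side is 'any' or 'addr wildcard'."""
    action, proto, *rest = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    sides = []
    while rest:
        if rest[0] == "any":
            sides.append(ANY)
            rest = rest[1:]
        elif len(rest) >= 2:
            sides.append((_ip(rest[0]), _ip(rest[1])))
            rest = rest[2:]
        else:
            raise ValueError(f"address without wildcard: {line!r}")
    if len(sides) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return action, sides[0], sides[1]

def _matches(ip, side):
    addr, wildcard = side
    care = ~wildcard & 0xFFFFFFFF      # bits that must be equal
    return (_ip(ip) & care) == (addr & care)

def evaluate(acl, src, dst):
    """First matching entry decides; assumed implicit deny if none match."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

# Entries from the post: one host blocked from one destination address.
BREAK_CISCO = ["deny ip 192.168.100.124 0.0.0.0 72.163.4.161 0.0.0.0",
               "permit ip any any"]

# Constructed: a VLAN subnet that may reach only the server 192.168.1.99.
VLAN20_ONLY_SERVER = ["permit ip 192.168.20.0 0.0.0.255 192.168.1.99 0.0.0.0",
                      "deny ip 192.168.20.0 0.0.0.255 any",
                      "permit ip any any"]
```

The wildcard 0.0.0.0 matches exactly one address, so the rule stops only that host from reaching that one IP; any other address serving the same site still falls through to `permit ip any any`.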
03-12-2013 01:24 AM
On a second installation with the same setup I'm having a problem providing internet access.
Switch (in L3 mode) has IP address 192.168.1.254.
Router connected to port G25 has IP address 192.168.1.1. This is a WiFi router provided by the ISP which has 4 ethernet ports; I've connected one of the ports to the Cisco switch (G25).
Machines have their default gateway set to the switch (192.168.1.254).
Machines have their default DNS set to a server (Microsoft Active Directory Server). The server has been set to forward unknown requests to 192.168.1.1 (server IP is 192.168.1.99).
There are NO VLANs.
However, my problem is that I can't ping the router from the switch and vice versa. The link port on the switch shows activity (green light).
Any idea what is wrong?
03-12-2013 07:34 AM
Hi Parth,
If you have configured just VLAN 1 in your switch, you could use the router address (192.168.1.1) as the default gateway in your computers instead of the switch address. Also disable the DHCP option in the switch, because the router could provide them the addresses. If this doesn't work, could you provide me your switch and router configuration? I also recommend you use the switch in Layer 2 mode: since there are no VLANs, there is no point in L3 mode. I hope this solution works for you, and many thanks for using our forum.
*Please mark the question as Answered or rate it so other users can benefit from it"
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
03-22-2013 04:26 AM
Hey Johnnatan, your opinion was exactly what I needed. All my queries are solved! Thank you for all the help you've provided.