07-13-2015 09:15 AM - edited 03-08-2019 12:57 AM
Hello
I have a site with a router and switch using 10. addresses.
I have another business partner moving into the same office
I have a Cisco 891.
I have been tasked with creating a private network behind this other network. (A temporary solution)
I need to keep the new network traffic completely separate from existing Production. However, the new network will use the same WAN link as existing Production network.
I plan on using the subnet 192.168.78.x/24 as this is not currently on existing Production network
ip dhcp excluded-address 192.168.78.1 192.168.78.59
ip dhcp excluded-address 192.168.78.240 192.168.78.255
!
! Pool name NEWNET is a placeholder; the original post had the subnet on the "ip dhcp pool" line,
! which IOS rejects, so the subnet is moved to the "network" statement
ip dhcp pool NEWNET
 network 192.168.78.0 255.255.255.0
 default-router 192.168.78.1
 dns-server 8.8.8.8
!
interface Vlan110
 description DATA
 ip address 192.168.78.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
I will use an acl to deny traffic from exiting Production network into new network
object-group network InternalNets
 10.0.0.0 255.0.0.0
 170.x.0.0 255.255.0.0
The switch I will connect to is a 3750.
The vlan on that switch is 10.x.101.x/24 - this subnet is created on Production DHCP server. The addresses 10.x.101.1 - 59 are excluded from DHCP service.
I believe I will need to NAT the 192.168.78.x addresses to one of the 10.x.101 to be routable thru the current Prod network.
I am a little lost on correct config to accomplish this. Please review and advise.
See diagram
07-15-2015 08:03 AM
Ok, I see.
You configured new subnet 192.168.78.x on 891 router. Next make this network routable using some IGP or static routes. I would not use NAT in this case, simply apply outbound ACL on interface VLAN 110 on 891 router in the order:
1. Permit any traffic to specific networks where users of 192.168.78.x network are intended to have access (maybe there will be several statements)
2. Deny any other IP traffic
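The routing-plus-ACL approach from the reply above, written out as an added example for the 891 (this is not configuration posted by either participant). Assumed values: FastEthernet8 as the routed uplink to the 3750, the /30 from the later post with its unknown octet left as x, the ACL name NEWNET-IN, and one hypothetical Production host 10.x.101.20 standing in for whatever the tenant is actually allowed to reach. Because the tenant must reach the Internet over the shared WAN, the "deny any other IP traffic" step is expressed as a deny against the InternalNets object group from the first post followed by a permit for the rest; a plain deny-all would cut off the Internet path as well.

```cisco
! Added example, not from the thread. Placeholders: FastEthernet8, 10.0.x.254/30, NEWNET-IN, 10.x.101.20
!
! Routed uplink toward the Production 3750 (the /30 idea from the thread)
interface FastEthernet8
 description Uplink to Production 3750
 ip address 10.0.x.254 255.255.255.252
 no shutdown
!
! Everything not on the tenant subnet goes toward the 3750 end of the /30, which then
! follows Production's existing default route out the shared WAN link
ip route 0.0.0.0 0.0.0.0 10.0.x.253
!
! Production address space as defined in the first post (x octet unknown)
object-group network InternalNets
 10.0.0.0 255.0.0.0
 170.x.0.0 255.255.0.0
!
! Filter applied where the tenant's packets enter the router (inbound on the SVI):
!  1) permit the few Production destinations the tenant genuinely needs
!  2) deny everything else that is Production, and log it so violations are visible
!  3) let the remainder (Internet) through the shared WAN
ip access-list extended NEWNET-IN
 remark -- step 1: explicit exceptions, one line per allowed destination/service --
 permit tcp 192.168.78.0 0.0.0.255 host 10.x.101.20 eq 443
 remark -- step 2: the rest of Production is off limits --
 deny   ip 192.168.78.0 0.0.0.255 object-group InternalNets log
 remark -- step 3: Internet via the shared WAN link --
 permit ip 192.168.78.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan110
 ip access-group NEWNET-IN in
!
! On the 3750 (or wherever Production's routing lives) the tenant subnet needs a return route:
!   ip route 192.168.78.0 255.255.255.0 10.0.x.254
```

Two points to check before relying on this. First, direction: on an IOS SVI, `in` matches packets arriving from the hosts on that VLAN, which is the direction the "permit traffic to specific networks" wording describes; the reply says outbound, which on an SVI filters packets the router sends toward the tenant hosts. Second, IOS access lists are stateless, so if you also apply a deny-all ACL `out` on Vlan110 to stop Production from initiating connections toward 192.168.78.0/24 (the first post's stated goal), it will also drop the tenant's return traffic unless you allow it explicitly (for TCP the `established` keyword; for a cleaner result, a stateful zone-based firewall policy). The `log` keywords on the deny lines give you a simple audit trail of attempted crossings between the two networks.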
07-15-2015 02:48 AM
You wrote:
I have been tasked with creating a private network behind this other network. (A temporary solution)
I need to keep the new network traffic completely separate from existing Production. However, the new network will use the same WAN link as existing Production network.
And then:
I believe I will need to NAT the 192.168.78.x addresses to one of the 10.x.101 to be routable thru the current Prod network.
These conditions are contradictory. Before giving some advice, let's clear a few things up:
1. You configured this on your 891 router:
interface Vlan110
 description Sang_Menard DATA
 ip address 192.168.78.1 255.255.255.0
but where is the 10.x.x.x network? And where do you want to place users for the new 192.168.78.x network?
2. You want to use the same WAN link for the new network as the current production network - where is this WAN link located? It is unclear from your configuration and diagram. By the way, be careful when you attach devices' configs - you shared your IPSec private key.
3. There are two 3845 routers on your diagram - what are they used for?
Make your diagram clearer - add IP addresses and interfaces and where exactly they are configured, plus add the 3750 and 3845 configurations.
07-15-2015 07:48 AM
Dukenuk96
Thank you for the response.
Will be more careful next time with config. That VPN config will not be used anyway.
The 3750 and 3845 are Production devices so I do not want to add their configs to a forum.
The ip addresses shown are next to the device they are configured on.
The 10.0 network is located on the current Production switch (10.x.101.x/24).
I think I will need to create a new subnet and borrow 10.0.x.254/30 for the L3 link from the switch to the 891.
The (2) 3845 routers are used as WAN routers from the remote site back to HQ.
The users will be placed off the 891 router. It is an 8 port device with POE.
07-16-2015 07:38 AM
Dukenuk
Thank you for your guidance