Creating a VLAN and isolating a PC on the network

mandavikas
Level 1

Hello Cisco Community,

I was given the task of creating a VLAN and isolating one PC so that it can access an internal website (192.168.90.15) on a specific port (port 8080).

The pc is connected in the following manner:

PC--> HP Switch --> Cisco Small Business SG200 switch --> 3550 Catalyst 1, 3550 Catalyst 2 and 3550 Catalyst 3.

I have created VLAN 110 on the main 3550 Catalyst switch and successfully added the PC to that VLAN.

However, that PC must be able to access the internet and an internal website on port 8080.

I have placed an access list on the main 3550 Catalyst switch, which is connected to our router, as below:

Client ip address: 192.168.100.2

VLAN 110: 192.168.100.3

access-list 110 permit tcp host 192.168.100.2 host 192.168.90.15 eq 8080
access-list 110 permit icmp host 192.168.100.2 any
access-list 110 deny ip 192.168.100.0 0.0.0.255 any

I was unable to access the webserver even after many attempts.

I know I am definitely missing something here, and I would greatly appreciate it if anybody could shed some light on this.

Thank you in advance for reading this!

Regards,

Vik

2 Replies

shamax_1983
Level 3

Hi Vikas,

For this to work you should have the VLAN created in all switches along the way up to the main 3550 switch. On HP switches, make sure you tag the ports with VLAN 110 (the ports that are connected to other switches) and untag the port in VLAN 110 that you use to connect the PC.

I assume you have created an SVI for VLAN 110 on your switch (a VLAN interface) and configured the IP address on the SVI (I believe it is 192.168.100.3). The access list you mentioned should be applied inbound on the SVI.

Make sure you can ping your gateway IP (the SVI IP you assigned).

If you can ping the gateway IP, that means your VLAN settings are all good. If not, you should look into your VLAN settings in each VLAN, and also make sure the IP/subnet mask is correct.

If all is good:

Make sure the internal web host knows the return path to the new subnet. (If the web host's subnet is directly connected to the same core switch (3550), this shouldn't be a problem. If not, make sure each router has a return route to the new subnet.)

Also make sure nothing (such as ACLs) is blocking the return traffic.

Let me know how you go.

Please don't forget to mark/rate helpful posts.

--

Shamal

Shamal,

Thank you for the prompt response. Due to being sick, I was unable to follow up on this post and have not tried creating the VLAN.

Could you please walk me through, step by step, how to tag the ports with VLAN 110 on the HP switch?

I made sure the PC connected to the HP switch is untagged.

I can ping my default gateway IP, which is 192.168.90.1, successfully. Do I have to set a default gateway for VLAN 110?

I have created VLAN 110 on the core switch (3550) with the following configuration:

interface Vlan110
ip address 192.168.100.3 255.255.255.0
ip access-group 110 in

access-list 110 permit tcp host 192.168.100.2 host 192.168.90.15 eq 8080
access-list 110 permit icmp host 192.168.100.2 any
access-list 110 deny ip 192.168.100.0 0.0.0.255 any

The remaining two 3550 switches show VLAN 110 as active when I use the command show vlan.

Do I have to create an SVI on all the 3550 switches? I did not find any VLAN 110 information in the running config of the other 3550 switches.

I do not have any real-world networking experience. I achieved my CCNA about 7 months ago, but did not do anything related to networking until recently, so I need to brush up on the basics again.

I would really appreciate it if you could help me out with this.

Thanks once again!

Vikas
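To see exactly what the `access-list 110` lines quoted in both of Vikas's posts do, the following Python script (an added example, not code from this thread or from Cisco) parses those three lines and evaluates constructed sample packets the way IOS evaluates an extended ACL: top-down, first match wins, implicit deny at the end. Because the ACL is applied with `ip access-group 110 in` on `interface Vlan110`, only traffic arriving from VLAN 110 is evaluated, which is why the web server's return traffic (Shamal's return-route point) is never tested by this list. The evaluation also shows that, as written, the list permits only the 8080 flow and ICMP from the PC and denies every other packet from the 192.168.100.0/24 subnet, including any traffic the PC would send toward the internet or to a DNS server. The sample packets and the external address 203.0.113.10 are constructed for this example.

```python
"""Small Cisco IOS extended-ACL evaluator (added example, not from the thread).

Parses the `access-list 110` lines posted in the thread and evaluates
constructed sample packets with IOS semantics: top-down, first match wins,
implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, None for ICMP


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port
    text: str                        # original ACL line, for reporting


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_acl(text):
    """Parse numbered extended-ACL lines of the shape used in the thread."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        # access-list <num> <permit|deny> <proto> <src> <dst> [eq <port>]
        _, _, action, proto = tokens[:4]
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, dst, dport, line.strip()))
    return rules


def evaluate(rules, pkt):
    """Return (action, matched_rule_text); unmatched packets hit the implicit deny."""
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if src not in r.src_net or dst not in r.dst_net:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.text
    return "deny", "implicit deny at end of ACL"


# The three lines exactly as posted in the thread.
ACL_110 = """
access-list 110 permit tcp host 192.168.100.2 host 192.168.90.15 eq 8080
access-list 110 permit icmp host 192.168.100.2 any
access-list 110 deny ip 192.168.100.0 0.0.0.255 any
"""

RULES = parse_acl(ACL_110)

# Constructed sample traffic entering the SVI from VLAN 110, the only direction
# that `ip access-group 110 in` on interface Vlan110 filters. 203.0.113.10 is a
# documentation address standing in for "somewhere on the internet".
SAMPLES = {
    "pc_to_web_8080":     Packet("tcp", "192.168.100.2", "192.168.90.15", 8080),
    "pc_to_web_80":       Packet("tcp", "192.168.100.2", "192.168.90.15", 80),
    "pc_ping_gateway":    Packet("icmp", "192.168.100.2", "192.168.100.3"),
    "pc_to_internet_443": Packet("tcp", "192.168.100.2", "203.0.113.10", 443),
    "pc_dns_query":       Packet("udp", "192.168.100.2", "192.168.90.1", 53),
    "other_host_in_vlan": Packet("tcp", "192.168.100.50", "192.168.90.15", 8080),
}


def decisions():
    """Map each sample name to the ACL's permit/deny decision."""
    return {name: evaluate(RULES, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, rule = evaluate(RULES, pkt)
        print(f"{name:20} {action:6} <- {rule}")
```

Running it prints one line per sample packet with the decision and the ACL line that produced it. The two permits are the 8080 connection and ICMP; the 443 and DNS samples are denied by the third line, which is what to look at if the PC is also expected to reach the internet, and a packet from the PC on any port other than 8080 is likewise denied. A source outside 192.168.100.0/24 falls through all three lines to the implicit deny.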