Is this possible to do ?

Levi_Lenaers
Level 1

I have a small network built in Packet Tracer for testing VLANs.

 

I created 4 VLANs: VLAN 1, VLAN 2, VLAN 20 and VLAN 99.

VLAN 1 and 2 are used for client computers, VLAN 20 for a web and DNS server, and VLAN 99 for a MGMT computer to have an SSH connection to switch 1. (Don't mind switch 2.)

 

Now, is it possible to have all the VLANs communicating with VLAN 20 to access all the servers, but without them being able to communicate with each other? They just need access to the server.

 

I chose the main network to be 192.168.0.0/16; they all have a netmask of 255.255.0.0.

7 Replies

Hello,

 

your VLANs cannot communicate without a layer 3 (router) device. On the router, you can use access lists to restrict inter-VLAN access.

 

Post the Packet Tracer project file (zip it first, otherwise you cannot upload it) so we can configure this and show you how to do it...

Ah okay :)

 

I also made a textbox with the commands I used to set up the VLANs.

Hello,

 

attached the revised version. A router with subinterfaces has been added, one for each VLAN. The concept is called router-on-a-stick. I also changed the IP address of the DNS server to 192.168.20.200 (you had 192.168.5.200 configured). Also, I set FastEthernet0/8 on the switch, the interface connecting to the router, to a trunk port. And last but not least, I added DHCP pools for each VLAN on the router, so if you want, you can set all PCs to DHCP...

Really, thanks for the help explaining it to me, it really helped. Just gonna review the PT file and see if I can recreate this.

 

thanks again

Hello,

 

I just noted I forgot the access list, which is what your original post was about. Will add them...

Hello,

 

here is the router config with the access lists required and applied to the subinterfaces to allow access only to VLAN 20 (additions were marked in bold):

 

Building configuration...

Current configuration : 1835 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.100
ip dhcp excluded-address 192.168.20.200
ip dhcp excluded-address 192.168.99.1
ip dhcp excluded-address 192.168.99.100
!
ip dhcp pool VLAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.20.200
ip dhcp pool VLAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.20.200
ip dhcp pool VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 192.168.20.200
ip dhcp pool VLAN99
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
dns-server 192.168.20.200
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/0.99
encapsulation dot1Q 99 native
ip address 192.168.99.1 255.255.255.0
ip access-group 199 in
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 199 permit ip 192.168.99.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 199 permit ip 192.168.20.0 0.0.0.255 192.168.99.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
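An added example (not from the thread or any poster) that parses the access-list and ip access-group lines from the config above and evaluates sample flows with Cisco wildcard-mask, first-match and implicit-deny semantics, so you can check on paper that each client VLAN reaches VLAN 20 and nothing else before loading the config on the router. The inline config string and the sample host addresses are constructed for the example.

```python
import ipaddress
# Constructed sample: the ACL and access-group lines from the router config
# posted above, as an inline string (Fa0/0.20 intentionally has no ACL).
ROUTER_CONFIG = """
interface FastEthernet0/0.1
 ip access-group 101 in
interface FastEthernet0/0.2
 ip access-group 102 in
interface FastEthernet0/0.20
interface FastEthernet0/0.99
 ip access-group 199 in
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 199 permit ip 192.168.99.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 199 permit ip 192.168.20.0 0.0.0.255 192.168.99.0 0.0.0.255
"""

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit means that bit of addr must equal base."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def parse_config(text):
    """Return (acls, bindings): ACL number -> entries, subinterface -> inbound ACL."""
    acls, bindings, iface = {}, {}, None
    for parts in (line.split() for line in text.splitlines()):
        if not parts:
            continue
        if parts[0] == "interface":
            iface = parts[1]
            bindings[iface] = None  # no ACL bound until an access-group line appears
        elif parts[:2] == ["ip", "access-group"] and iface:
            bindings[iface] = int(parts[2])
        elif parts[0] == "access-list" and len(parts) >= 8 and parts[3] == "ip":
            acls.setdefault(int(parts[1]), []).append((parts[2], *parts[4:8]))
    return acls, bindings

def evaluate(acls, bindings, iface, src, dst):
    """Inbound decision on iface: first matching entry wins, else implicit deny."""
    acl = bindings.get(iface)
    if acl is None:
        return "permit"  # no ACL bound, so the router forwards everything
    for action, sb, swc, db, dwc in acls.get(acl, []):
        if wildcard_match(src, sb, swc) and wildcard_match(dst, db, dwc):
            return action
    return "deny"
```

Note that the second line of each ACL (VLAN 20 as source) never matches inbound on a client subinterface; it is harmless but only the first line does the work.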

Many ways are possible, depending on your design / infra / hardware. A few options are:

-> Use ACL
-> Use FW between VLAN and traffic filtering/blocking/allowing
-> Use VRF
-> Use Private VLAN