01-11-2019 04:29 AM - edited 03-08-2019 05:00 PM
I have a small network built in Packet Tracer for testing VLANs.
I created 4 VLANs: VLAN 1, VLAN 2, VLAN 20 and VLAN 99.
VLAN 1 and 2 are used for client computers, VLAN 20 for a web and DNS server and VLAN 99 for a MGMT computer to have an SSH connection to switch 1. (Don't mind switch 2)
Now, is it possible to have all the VLANs communicating with VLAN 20 to access all the servers, but they can't have communication with each other? They just need access to the server.
I chose the main network to be 192.168.0.0/16; they all have a netmask of 255.255.0.0.
01-11-2019 04:36 AM
Hello,
your VLANs cannot communicate without a layer 3 (router) device. On the router, you can use access lists to restrict inter-VLAN access.
Post the Packet Tracer project file (zip it first otherwise you cannot upload) so we can configure this and show you how to do it...
01-11-2019 04:48 AM
01-11-2019 05:44 AM
Hello,
attached the revised version. A router with subinterfaces has been added, one for each VLAN. The concept is called router-on-a-stick. I also changed the IP address of the DNS server to 192.168.20.200 (you had 192.168.5.200 configured). Also, I set FastEthernet0/8 on the switch, the interface connecting to the router, to a trunk port. And last but not least, I added DHCP pools for each VLAN on the router, so if you want, you can set all PCs to DHCP...
01-11-2019 05:51 AM
Really, thanks for the help explaining it to me, it really helped. I'm just going to review the PT file and see if I can recreate this.
Thanks again
01-11-2019 06:33 AM
Hello,
I just noted I forgot the access list, which is what your original post was about. Will add them...
01-11-2019 06:43 AM
Hello,
here is the router config with the access lists required and applied to the subinterfaces to allow access only to VLAN 20 (additions marked in bold):
Building configuration...
Current configuration : 1835 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.100
ip dhcp excluded-address 192.168.20.200
ip dhcp excluded-address 192.168.99.1
ip dhcp excluded-address 192.168.99.100
!
ip dhcp pool VLAN1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.20.200
ip dhcp pool VLAN2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.20.200
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 192.168.20.200
ip dhcp pool VLAN99
 network 192.168.99.0 255.255.255.0
 default-router 192.168.99.1
 dns-server 192.168.20.200
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 102 in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99 native
 ip address 192.168.99.1 255.255.255.0
 ip access-group 199 in
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 199 permit ip 192.168.99.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 199 permit ip 192.168.20.0 0.0.0.255 192.168.99.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
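Added example, not from the thread or the attached Packet Tracer file: a Python model of how the posted access lists 101, 102 and 199 are evaluated inbound on their subinterfaces (wildcard masks, first match, implicit deny), run over constructed flows. The client addresses 192.168.1.10 and 192.168.2.10 are assumptions; the DHCP discover is included because the config also defines DHCP pools for these VLANs.

```python
import ipaddress

# ACL lines copied from the router config above: (src, src_wildcard, dst, dst_wildcard).
ACLS = {
    101: [("192.168.1.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
          ("192.168.20.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")],
    102: [("192.168.2.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
          ("192.168.20.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")],
    199: [("192.168.99.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
          ("192.168.20.0", "0.0.0.255", "192.168.99.0", "0.0.0.255")],
}
# Subnet behind each subinterface that carries "ip access-group N in".
INGRESS = {101: "192.168.1.0/24", 102: "192.168.2.0/24", 199: "192.168.99.0/24"}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching line wins; falling off the end is the implicit deny."""
    for line_no, (s, sw, d, dw) in enumerate(ACLS[acl], start=1):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return ("permit", line_no)
    return ("deny", None)

def unreachable_lines(acl):
    """Lines whose source range lies outside the subnet the ACL filters inbound."""
    ingress = ipaddress.ip_network(INGRESS[acl])
    return [n for n, (s, sw, _, _) in enumerate(ACLS[acl], start=1)
            if not ipaddress.ip_network(f"{s}/{sw}").overlaps(ingress)]

# Constructed sample flows: (ACL on the ingress subinterface, source, destination).
FLOWS = [
    (101, "192.168.1.10", "192.168.20.200"),   # VLAN 1 client -> DNS server
    (101, "192.168.1.10", "192.168.2.10"),     # VLAN 1 client -> VLAN 2 client
    (102, "192.168.2.10", "192.168.20.200"),   # VLAN 2 client -> DNS server
    (199, "192.168.99.100", "192.168.1.10"),   # MGMT host -> VLAN 1 client
    (101, "0.0.0.0", "255.255.255.255"),       # DHCP discover from a VLAN 1 client
]

def report():
    """Evaluate every sample flow and return (acl, src, dst, action, line)."""
    return [(acl, src, dst) + evaluate(acl, src, dst) for acl, src, dst in FLOWS]

if __name__ == "__main__":
    for row in report():
        print(row)
    print({acl: unreachable_lines(acl) for acl in ACLS})
```

The second line of each list has VLAN 20 as its source, so traffic entering the client subinterface never matches it; replies from VLAN 20 enter on FastEthernet0/0.20, which has no access group. The model also shows that these lists do not match a DHCP discover (0.0.0.0 to 255.255.255.255).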
01-11-2019 04:41 AM