Making 2 VLANs talk to 1 server

danoldenkamp
Level 1

I have two VLANs each with a different subnet.

We'll call them VLAN A on 192.198.0.1 and VLAN B on 192.168.16.1.

We have to maintain the network isolation for PCI (Credit Card compliance), but I have a server on VLAN A, 192.168.0.45 that computers on both VLANs need to access.

My infrastructure is three switches in series with trunking ports configured. There is a gateway for VLAN A and a separate gateway for VLAN B each to a separate router and T1 connection.

The switches are managed switches and IP routing is enabled. 

Is there a way to make both VLANs communicate with 192.168.0.45?

Do I have to put both VLANs on the 192.168.0.1 subnet and just isolate by VLAN?

Is there a way to make the two VLANs communicate?

Do I need to add a static route on the switches to 192.168.0.45, or set the switch port that 192.168.0.45 is on as a trunk port?

This isn't my area of expertise; small business, I wear a lot of hats, so any help is greatly appreciated.

20 Replies

pompeychimes
Level 4

Do you have a diagram? I'm not getting an accurate picture of the network from your description.

Thanks,

James

jimmysands73_2
Level 5

Also, include in the topo: what are the make/model of the switches?

The customer service vlan was 192.168.16.1 but I think I need to set it also to 192.168.0.1 to talk to server in the middle.

Yes, I know these are Adtran boxes and this is a Cisco forum but the IOS is about the same and the Cisco forum is much more active.

I am trying to maintain the VLAN isolation, except get everybody to talk to that 1 server.

I can give you the whole topological map, but it is more convoluted.

I have trunking enabled on the ports that link between switches.

I had customerservice on 192.168.16.1 subnet which is how I got them to go to the Adtran Netvana 3200 router instead of the Adtran Total Access router.

Ohh pretty.

Are all the networks using a /24 mask? If not, what are they using?

Where is the default gateway for each vlan? Is it an on the switches (SVI or routed port) or is it the inside interface of each Adtran?

James

I don't know why the switches were on 10.10.10.1; the computers on VLAN 1 are on 192.168.0.1 but are able to route just fine.

Originally I was going to have VLAN 1 on 192.168.0.1 and VLAN 2 on 192.168.16.1, but to get them both to talk to 192.168.0.45 I thought I might have to put both VLANs on IP address 192.168.0.1 /24.

However, it will not let me configure them both the same.

Here is the config file:

!
interface vlan 1
  ip address  10.10.10.1  255.255.255.0
  ip address  209.253.81.1  255.255.255.248  secondary
  no ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.1  255.255.255.0
  no ip route-cache
  no ip route-cache express
  no shutdown
!
!
!
no ip tftp server
no ip tftp server overwrite
ip http server
ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!

and on switch2:

!
!
interface vlan 1
  ip address  10.10.10.2  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.1  255.255.255.0
  no ip route-cache express
  no shutdown
!
!
!

Switch3:

!
!
interface vlan 1
  ip address  10.10.10.3  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.1  255.255.255.0
  no ip route-cache express
  no shutdown
!
!

Dan

Trying to put both VLANs on 192.168.0.1 would create a big mess and would not really work if you need to maintain separation between the VLANs. I strongly suggest that you not try to do this.

If there are two separate VLANs then there need to be two separate subnets. And if PCs in the second VLAN/subnet need to access a server in the first VLAN/subnet then the answer should be some device that can route between the subnets. On the device that routes between the subnets you should be able to configure access controls so that the second VLAN/subnet can access only the server and no other devices in the first subnet.

HTH

Rick


It looks like the DFG for VLAN 1 is the Router and the DFG for VLAN 2 is the Switch. I would move the DFG for VLAN 1 to the switch also. This will take care of the routing.

You also have duplicate SVIs for VLAN 2 on each of the switches. SVIs for both VLANs should be on one switch only unless you plan on using some version of first hop redundancy.

James

DFG = Default Gateway?

SVI = Switched Virtual Interface

Are you suggesting I configure the switches like this:

SW1:

interface vlan 1
  ip address  192.168.0.251  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.251  255.255.255.0
  no ip route-cache express
  no shutdown

SW2:

interface vlan 1
  ip address  192.168.0.252  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.252  255.255.255.0
  no ip route-cache express
  no shutdown

SW3:

interface vlan 1
  ip address  192.168.0.253  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.253  255.255.255.0
  no ip route-cache express
  no shutdown

I guess I am confused: is the interface vlan > ip address the gateway or the switch login address?

What kind of device to route between the subnets?

Can I use the managed switches?

Do you suggest I ensure IP routing is enabled on the switches and create a static route to 192.168.0.45 somehow?

DFG = Default Gateway? Correct

SVI = Switched Virtual Interface Correct

You have two networks: VLAN 1 / 192.168.0.0/24 and VLAN 2 / 192.168.16.0/24.

To route between them you need a layer 3 device. You stated in your original post that you enabled routing on the switches, meaning they are layer 3 devices. You need one layer 3 interface (SVI) for each network. Configure these layer 3 interfaces on one switch. Other than for mgmt purposes you don't need layer 3 interfaces on the other 2 switches. They are essentially layer 2 switches.

I'm suggesting you configure your switches like this...

SW1:

interface vlan 1 (SVI for VLAN 1 and can be used for Mgmt also)
  ip address  192.168.0.251  255.255.255.0 (This will be the DFG for devices on VLAN 1)
  ip route-cache express
  no shutdown
!
interface vlan 2 (SVI for VLAN 2 and can be used for Mgmt also)
  ip address  192.168.16.251  255.255.255.0 (This will be the DFG for devices on VLAN 2)
  no ip route-cache express
  no shutdown

SW2:

interface vlan 1 (Mgmt only)
  ip address  192.168.0.252  255.255.255.0
  ip route-cache express
  no shutdown
!

SW3:

interface vlan 1 (Mgmt only)
  ip address  192.168.0.253  255.255.255.0
  ip route-cache express
  no shutdown
!

Make sure your interswitch links are trunks.

Make sure you have routes on SW1 to route non-local traffic to the Adtran routers.

James

Great.

So I don't want to route between 192.168.0.1 and 192.168.16.1.  (the whole network)

I only want to route between 192.168.16.1 and 192.168.0.45. (just the one server)

Is there a way to configure a route on switch 1 from 192.168.16.1 subnet to 192.168.0.45 server on port 20?

The default gateway for both subnets and the .45 server are on Switch1, so I shouldn't have to worry about traffic on the other two switches.

A specific route isn't necessary. If ip routing is enabled and both SVIs are on switch one then inter-VLAN routing will work. At this point you'd want to use a security mechanism (VACLs, PVLANs, FW, etc.) to control who can talk to whom.

Were the DFGs always on switch one, or are they there because of my suggestion above? If the latter, where were the DFGs before? I believe I previously suggested one DFG was on a switch and the other on a router.

Also, just to confirm what IP address is being used as the DFG on each VLAN?

James

pjmonline
Level 1

What if you created a new VLAN for the server, let both of the other VLANs talk to the server, and disallowed VLAN 1 and VLAN 2 from talking to each other with an ACL? In my opinion this is easier than an ACL to open up traffic to the server in the current VLAN setup.

Sent from Cisco Technical Support iPhone App

Paul

I think that this is an excellent suggestion. So +5 for you

I have been focused on trying to find solutions within the parameters/limitations given by Dan. But you have looked at possibilities outside of this and I believe that you have proposed a better solution. If both VLANs/subnets must remain isolated from each other and if there is a single resource that should be accessible from both then it is a better solution to put that resource in another VLAN.

HTH

Rick
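As an added illustration (not configuration from anyone in this thread), here is what Paul's server-VLAN idea combined with James's "use a security mechanism" point could look like in Cisco IOS style on SW1, the one switch that holds the SVIs. Assumed, not from the thread: VLAN 3 / 192.168.32.0/24 as the server VLAN, the server re-addressed to 192.168.32.45 on an assumed access port, and port 20 taken literally from Dan's question as the only service the clients need.

```ios
! Added example: SW1 as the layer 3 switch. VLAN 1/2 addressing is from the thread;
! VLAN 3, the server's new address, the port and the default-route next hop are assumptions.
ip routing
!
vlan 3
 name SERVERS
!
interface vlan 1
 ip address 192.168.0.251 255.255.255.0
 ip access-group VLAN1-IN in
!
interface vlan 2
 ip address 192.168.16.251 255.255.255.0
 ip access-group VLAN2-IN in
!
interface vlan 3
 ip address 192.168.32.1 255.255.255.0
!
interface FastEthernet0/10
 description server 192.168.32.45 (assumed port, moved out of VLAN 1)
 switchport mode access
 switchport access vlan 3
!
! Each ACL is applied inbound on the client VLAN's SVI, so it filters what that VLAN
! may send: only the server's port 20, nothing else in VLAN 3, nothing in the other
! client VLAN, and everything else (the Adtran/Internet path) stays open.
! Replies from the server are not filtered, since VLAN 3 carries no ACL.
ip access-list extended VLAN1-IN
 permit tcp 192.168.0.0 0.0.0.255 host 192.168.32.45 eq 20
 deny   ip 192.168.0.0 0.0.0.255 192.168.32.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended VLAN2-IN
 permit tcp 192.168.16.0 0.0.0.255 host 192.168.32.45 eq 20
 deny   ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255
 deny   ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.16.0 0.0.0.255 any
!
! James's "routes on SW1 to the Adtran routers": placeholder next hop. The thread has a
! separate Adtran per VLAN; steering each VLAN to its own router is beyond this example.
ip route 0.0.0.0 0.0.0.0 ADTRAN-INSIDE-IP-PLACEHOLDER
```

Verify the intent with show ip access-lists after generating traffic: the permit counter for the server line should climb while the VLAN-to-VLAN deny lines catch anything crossing between VLAN 1 and VLAN 2.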
