
vlans....

Status
Not open for further replies.

hellboy101 (Programmer; joined Aug 31, 2005; 247 messages; location: US)
Hello all-

Happy holidays if I forget to mention it at the close of this message.

We have a Windows/Cisco shop. Our Cisco 3550 is basically our DMZ switch. Currently ports 1 thru 6 are set to vlan 2, ports 7 thru 20 are in switchport mode dynamic desirable, and 21 to 24 are back in vlan 2 again. I'd like to establish a vlan3 for a distinct number of ports, say 7 to 12, for a group of consultants that will need access to a few servers. How does this essentially work? Can I segregate their ports via this vlan3? Any tips on proper creation, and potentially a short explanation on how I can segregate their port assignment to this distinct server?

thanks for any information provided.
hb101
 
You can create a separate vlan for these consultants , if you do this then the servers will need to be in the same vlan otherwise you will have to route from the consultant vlan to wherever the servers are located . If the servers are not in the same vlan then you will have to route and then apply extended ACL's to the layer 3 SVI to deny these guys from going anywhere else but to the server addresses if this is what you are looking to do .
 
Hello Vipergg,

Yes, this is exactly what I was looking for. You're entirely on the same page with what I'm trying to accomplish here. These servers may need to be accessed by other internal users for other purposes, which would complicate things even more, but let's just say that this weren't the case.

So I create a vlan and, based on which ports these consultants are connected to, I'll add those ports to the vlan. What if the server is on a different switch/vlan? You mentioned extended ACLs. Can you give me an actual example of what's needed to design this, since I feel this will be the case? I believe I'll need to route them to these servers and deny them any other server addresses.

Thanks for any additional info you can provide..

hb101
 
On the 3550 you need to create a layer 3 SVI with whatever address range you want to use. There is only 1 statement needed in the ACL for this because there is an implicit deny all at the end of the ACL by default, so they can only go to the one server address. If they needed to go to other addresses then additional statements would be needed. As an example:

Server address 192.168.1.25 255.255.255.0
Client address 192.168.3.10 255.255.255.0

conf t
! The 3550 does not route between SVIs until IP routing is enabled
ip routing
!
! Consultant SVI; the ACL is applied inbound, so it filters packets the
! consultants send toward the rest of the network
int vlan 3
 description client subnet
 ip address 192.168.3.254 255.255.255.0
 ip access-group 101 in
!
int vlan 1
 description Server subnet
 ip address 192.168.1.254 255.255.255.0
!
! One permit is enough: the implicit deny at the end of the ACL blocks everything else
access-list 101 permit ip host 192.168.3.10 host 192.168.1.25


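To make the first-match and implicit-deny behaviour of the ACL above concrete, here is an added example (not from the post or from Cisco) that parses the small subset of IOS extended-ACL syntax used in this thread and evaluates sample source/destination pairs against it. The flows, the second ACL (number 102, a subnet-wide permit plus an explicit deny-and-log line), and the assumption that wildcard masks are contiguous are all constructed for the example.

```python
"""Toy evaluator for the IOS extended-ACL subset used in the thread.

Supported lines (assumption: only protocol 'ip' and contiguous wildcard masks):
  access-list <n> permit|deny ip <src> <dst> [log]
where <src>/<dst> is 'host A', 'any', or 'NET WILDCARD'.
Entries are evaluated top-down, first match wins, and anything unmatched
falls through to the implicit deny at the end of the list.
"""
import ipaddress

# The single statement from the thread's configuration.
ACL_THREAD = """
access-list 101 permit ip host 192.168.3.10 host 192.168.1.25
"""

# Constructed variant: permit the whole consultant /24 to the server and add
# an explicit deny-and-log so blocked traffic appears in the switch log.
ACL_SUBNET = """
access-list 102 permit ip 192.168.3.0 0.0.0.255 host 192.168.1.25
access-list 102 deny ip any any log
"""


def _parse_addr(tokens):
    """Consume one address spec from tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net, wildcard = tokens[0], tokens[1]
    # IOS wildcard is an inverted netmask: 0.0.0.255 means /24 (contiguous assumed)
    prefix = 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False), tokens[2:]


def parse_acl(text, number):
    """Return [(action, src_net, dst_net, log_flag), ...] for ACL `number`."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue
        action, proto = t[2], t[3]
        if proto != "ip":
            raise ValueError("this toy only understands 'ip' entries")
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        entries.append((action, src, dst, "log" in rest))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """Return (action, index_of_matching_entry); index None means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, src, dst, _log) in enumerate(entries):
        if s in src and d in dst:
            return action, i
    return "deny", None  # implicit deny all at the end of every IOS ACL


if __name__ == "__main__":
    # Constructed sample flows: the permitted consultant PC, a second server,
    # a second consultant PC, and an unrelated internal address.
    flows = [("192.168.3.10", "192.168.1.25"), ("192.168.3.10", "192.168.1.30"),
             ("192.168.3.11", "192.168.1.25"), ("192.168.3.10", "10.0.0.1")]
    for name, text, num in (("ACL 101", ACL_THREAD, 101), ("ACL 102", ACL_SUBNET, 102)):
        acl = parse_acl(text, num)
        for src, dst in flows:
            print(name, src, "->", dst, evaluate(acl, src, dst))
```

Two points the output makes visible: with ACL 101 every flow except 192.168.3.10 to 192.168.1.25 returns `("deny", None)`, i.e. it was dropped by the implicit deny rather than by any line you wrote, and with ACL 102 the same flows hit the explicit entry at index 1, which on a real switch is what produces a log message. Remember also that an inbound ACL on the vlan 3 SVI only sees routed traffic leaving that VLAN; consultant-to-consultant traffic inside vlan 3 is switched at layer 2 and never passes through it.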
 
Thank you viper!

I truly appreciate your detailed information and wish you happy holidays!

I'll let you know what comes out of this!

hb101
 
Hi vipergg-

I forgot to question this:

On this 3550, how can I move ports that are currently on vlan2 onto vlan3 (same switch)

Thanks again! for any support at all!

hb101
 
Go into each interface and just change the statement "switchport access vlan 2" to "switchport access vlan 3".
 
Hi vipergg-

I'm trying to get a connection on my 3550 Cisco switch for port #4 but am not able to make it happen. The port is in vlan2, and I get into the interface on the switch and issue a "no shutdown" command. When I do a "sho int fa0/4" I receive at the top "FastEthernet0/4 is down, line protocol is down (notconnect)". How can I make this port "active"?

any ideas?

thx alot
hb101
 
Means you have no physical connection to whatever device you are trying to hook this port to . Make sure you are using a straight thru to a client pc .
 
What if you've checked the Cat6 cables and you know they are straight thru? Is there any type of Cisco command to essentially force this port into "up" mode?

I keep getting this on port 8, and others too:

______________________________________________________

DMZ_3550#sho int fa0/08
FastEthernet0/8 is down, line protocol is down (notconnect)
Hardware is Fast Ethernet, address is 000f.3410.a588 (bia 000f.3410.a588)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
 
You shouldn't have to force it up if it is working correctly; there is no way to do this anyway. What are you trying to hook into it? If it's just a client, check the NIC setting and make sure it is hardcoded to 100/full, because that is the way the switchport is set. Don't leave it as auto, or change the switchport to auto if the NIC is auto. If you don't get a link light with a straight thru cable to a client PC then you have a physical layer issue. Also try a different switchport, which you probably already did.
 
Hello vipergg-

Just a quick one i'm sure you can point me in the right direction.

My vlan2 on my 3550 has an IP address of 172.17.79.10. I'd like to make vlan3 active and thought I could give it an IP address of 172.17.79.11, but apparently there is an "overall from vlan2" as the message dictates. What are my choices in subnet ranges? This switch is my DMZ switch and can go up a range to 172.18.x.x if necessary for this vlan to become effective.

any ideas?

thank you and have a safe New Year

hb101
 
You can't put an address from the same IP address range on 2 different SVIs. The address you use depends on what masking you are using. What are you using for a mask on the current ranges?
 
Hi vipergg,

Yes, the mask is /16 across the board.

thx!
hb101
 
You should be able to use the .18 range as you suggested. Not sure why you need to have subnets so large, but that's up to you.
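The overlap rule discussed in the last few posts can be checked before touching the switch. The following is an added example (not from the thread or from Cisco) that models the switch's refusal to put two SVIs in overlapping subnets, using the thread's addresses, and goes one step further than the thread by showing how a smaller mask on vlan2 would have left room for vlan3 inside 172.17.x.x. The SVI table, the candidate addresses and the address pool are constructed for the example.

```python
"""Check candidate SVI addresses against existing SVIs for subnet overlap.

IOS refuses 'ip address' on an SVI whose subnet overlaps another SVI's
subnet, which is what the poster hit with 172.17.79.11/16 next to the
existing Vlan2 address 172.17.79.10/16.
"""
import ipaddress


def svi_conflicts(existing, candidate):
    """Return the name of the first existing SVI whose subnet overlaps
    `candidate` ('addr/prefix'), or None if the address is usable.
    `existing` maps SVI name -> 'addr/prefix'."""
    cand_net = ipaddress.ip_interface(candidate).network
    for name, addr in existing.items():
        if ipaddress.ip_interface(addr).network.overlaps(cand_net):
            return name
    return None


def first_free_subnet(existing, prefix, pool="172.16.0.0/12"):
    """Return the first /prefix subnet carved from `pool` that overlaps no
    existing SVI, or None if the pool is exhausted. The default pool is the
    RFC 1918 172.16/12 block that contains both 172.17 and 172.18."""
    used = [ipaddress.ip_interface(a).network for a in existing.values()]
    for net in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(net.overlaps(u) for u in used):
            return net
    return None


if __name__ == "__main__":
    # Constructed SVI table matching the thread: Vlan2 with a /16 mask.
    svis = {"Vlan2": "172.17.79.10/16"}
    for cand in ("172.17.79.11/16", "172.18.79.11/16"):
        print(cand, "conflicts with", svi_conflicts(svis, cand))
    print("first free /16:", first_free_subnet(svis, 16))
    # With a /24 on Vlan2 instead, a second /24 fits inside 172.17.0.0/16.
    print("first free /24 beside a /24 Vlan2:",
          first_free_subnet({"Vlan2": "172.17.79.10/24"}, 24, pool="172.17.0.0/16"))
```

The first candidate reports a conflict with Vlan2 and the 172.18.79.11/16 address does not, which matches the advice above. The last line shows the point about subnet size: a /24 on vlan2 would have left 172.17.0.0/24 (and every other /24 except 172.17.79.0/24) free for vlan3 without leaving the 172.17 range.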
 