Solved

CISCO VLAN's Router On A Stick Method

Posted on 2011-03-23
6
489 Views
Last Modified: 2013-12-09
Hi Guys,

I have just started looking into CISCO and the first thing that I would like to achieve is VLANS. I have found all the commands to do what I want to do when I config the switch through the console port, but it seems that CISCO have changed some of the commands since one of the youtube vids I was watching.

What I want to be able to do is setup VLAN 1, 2 and 3 lets say:

I want to stop VLAN 1 and 2 talking to each other but would like them to be able to see and talk to VLAN 3.

I have managed to look up Router on a stick which is very similiar to what I am trying to achieve but most of the tutorials allow VLAN 1 and 2 to talk between each other.

I was wondering maybe if someone knew all the commands I needed to get this up and running?

Thanks in advance
0
Comment
Question by:dan4132
6 Comments
 
LVL 4

Accepted Solution

by:
m_walker earned 167 total points
ID: 35197679
By default all vlans will be able to see each other.  You have three choices.
1. User an external firewall and use those ACLs (could be an over kill and slow things down a little)
2. Policy Based Routing - where acls are used to allow packets to go between vlans
3. VRF and limit routing tables (and ensue you dont use you common vlan as the default gateway else the other 2 will route via the common one.

I dont have a quick example of PBR but it should be the simplest.  I generally find the PBR is slow and use a firewall (as simple linux box with ip tables was faster then my 3750E PBR setup.  My ACS firewall as faster then PBR.

VRF is good, but wont work if you need to route via the common vlan to the net.
0
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 167 total points
ID: 35197733
you can use access list to block traffic between VLAN 1 & VLAN 2. what cisco router are you using? and what switch? I'll be glad to help you out on the config.
0
 
LVL 3

Author Comment

by:dan4132
ID: 35197944
Hey Guys,

Thanks very much for your input. So I guess ACL's is the way forward with this.

I have:
1 x Cisco Catalyst 3550 Switch (I mainly use this one over the 2950)
1 x 2950 Switch
1 x 2621 Router

Any help would be appreciated :)

Thanks

0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 166 total points
ID: 35202724
If you're doing router-on-a-stick just put an ACL on each interface.

Something like this (off the top of my head)...

interface fa0/0.1
encapsulation dot1q 1
ip address 192.168.1.1 255.255.255.0
ip access-class 101 in
!
interface fa0/0.2
encapsulation dot1q 2
ip address 192.168.2.1 255.255.255.0
ip access-class 101 in
!
interface fa0/0.3
encapsulation dot1q 3
ip address 192.168.3.1 255.255.255.0
ip access-class 101 in
!
access-list 101 deny ip 192.168.1.0.0.0.0.255 192.168.2.0 0.0.0.255       (Blocks access from Vlan1 to Vlan2)
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255       (Blocks access from Vlan2 to Vlan1)
access-list 101 permit ip any any                                                               (Allows everything else)
0
 
LVL 3

Author Comment

by:dan4132
ID: 35473706
Will Close
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Port 808 is being blocked 9 96
Unifi AP 4 72
DHCP Server 14 85
How can I find which network appliance is acting as our gateway with the IP address? 4 49
For Sennheiser, comfort, quality and security are high priority areas. This paper addresses the security of Bluetooth technology and the supplementary security that Sennheiser’s Contact Center and Office (CC&O) headsets provide.  
DECT technology has become a popular standard for wireless voice communication. DECT devices are not likely to be affected by other electronic devices and signals because they operate in a separate frequency-band.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now