Harold
VLANs
We have the following current setup.
1 flat network
Need 12 specific ports in VLAN 15 and only internet access on LAN
IP range 10.33.0.0/21
DHCP - Windows server 10.33.1.60
POOL - 10.33.6.1-10.33.6.254
DNS - 10.33.1.60
GW - 10.33.0.254
Cisco 4507 - 10.33.0.25
I have set up VLAN 15 and assigned a port to it; when I do, I lose network connectivity. I tried to build another DHCP pool on the 4507, but when I add the network 10.33.7.0 255.255.248.0, it puts in the entire subnet 10.33.0.0, which is already on the Windows server.
What I thought would happen is it would add just the 10.33.7.0 subnet and I could assign the ports to it and they can use this pool and existing gateway.
What am I not understanding or missing or other options?
Regards
You're welcome
No one is perfect.
All the best
ASKER
Akinsd: that didn't work, because the gateway is on the /21 subnet, so it can't find a GW and is still not getting an IP from the pool.
Post your config
If the gateway is /21 as you mentioned, then 10.33.7.0 is already part of that subnet.
Just extend your pool
POOL - 10.33.6.1-10.33.7.254
GW - 10.33.0.254
ASKER
Akinsd: here is some of it....
!
ip dhcp pool FDR
network 10.33.7.0 255.255.255.0
default-router 10.33.0.254
dns-server 10.33.1.60
!
Can't add the IP 10.33.7.1 255.255.255.0 to the VLAN interface because it overlaps
(config-if)#ip address 10.33.7.1 255.255.255.0
10.33.7.0 overlaps with Vlan1
Exactly
To create a vlan 15 with a subnet of 10.33.7.0, you will need to change vlan 1 to a /22, but then that will shrink your range to 10.33.0.0 - 10.33.3.255 for vlan 1
Your alternative is to use 10.33.8.0 instead
The GW for 10.33.7.0 with your current configuration is
GW - 10.33.0.254
The /21 range is
10.33.0.0 - 10.33.7.255
This means, every IP within the range is already part of vlan 1
ASKER
To create a vlan 15 with a subnet of 10.33.7.0, you will need to change vlan 1 to a /22, but then that will shrink your range to 10.33.0.0 - 10.33.3.255 can't do this
Your alternative is to use 10.33.8.0 instead .......How can I use 10.33.8.0 and go out 10.33.0.254, still different subnets.
That's if you want to create a new vlan 15 like you stated.
10.33.8.0 can not go out from 10.33.0.254.
I need to understand your reason for creating vlan 15
Do you know why the 7 range is not part of the DHCP pool
ASKER
We've moved 8 people in a room and they are on our LAN. They are connected to our network, but are here temporarily. For security I was going to segment the ports they are on, to just have internet access.
The pool was created before I got here and is on a Windows server, which they don't authenticate to and if I add that pool and my other LAN users get an IP from that range, I'll have a mess.
Ok
Nothing in the IP range is usable then, based on your explanation.
It makes sense to create another vlan but that can't include anything in the .7.0 range
On your 4507 create another interface (SVI)
interface vlan 15
IP address 10.33.8.254 255.255.255.0
ip helper-address 10.33.1.60
On your DHCP server
Create a new scope for vlan 15
POOL - 10.33.8.1-10.33.8.253
DNS - 10.33.1.60
GW - 10.33.8.254
Then create an access list that blocks traffic from .8 range to any ip in vlan 1
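Pulling the steps of the answer above into one configuration, as an added example rather than config posted in the thread: the VLAN 15 SVI, DHCP relay to the Windows server, and an inbound ACL that lets the guests reach DHCP and the DNS server but nothing else in 10.33.0.0/21. The ACL name, the extra DHCP-renewal permit and the optional RFC 1918 denies are my choices and are not from the thread; the addresses are the ones the thread uses.

```cisco
! Added example (not from the thread). Uses the addressing proposed in the answer.
!
! 1. Routed interface for the guest VLAN. Its address becomes the guests' gateway.
vlan 15
 name GUEST
!
interface Vlan15
 description Guest-only segment
 ip address 10.33.8.254 255.255.255.0
 ! Relay DHCP broadcasts to the Windows DHCP server in VLAN 1. The relayed request
 ! is sourced from 10.33.8.254 with giaddr=10.33.8.254, which is what the server
 ! uses to pick the 10.33.8.0/24 scope instead of the 10.33.6.x pool.
 ip helper-address 10.33.1.60
 ip access-group GUEST-IN in
!
! 2. Inbound ACL on the guest SVI (first match wins, implicit deny at the end).
ip access-list extended GUEST-IN
 remark Initial DHCP DISCOVER/REQUEST is a broadcast from 0.0.0.0; let it reach the relay
 permit udp any eq bootpc any eq bootps
 remark Renewals are unicast straight to the server, so they need their own permit
 permit udp any host 10.33.1.60 eq bootps
 remark DNS to the internal server only (drop these two lines if the scope hands out public resolvers)
 permit udp any host 10.33.1.60 eq domain
 permit tcp any host 10.33.1.60 eq domain
 remark Block everything else in the VLAN 1 /21 (10.33.0.0 - 10.33.7.255), which includes 10.33.0.254 and 10.33.0.25
 deny   ip any 10.33.0.0 0.0.7.255
 remark Optional hardening (my addition): no other private space either, so the guests get internet only
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! 3. On the Windows DHCP server (10.33.1.60), create a separate scope for 10.33.8.0/24:
!    range 10.33.8.1 - 10.33.8.253, router option 10.33.8.254, DNS 10.33.1.60 (or public resolvers).
!    The existing 10.33.6.x pool is untouched, so VLAN 1 users cannot land in the guest range.
```

The ACL is applied inbound on Vlan15, so the DHCP OFFER/ACK that the server sends back to the relay (10.33.8.254) and that the switch forwards to the client is outbound and is never filtered. Internet-bound traffic matches the final permit and leaves via the switch's default route toward 10.33.0.254; the ACL does nothing about the return path, which is the routing problem the rest of the thread works through. Note also that the ACL only governs traffic that crosses the SVI: guests in VLAN 15 can still reach each other at layer 2 unless the ports are additionally isolated.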
ASKER
If DNS is on the /21, it will not be seen by this new subnet, as it would be a /24, correct?
"Then create an access list that blocks traffic from .8 range to any ip in vlan 1" This will be difficult to do, since the DNS server is on a different subnet. Unless I turn on DNS on the switch, which may cause more headaches.
You can permit traffic to the 10.33.1.60 in the ACL or use publicly available ones
POOL - 10.33.8.1-10.33.8.253
DNS - 8.8.8.8, 4.2.2.2
GW - 10.33.8.254
ASKER
Can I use an external DNS IP address as a helper address?
Do I need to add a ip route 0.0.0.0 0.0.0.0 10.33.8.254 too or will this screw with my existing route?
No
The IP Helper address is to let the DHCP server know which vlan the DHCP request is coming from and assign IP appropriately
ASKER
Ok, so do I use the IP I assigned to VLAN 15? Getting IPs now, just no route out. I'm guessing I need the IP route statement?
show ip route
show ip int brief
If the SVI for vlan 1 and vlan 15 are on the same 4507, a route is not needed as they are connected.
Run and post the 2 commands above 1st, and I'll let you know
ASKER
Gateway of last resort is 10.33.0.254 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.33.8.0/24 is directly connected, Vlan15
C 10.33.0.0/21 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 10.33.0.254
7#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.33.0.25 YES NVRAM up up
Vlan15 10.33.8.254 YES manual up up
What is the 4507 connected to?
That is where you'll need a route to be added
ip route 10.33.8.0 255.255.255.0 10.33.0.254
ASKER
Didn't work... 10.33.0.254 is on the /21 subnet.
interface Vlan1
ip address 10.33.0.25 255.255.248.0
!
interface Vlan15
ip address 10.33.8.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.33.0.254
ip route 10.33.8.0 255.255.255.0 10.33.0.254
Not on the switch, but on the router the switch is connected to.
remove ip route 10.33.8.0 255.255.255.0 10.33.0.254 from the switch
What is the switch connected to?
That must be the device with address 10.33.0.254
On that device
insert the route statement ip route 10.33.8.0 255.255.255.0 10.33.0.25
I noticed also that the switch is not the gateway. The router the switch connects to seems to be the gateway for vlan 1.
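The return path and the guest ports, written out as an added example rather than config from the thread. The static route on the upstream router is the one the answer above calls for; the port names GigabitEthernet2/1 - 12 are placeholders for the 12 guest ports, and the port-isolation and BPDU guard lines are my additions.

```cisco
! Added example (not from the thread). Port numbers are placeholders.
!
! On the 4507: the static route added earlier is wrong and must go. 10.33.8.0/24 is
! directly connected on Vlan15, so the connected route already wins; the static one
! would only point guest traffic back at the upstream router. The existing default
! route (S* 0.0.0.0/0 via 10.33.0.254) is all the switch needs for the outbound leg.
no ip route 10.33.8.0 255.255.255.0 10.33.0.254
!
! On the upstream router (10.33.0.254, telco-managed): it only knows 10.33.0.0/21,
! so replies to guest traffic are dropped until it learns that 10.33.8.0/24 sits
! behind the switch's VLAN 1 address. Without this line the guests get an IP and
! can send packets out, but nothing ever comes back, which is the symptom reported.
ip route 10.33.8.0 255.255.255.0 10.33.0.25
!
! On the 4507: put the 12 guest ports in VLAN 15 as access ports.
interface range GigabitEthernet2/1 - 12
 description Temporary guest desk
 switchport mode access
 switchport access vlan 15
 ! Optional: protected ports cannot forward to each other at layer 2, so the guests
 ! are isolated from one another as well as from VLAN 1.
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification on the switch after the changes:
!   show ip route                     -> C 10.33.8.0/24 on Vlan15, S* 0.0.0.0/0 via 10.33.0.254, no extra static
!   show ip interface brief | include Vlan
!   show interfaces status | include 15   -> the guest ports listed in vlan 15
!   show access-lists                 -> hit counts climbing on the deny line as guests probe VLAN 1
!
! From a guest PC, once the telco has added the route:
!   ipconfig          -> address in 10.33.8.1-253, default gateway 10.33.8.254
!   ping 8.8.8.8      -> replies (outbound via the switch default route, return via the new static)
!   ping 10.33.0.254  -> blocked by the guest ACL
!   ping 10.33.1.60   -> blocked by the guest ACL, while nslookup against it still answers if only DNS is permitted
```

Until the telco adds the route on 10.33.0.254 nothing on the internet can answer a guest, no matter how the switch is configured; that device is the only one in the path that does not know where 10.33.8.0/24 lives, and the switch cannot fix that on its behalf.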
ASKER
Hmmm that's managed by the telco. I don't like working with these people. I'll get it done.
If you have access to the device, then that's the major thing needed for now.
Everything major is complete on the switch.
Remember to assign the switchports the guest PCs will be using to vlan 15
ASKER
that's just it we don't have access. We're off the contract in a couple months though.
I've added the port I'm testing with, so I'll wait on them to work the ticket I just opened and let you know tomorrow.
Thanks
Ok
All the best