Amarjot Singh
Cisco 887VA VLANS

Hi Guys,

I have a Cisco 887VA Router configured for my BT Infinity connection and it is working flawlessly at the moment. However I am now wanting to remove my RRAS box and have all my VLANs configured on the router. This is where I need your help :)

I have attached my running config as well as the vlan-switch config at present. Ideally what I want to do is have 4 VLANs with the following IP addresses:

192.168.1.254 - FE0 (already in place)
192.168.2.254 - FE1
192.168.3.254 - FE2
192.168.4.254 - FE3

I think I will also need to set up IPHelpers as my DHCP Server sits on 192.168.1.1

I'm a Cisco noob and had help getting to where I am today and need a little more assistance to get that little bit further :)

I appreciate any assistance you guys can provide.

Thanks
Run-Config.txt
vlan-switch.txt
SOLUTION
Predrag Jovic
ASKER
Hi Predrag,

Thank you for your prompt response - I really appreciate your assistance.

Unfortunately I only have L2 switches downstream (2 x GS724T) so I think this setup will be the best given what you have said.

Secondly, I am very much a n00b when it comes to Cisco and the only experience I had was nearly 10 years ago and I have forgotten most things! Are you able to walk me through the commands required to get this configuration in place?

Also - by having the 4 links exit the router, will IPHelpers still be required? And will inter-VLAN communication be possible? Ideally I'd like to have them all separated with the option to open ports between VLANs (if you are able to help with that also, I would be extremely grateful).
ASKER CERTIFIED SOLUTION
I just set up the VLAN configuration - it worked a charm. Thank you so much for that!
The only thing that didn't work was the ip address-helper command. It doesn't appear to recognise this command - am I doing something wrong?

I've not tried the access-lists yet as I want to get one thing working at a time :)

Thanks again
Yes, you are doing it wrong, but that's my fault. :)
I gave you the wrong command; it should be:
# ip helper-address
Perfect - it worked this time :) Thanks!

I'm going to try the access lists shortly - A few questions before I begin:

What is SVI?

The following:

access-list 100 permit tcp any host 192.168.4.15 eq www
access-list 100 deny   ip any 172.16.0.0 0.15.255.255
access-list 100 deny   ip any 10.0.0.0 0.255.255.255
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any

interface vlan 1
ip access-group 100 in

Am I right to believe that I can use this same access group for all VLANs?
If I add it to VLAN 1, only VLAN 1 will talk to VLAN 1 but not 2, 3 and 4,
and if I add it to VLAN 2, only VLAN 2 will talk to VLAN 2 but not 1, 3 and 4, etc.
Or do I need to create a group for each individual VLAN?

Also you mentioned, adding the ports required to the top line - I've attached a spreadsheet of ports for AD - how would I add these? As I noticed you added "eq www" for port 80.

And lastly, I've set up port forwarding for a number of ports for external access (see below for an example) - will these continue to function?

ip nat inside source static tcp 192.168.1.x 443 interface Dialer1 443

Connectivity-Matrix-TEMPLATE.xlsx
What is SVI?
SVI - Switch Virtual Interface (interface VLAN X)
Am I right to believe that I can use this same access group for all VLANs?
Maybe, that depends on what you are trying to accomplish.
The one that I gave you will be OK for all VLANs (since the source address is any) as long as there are no special cases...
If there are special cases you can go two paths:
- you can create one ACL as a general rule for all VLANs and apply it to the interface in the IN direction, and some specific rules to apply in the OUT direction (# ip access-group 101 out)
- or create an ACL specifically for one or more VLANs

You can add port 80, but the switch will convert it to www in the config.
All ports from the spreadsheet need to be permitted before denying inter-VLAN traffic.

ip nat inside source static tcp 192.168.1.x 443 interface Dialer1 443
is OK.
If you have more port forwarding, the suffix extendable will probably be needed at the end of every port-forwarding command, but the router will warn you about that (and add it itself, if I remember correctly). And since you have 2 DCs I guess you will need it :)
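To see why the same ACL works on every SVI (the source is "any") and why the AD ports must sit above the deny lines, here is an added first-match simulator of the ACL from the thread. It is example code, not the router's logic or anything from the original posts; the Kerberos line for 192.168.1.1 and the test packets are constructed assumptions standing in for the spreadsheet.

```python
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67}  # IOS keyword -> port number

def parse_ace(line):
    """Parse one IOS extended-ACL line of the shape used in the thread:
    access-list 100 <permit|deny> <ip|tcp|udp> any <host A | any | A WILDCARD> [eq PORT]"""
    t = line.split()
    action, proto, i = t[2], t[3], 5            # t[4] is the source, always "any" here
    if t[i] == "host":
        dst, i = ipaddress.IPv4Network(t[i + 1]), i + 2
    elif t[i] == "any":
        dst, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    else:                                        # IOS wildcard mask = inverted netmask
        dst, i = ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return action, proto, dst, port

def evaluate(acl, proto, dst_ip, dst_port=None):
    """First-match evaluation as IOS does it; anything unmatched hits the implicit deny."""
    ip = ipaddress.IPv4Address(dst_ip)
    for action, p, dst, port in map(parse_ace, acl):
        if p != "ip" and p != proto:
            continue
        if ip not in dst or (port is not None and port != dst_port):
            continue
        return action
    return "deny"

# The ACL from the thread, plus one assumed AD line (Kerberos to the DC) standing in for the spreadsheet.
ACL_100 = [
    "access-list 100 permit tcp any host 192.168.4.15 eq www",
    "access-list 100 permit tcp any host 192.168.1.1 eq 88",    # assumed: an AD port from the spreadsheet
    "access-list 100 deny   ip any 172.16.0.0 0.15.255.255",
    "access-list 100 deny   ip any 10.0.0.0 0.255.255.255",
    "access-list 100 deny   ip any 192.168.0.0 0.0.255.255",
    "access-list 100 permit ip any any",
]
# Same lines with the AD permit placed below the 192.168.0.0 deny: it can never match.
ACL_MISORDERED = ACL_100[:1] + ACL_100[2:5] + ACL_100[1:2] + ACL_100[5:]

if __name__ == "__main__":
    # Constructed packets from a VLAN 2 host; the ACL reads the same inbound on every SVI.
    for pkt in [("tcp", "192.168.4.15", 80), ("tcp", "192.168.3.10", 445),
                ("tcp", "192.168.1.1", 88), ("tcp", "93.184.216.34", 443)]:
        print(pkt, "ordered:", evaluate(ACL_100, *pkt), "misordered:", evaluate(ACL_MISORDERED, *pkt))
```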
Sorry for the delay in updating! I just wanted to say thank you so much - I managed to get it all set up :)

I will be posting another question around DMZ - I hope to hear from you again :)

Thanks
Fantastic help - Thank you so much!
You are welcome.
:)