inter-Vlan routing on a Cisco 3550

Discussion in 'Cisco' started by RJH, Jul 25, 2006.

  1. RJH

    Setting up inter-Vlan routing on a Cisco 3550

    I have two separate networks running on separate Vlans on my Cisco 3550. Is it possible to allow “limited” traffic between the two different networks while still maintaining a secure environment?

    We have Vlan 601, which is the Public Access network. There is a VPN firewall attached to Fa0/24 going to Cox internet (10.22.138.1 – internal) with 4 to 6 PCs connected to this Vlan.

    Vlan 602 is our private network and connected to Fa0/1 is a Cisco 2509 (10.11.6138.1) which provides the “private” network to the staff.

    We are installing PC Timing & Print management software and need to provide a way for the Public Access PCs on Vlan 601 to communicate with the Management console/Print release station, located on Vlan 602. The software vendor says that we just need to open TCP/UDP ports 1969/1970 and TCP ports 6987 & 7383 so that the Client can talk to the Management Console and vice versa.

    The only way I have been successful in getting the two networks to talk was to set the PCs on both networks with a Gateway address that matched the addresses assigned to the Vlans (i.e. 10.22.138.250 & 10.11.138.250). This, however, caused the PCs on both networks to not be able to get to other resources because they now didn’t have a default gateway that matched the addresses in the Firewall on the Public side and the Router on the Private side.

    I need a way for the two networks to communicate in a restricted way –

    Here is my current config -

    Ver 12.1
    !
    hostname Rockwell
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    interface FastEthernet0/1
    switchport access vlan 602
    switchport mode access
    no ip address
    !
    interface FastEthernet0/2
    switchport access vlan 602
    switchport mode access
    no ip address

    . . . . . . . . (more)

    interface FastEthernet0/23
    switchport access vlan 601
    switchport mode access
    no ip address
    !
    interface FastEthernet0/24
    switchport access vlan 601
    switchport mode access
    no ip address
    !
    interface GigabitEthernet0/1
    no ip address
    !
    interface GigabitEthernet0/2
    no ip address
    !
    interface Vlan601
    ip address 10.22.138.250 255.255.255.0
    ip access-group 110 in
    !
    interface Vlan602
    ip address 10.11.138.250 255.255.255.0
    !
    ip default-gateway 10.11.138.1
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.11.138.1
    ip http server
    !
    ip access-list extended CMP-NAT-ACL
    dynamic Cluster-HSRP deny ip any any
    dynamic Cluster-NAT permit ip any any
    !
    ip classless
    logging 10.11.254.16
    !
    access-list 110 permit icmp 10.22.138.0 0.0.0.255 any
    access-list 110 permit tcp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 1969
    access-list 110 permit udp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 1969
    access-list 110 permit tcp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 1970
    access-list 110 permit tcp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 6987
    access-list 110 permit tcp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 7383
    access-list 110 deny ip 10.22.138.0 0.0.0.255 10.11.138.0 0.0.0.255
    access-list 110 permit ip 10.22.138.0 0.0.0.255 any


    But still be able to access the resources that are principal to each network.

    So Internet traffic on Vlan601 needs to go out through the VPN Firewall on Vlan601 while Internet / Intranet / Email traffic on Vlan602 needs to stay on Vlan602 and still allow the PC Timing and Print Mgmt software to talk between the two Vlans.

    Anyone have any ideas?
     
    RJH, Jul 25, 2006
    #1
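Added example (not part of the original post, and not Cisco code): a small first-match evaluator for the posted access-list 110, useful for checking which flows from Vlan 601 the list would pass before relying on it. The console address substituted for `10.11.138.x` and the PC address are constructed, and only the `any`, `host`, wildcard and `eq` forms that appear in the post are parsed.

```python
import ipaddress

# Assumption: "10.11.138.x" in the post is a placeholder; this console address is constructed.
CONSOLE = "10.11.138.50"
# ACL 110 exactly as posted, with the placeholder substituted.
ACL_110 = """\
access-list 110 permit icmp 10.22.138.0 0.0.0.255 any
access-list 110 permit tcp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 1969
access-list 110 permit udp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 1969
access-list 110 permit tcp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 1970
access-list 110 permit tcp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 6987
access-list 110 permit tcp 10.22.138.0 0.0.0.255 host 10.11.138.x eq 7383
access-list 110 deny ip 10.22.138.0 0.0.0.255 10.11.138.0 0.0.0.255
access-list 110 permit ip 10.22.138.0 0.0.0.255 any
""".replace("10.11.138.x", CONSOLE)

def _addr(tok):
    """Parse 'any', 'host A' or 'A WILDCARD'; return (matcher, remaining tokens)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        host = ipaddress.ip_address(tok[1])
        return (lambda ip: ip == host), tok[2:]
    base, wild = (int(ipaddress.ip_address(t)) for t in tok[:2])
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (lambda ip: int(ip) & care == base & care), tok[2:]

def parse(text):
    """Turn numbered extended ACL lines into (action, proto, src, dst, port) rules."""
    rules = []
    for line in text.splitlines():
        action, proto, *tok = line.split()[2:]  # drop "access-list 110"
        src, tok = _addr(tok)
        dst, tok = _addr(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; a packet matching nothing hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and rsrc(src) and rdst(dst) and rport in (None, dport):
            return action
    return "deny"

RULES = parse(ACL_110)
if __name__ == "__main__":
    pc = "10.22.138.20"  # constructed public-access PC address
    for proto, dst, port in [("tcp", CONSOLE, 1969), ("udp", CONSOLE, 1970),
                             ("icmp", "10.11.138.77", None), ("tcp", "10.11.138.77", 445)]:
        print(proto, dst, port, "->", evaluate(RULES, proto, pc, dst, port))
```

Run against the list as posted, UDP 1970 to the console falls through to the `deny ip` line even though the vendor's port list includes it, and the first line permits ICMP from the public PCs to every host on the private subnet. The list is applied inbound on Vlan601 only, so it says nothing about traffic initiated from Vlan602.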