40 Replies. Latest reply: Feb 26, 2009 4:50 AM by greylegface

    Beginner help please

    greylegface

       

      Hi,

      I don't know if this is the right place to ask this but I'm stuck completely and would appreciate some help please.

      I've set up a 2600 router with a 1900 switch on the left with host A, host B and host C connected; on the other side I have two 2950 switches, the first with host D and host E connected and the second with host F and G connected. I have set up the IPs etc. so they can ping, and I've set up VLANs over the two 2950 switches so that hosts D&F are in VLAN2 and E&G are in VLAN3.

      What I want to be able to do is deny host A from accessing VLAN2. I think this has something to do with access lists, and I can create one to deny host A from the right side by creating an access list on the router, but I don't know how to stop it accessing VLAN2. Can I create an access list on the switch?

      Any help would be much appreciated, thanks in advance.

       

       

        • 1. Re: Beginner help please
          Chris

           

          Hi Grey,

          You seem to have a clear understanding of what you have to do. If you set up an extended access list on your router you can deny host A access to the VLAN 2 subnet address.

          Not clear on what your intentions are with the second half of your question?

           

           

          • 2. Re: Beginner help please
            greylegface

             

            All I need to know is how to set up an access list to deny host A access to VLAN2. Would that be

            access-list 110 deny ip 192.168.28.131 192.168.28.10

            where the first IP is the host and the second is the IP of the VLAN?

            Thanks

             

             

            • 3. Re: Beginner help please
              greylegface

               

              I've added a JPG of my network in case my explanations aren't that good!! haha

              I don't understand what you mean by subnet? I've given the VLAN2 an IP address using the interface vlan2 through the switch command, is this enough?

              Thanks again

               

               

              • 4. Re: Beginner help please
                Chris

                 

                Hi Grey,

                Where are your wildcard masks in your access list?

                Are you using a default SNM or VLSM? Will change your wildcard mask statements.

                 

                 

                 

                 

                 

                • 5. Re: Beginner help please
                  Armen

                   

                   

                   

                   

                  Hi Grey,

                  I think the syntax is the following:

                  access-list 101 deny ip host (IP address of host A) (subnet number of VLAN 2) (wildcard of VLAN 2)
                  access-list 101 permit ip any any

                  Then you must apply the below syntax to the interfaces that are connected to the switches, on both of them:

                  ip access-group 101 out

                   

                   

                  • 6. Re: Beginner help please
                    greylegface

                     

                    Thanks guys, will give that a try. For the subnet of the VLAN, is that just the IP I gave it?

                    Thanks again

                     

                     

                    • 7. Re: Beginner help please
                      greylegface

                       

                      Erm, don't know what VLSM or SNM are! lol, I've basically picked this program up yesterday and started using it for an assignment I have. So at the moment I have a basic network layout with IP addresses, the VLAN and that's all really. So I'm a bit stuck as to the lingo as well! Sorry guys!

                      Thanks

                       

                       

                      • 8. Re: Beginner help please
                        Armen

                        No, I don't know about your topology.

                        • 9. Re: Beginner help please
                          Chris

                           

                          Hi Grey,

                          What Armen wrote is perfect!

                          SNM = Subnet Mask

                          VLSM = Variable-Length Subnet Mask

                          Also it's always helpful to cut/paste appropriate "show" command output as applicable to what you're trying to accomplish.

                          Thanks and Cheers.

                           

                           

                          • 10. Re: Beginner help please
                            Chris

                             

                            Your original post stated that you are intending to block access to VLAN 2 from Host A. A VLAN is synonymous with Subnet/Broadcast Domain.

                            HTH

                             

                             

                            • 11. Re: Beginner help please
                              greylegface

                               

                              Erm, OK, I'll try and find some information about my network, because I don't know what you mean by submask,

                               

                               

                              2600A_Chris#show running-config

                              Building configuration...
                              Current configuration : 625 bytes
                              !
                              version 12.2
                              service timestamps debug uptime
                              service timestamps log uptime
                              no service password-encryption

                              hostname 2600A_Chris
                              !

                              !
                              ip subnet-zero

                              !

                              !

                              interface FastEthernet0/0
                              ip address 192.168.28.1 255.255.255.0
                              no ip directed-broadcast
                              !
                              interface Serial0/0
                              no ip address
                              no ip directed-broadcast
                              shutdown

                              interface FastEthernet0/1
                              ip address 192.168.28.130 255.255.255.128
                              no ip directed-broadcast
                              !
                              interface Serial0/1
                              no ip address
                              no ip directed-broadcast
                              shutdown

                              !
                              ip classless
                              no ip http server

                              !

                              line con 0
                              line aux 0
                              line vty 0 4
                              login
                              !
                              end

                              2600A_Chris#
                              2600A_Chris#

                               

                               

                               

                               

                               

                              That's my router, to which I have a 1950 switch connected to the F0/1 and two 2950 switches connected to the F0/0.

                               

                               

                               

                               

                               

                               

                               

                              VLAN Name               Status    Ports
                              ---- ------------------ --------- ---------------------------
                              1    default            active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                                Fa0/11, Fa0/12
                              2    G-E                active    Fa0/2
                              3    D-F                active    Fa0/1
                              1002 fddi-default       active
                              1003 token-ring-default active
                              1004 fddinet-default    active
                              1005 trnet-default      active

                              VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
                              ---- ----- ------ ---- ------ ------ -------- ---- -------- ------ ------
                              1    enet  100001 1500 -      -      -        -    -        0      0
                              2    enet  100002 1500 -      -      -        -    -        0      0
                              3    enet  100003 1500 -      -      -        -    -        0      0
                              1002 fddi  101002 1500 -      -      -        -    -        0      0
                              1003 tr    101003 1500 -      -      -        -    -        0      0
                              1004 fdnet 101004 1500 -      -      -        ieee -        0      0
                              1005 trnet 101005 1500 -      -      -        ibm  -        0      0

                               

                               

                               

                              This is the show VLAN of the 2950A switch; I have set up the two VLANs to have two hosts on each.

                               

                               

                               

                               

                               

                              2950B_Chris>en
                              2950B_Chris#show vlan

                              VLAN Name               Status    Ports
                              ---- ------------------ --------- ---------------------------
                              1    default            active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                                Fa0/11, Fa0/12
                              2    G-E                active    Fa0/2
                              3    D-F                active    Fa0/1
                              1002 fddi-default       active
                              1003 token-ring-default active
                              1004 fddinet-default    active
                              1005 trnet-default      active

                              VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
                              ---- ----- ------ ---- ------ ------ -------- ---- -------- ------ ------
                              1    enet  100001 1500 -      -      -        -    -        0      0
                              2    enet  100002 1500 -      -      -        -    -        0      0
                              3    enet  100003 1500 -      -      -        -    -        0      0
                              1002 fddi  101002 1500 -      -      -        -    -        0      0
                              1003 tr    101003 1500 -      -      -        -    -        0      0
                              1004 fdnet 101004 1500 -      -      -        ieee -        0      0
                              1005 trnet 101005 1500 -      -      -        ibm  -        0      0

                               

                              This is the 2950B switch where I have set the two ports of the hosts to be included in the VLANs. This works as I can only ping each host on the connected VLANs, so I can only ping host G-E and D.

                               

                               

                               

                               

                               

                              This is the config of the 2950A switch:

                              Building configuration...
                              Current configuration : 866 bytes
                              !
                              version 12.1
                              no service pad
                              service timestamps debug uptime
                              service timestamps log uptime
                              no service password-encryption

                              hostname 2950A_Chris
                              !

                              ip subnet-zero
                              !

                              spanning-tree extend system-id
                              !

                              interface FastEthernet0/1
                              switchport access vlan 3
                              !
                              interface FastEthernet0/2
                              switchport access vlan 2

                              interface FastEthernet0/3
                              !
                              interface FastEthernet0/4

                              interface FastEthernet0/5
                              !
                              interface FastEthernet0/6

                              interface FastEthernet0/7
                              !
                              interface FastEthernet0/8

                              interface FastEthernet0/9
                              !
                              interface FastEthernet0/10
                              description "Trunk Link to 2950B_Chris"
                              switchport mode trunk
                              duplex full
                              speed 100

                              interface FastEthernet0/11
                              !
                              interface FastEthernet0/12

                              interface Vlan1
                              ip address 192.168.25.5 255.255.255.0
                              no ip route-cache
                              !
                              interface Vlan2
                              ip address 192.168.28.10 255.255.255.0
                              no ip route-cache

                              interface Vlan3
                              ip address 192.168.28.11 255.255.255.0
                              no ip route-cache
                              !
                              ip default-gateway 192.168.28.1
                              ip http server

                              !
                              line con 0
                              line vty 0 15
                              login

                              end

                               

                               

                               

                              Really appreciate the help guys, sorry if I'm being a bit thick!! lol....

                              Thanks

                               

                               

                              • 12. Re: Beginner help please
                                Chris

                                 

                                Okay, that changes my perspective of your topology completely. Well, now since you have multiple VLANs connected to one "physical" interface on your router, you're going to have to use the Router-On-Stick method to create virtual subinterfaces off of F0/0. After you create your subinterfaces and assign IP addresses to them you'll be able to route between your different subnets/VLANs.

                                You seem to have more than a beginner's knowledge of what you're trying to do. Hence, I'm confused as to how you don't understand what an SNM is as you're using different SNM masks for your subnets?

                                See you're using Lammle's RouterSim. Is it any good?

                                 

                                 

                                • 13. Re: Beginner help please
                                  greylegface

                                   

                                  We were given a few guides with the program to use, which showed us how to set up the configurations of the switches, hosts, add VLANs, etc., up to the point where I am, so if I have done something on there then it's been a complete fluke! lol

                                  It's kind of hard to explain my situation, as I don't really know much about networking, I'm more software tbh, but as we've been given this assignment I'm trying to understand it. I know as much that my VLANs have been set up on the 2950A switch and the 2950B switch is connected through the F0/10 with trunk, which allows the VLANs to be shared across the switches?

                                  I don't really understand anything you mentioned in that last reply, sorry, as I've not encountered any of those before. What I'll do is keep reading through some books and get back when I'm able to understand a bit more!!

                                  In response to your question about the package, it's easy to use and does what it says on the tin. As I have no prior use of other network simulation software I am unable to compare it to any other, but I like this one; it's easy to use, understand and has a nice interface to get hold of. I just wish I knew some more about the networking I was supposed to be doing, but we've all got to start somewhere!! lol

                                  Thanks again for the help.

                                   

                                   

                                  • 14. Re: Beginner help please
                                    greylegface

                                     

                                    Do I have to give my VLANs separate SNMs? VLAN 1 has 255.255.255.0 and the rest have the same! Would VLAN2 and 3 have to have different SNMs?

                                     

                                     

                                     

                                     

                                     

                                    thanks
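
Added example, not part of any poster's reply and not RouterSim or IOS code: a Python model of how an extended ACL entry of the form given in reply 5 is matched, using the host address from reply 2 and the Vlan2/Vlan3 interface addresses from the 2950A configuration in reply 11. The function names and the second host address 192.168.28.132 are constructed for illustration.

```python
"""Added example: extended-ACL matching with addresses quoted in this thread."""
from ipaddress import IPv4Address, IPv4Interface

ANY = ("0.0.0.0", "255.255.255.255")           # what IOS writes as "any"
HOST_A = "192.168.28.131"                      # host address from reply 2
VLAN2_IF = ("192.168.28.10", "255.255.255.0")  # interface Vlan2 on 2950A (reply 11)
VLAN3_IP = "192.168.28.11"                     # interface Vlan3 on 2950A (reply 11)
OTHER_HOST = "192.168.28.132"                  # constructed: a second host beside A


def wildcard(mask):
    """A wildcard mask is the bitwise inverse of the subnet mask."""
    return str(IPv4Address(int(IPv4Address(mask)) ^ 0xFFFFFFFF))


def subnet_of(addr, mask):
    """Subnet number that an interface address and mask belong to."""
    return str(IPv4Interface(f"{addr}/{mask}").network.network_address)


def term_matches(ip, base, wild):
    """Wildcard bits set to 0 must be equal; bits set to 1 are ignored."""
    care = ~int(IPv4Address(wild)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(base)) & care)


def evaluate(acl, src, dst):
    """First matching entry decides; no match means the implicit deny."""
    for action, (s_base, s_wild), (d_base, d_wild) in acl:
        if term_matches(src, s_base, s_wild) and term_matches(dst, d_base, d_wild):
            return action
    return "deny"


def build_acl(host, vlan_addr, vlan_mask):
    """deny ip host <host> <vlan subnet> <vlan wildcard>, then permit ip any any."""
    dst = (subnet_of(vlan_addr, vlan_mask), wildcard(vlan_mask))
    return [("deny", (host, "0.0.0.0"), dst), ("permit", ANY, ANY)]


def render(acl, number=101):
    """Entries written out in IOS extended access-list syntax."""
    def term(base, wild):
        if wild == "0.0.0.0":
            return f"host {base}"
        return "any" if (base, wild) == ANY else f"{base} {wild}"
    return [f"access-list {number} {a} ip {term(*s)} {term(*d)}" for a, s, d in acl]


ACL = build_acl(HOST_A, *VLAN2_IF)

if __name__ == "__main__":
    print("\n".join(render(ACL)))
    for src, dst in [(HOST_A, VLAN2_IF[0]), (HOST_A, VLAN3_IP),
                     (OTHER_HOST, VLAN2_IF[0])]:
        print(f"{src} -> {dst}: {evaluate(ACL, src, dst)}")
    # Without the trailing permit, every other packet hits the implicit deny.
    print("deny-only ACL:", evaluate(ACL[:1], OTHER_HOST, VLAN2_IF[0]))
```

With the masks as posted, interface Vlan2 (192.168.28.10) and interface Vlan3 (192.168.28.11) sit in the same 192.168.28.0/24, so the deny entry matches traffic to both addresses.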

                                     

                                     
