How to Create an Inter-only VLAN on a Router?

2023 SEASON SALE Networking and Security Showcase In-stock ICT products at exclusive discounts

VLAN (Virtual Local Area Networks) allow network switches to separate traffic based on a logical identifier, known as a VLAN ID. When used in conjunction with a router that supports sub- interfaces, a VLAN can be create that only allows users to access the Internet and no other resources on the network. The router can be configured to differentiate among devices connected on the Internet-only and other traffic arriving on the same physical connections, using access lists and routing tables to prevent the former from communicating with the latter
Create an Inter-only VLAN on a Router

What you need to create an internet only VLAN on a router

  • Network router that supports IEEE 802.1Q or ISL VLAN encapsulation
  • PC with the ability to connect to the router
  • Console cable (if Telnet or Web configuration is not available)

How to Create an Internet Only VLAN on a Router? Follow the steps…

1. Plan your network. You will need two separate, non-overlapping Internet Protocol (IP) address spaces for each network. The most common private address space is 192.168.y.x, with a subnet mask of 255.255.255.0 (where “Y” is a static number from 1 to 254 and X is the number that will be assigned to each individual host).

2. Connect to your router. On a Cisco router, this will either involve a telnet session to its administrative IP address or a direct connection from the serial port on your PC to the console port on the router. Other, consumer-level routers might use a Web interface that you access by typing its administrative IP into a Web browser. Check with the manufacturer for specific instructions on accessing their configuration interface.

3. Configure virtual sub-interfaces on the physical port connecting from the switch to the router. On a Cisco router, you will do this by entering the configuration mode for the interface (e.g.: “int ethernet0”) and then entering the sub-interface by typing “int [interface name][interface number].[vlan id]” (e.g. “int e0.1”).

4. Enable DOT1Q or ISL VLAN encapsulation on all sub-interfaces, giving each one a separate VLAN identification number (a number between 1 and 4094). On Cisco routers, this command is issued in the sub-interface configuration mode and is formatted as “encapsulation [DOT1Q or ISL] [VLAN ID]” (e.g.: “encapsulation dot1q 10” for vlan “10”). Issue this command separately for each sub-interface.

5. Assign all sub-interfaces a gateway address within their respective network. The gateway IP address is commonly the first or last host number of the network (e.g.: 192.168.2.x network would have an interface of 192.168.2.1 or 192.168.2.254). On a Cisco router, this command would be (in sub-interface configuration mode) “ip address [address] [subnet mask]” (e.g.: ip address 192.168.2.1 255.255.255.0)

6. Configure routing tables for each VLAN network. Ensure that the Internet-only VLAN has a default route (0.0.0.0) that points to the port in the router connected to the internet. In a Cisco router, you issue this command in global configuration mode by typing “ip route 0.0.0.0 0.0.0.0 [interface or IP address of next ‘hop’]”

7. Create a Access Control List (ACL) that will deny traffic from any member of the Internet-only network from accessing other networks. Access control lists can be tricky, but the individual command looks in Cisco routers like “access-list [ACL Number] deny [Internet-only network address] [Internet-only wildcard mask] [other network address] [other network wildcard mask] (e.g.: access-list 10 deny 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255).”

8. Apply the access list to the Internet-only sub-interface. In Cisco routers, you can do this by going into the interface configuration mode and issuing the command “access-group [ACL number/name] [in/out].”

 

Tips & Warnings

With all the different VLAN numbers and address, it is good to develop a system for consistency. Consider making the network number and VLAN ID the same, tying VLAN 2, for example, to the network 192.168.*2*.0. This way, you’ll know that hosts with a 192.168.2.x address are members of VLAN 2.

With Cisco routers, you can add comments to the sub-interface by issuing the “description [text]” or “remark [remark]” commands. This way, when you or another person has to work with the router configuration, they can get a clear description of what the sub-interface was designed to achieve (e.g. “description: This is the Internet-only VLAN”)

Cisco routers are some of the most common in the U.S.; however, many manufacturers provide access to these same configuration options through Web interfaces with pull-down menus and text boxes. Check with the manufacturer of you router to verify the best way to issue these commands.

Make sure that the port connecting the switch to the router is set as a VLAN trunk. If the port on the switch is not a trunk, it won’t forward any data frames from VLANs outside of the one to which are it assigned.

—Original resource from eHow

 

Reference from Cisco’s:

Creating an IP Access List and Applying It to an Interface

Configuring a Gateway of Last Resort Using IP Commands

 

More Related Cisco Network Info:

Simple Steps to Create a Non-Routed VLAN on Cisco Switch

LAN and VLAN on a Cisco Switch

Share This Post

Post Comment