How to Create an Internet-only VLAN on a Router?
VLANs (Virtual Local Area Networks) allow network switches to separate traffic based on a
logical identifier, known as a VLAN ID. When used in conjunction with a router that
supports sub-interfaces, a VLAN can be created that only allows its users to access the
Internet and no other resources on the network. The router can be configured to
distinguish traffic from devices on the Internet-only VLAN from other traffic arriving on
the same physical connection, using access lists and routing tables to prevent the
former from communicating with the latter.
What you need to create an Internet-only VLAN on a router
Network router that supports IEEE 802.1Q or ISL VLAN encapsulation
PC with the ability to connect to the router
Console cable (if SSH, Telnet or Web configuration is not available)
How to Create an Internet-only VLAN on a Router? Follow these steps.
1. Plan your network. You will need two separate, non-overlapping Internet Protocol (IP)
address ranges, one for each network. The most common private address space is
192.168.y.x with a subnet mask of 255.255.255.0 (a /24), where Y is a fixed number from 0
to 255 that identifies the network and X is the host number (1 to 254) assigned to each
individual device.
2. Connect to your router. On a Cisco router, this will either be an SSH (or, on older
devices, Telnet) session to its administrative IP address or a direct connection from the
serial port on your PC to the console port on the router. Prefer SSH wherever the router
supports it: Telnet sends the login credentials and the whole configuration session in
cleartext. Other, consumer-level routers might use a Web interface that you access by
typing the administrative IP into a Web browser. Check with the manufacturer for specific
instructions on accessing their configuration interface.
3. Configure virtual sub-interfaces on the physical port that connects the router to the
switch. On a Cisco router, enter configuration mode for the physical interface (e.g.
"interface ethernet0") and then create each sub-interface by typing "interface [interface
name][interface number].[sub-interface number]" (e.g. "interface e0.10"). The sub-interface
number does not have to equal the VLAN ID, but using the same number keeps the
configuration readable.
4. Enable 802.1Q (dot1q) or ISL VLAN encapsulation on each sub-interface, giving each one
the VLAN ID it should carry (a number between 1 and 4094 for 802.1Q). ISL is a legacy
Cisco-proprietary encapsulation; use 802.1Q unless your switch supports nothing else. On
Cisco routers this command is issued in sub-interface configuration mode and is formatted
as "encapsulation [dot1q or isl] [VLAN ID]" (e.g. "encapsulation dot1q 10" for VLAN 10).
Issue this command separately for each sub-interface.
5. Assign each sub-interface a gateway address within its respective network. The
gateway IP address is commonly the first or last host address of the network (e.g. the
192.168.2.0/24 network would have a router interface at 192.168.2.1 or 192.168.2.254). On
a Cisco router the command, in sub-interface configuration mode, is "ip address
[address] [subnet mask]" (e.g. "ip address 192.168.2.1 255.255.255.0").
6. Configure routing. The router installs a connected route for each sub-interface
network automatically, so the route you normally have to add by hand is a default route
(0.0.0.0/0) that points to the router port connected to the Internet; the Internet-only
VLAN depends on it. On a Cisco router you issue this command in global configuration
mode: "ip route 0.0.0.0 0.0.0.0 [exit interface or IP address of the next hop]".
7. Create an access control list (ACL) that denies traffic from any member of the
Internet-only network to the other networks. Because the rule has to match on the
destination as well as the source, it must be an extended ACL (numbered 100-199 or
2000-2699, or a named extended list); a standard ACL (numbered 1-99) matches only the
source address and cannot express this. Access control lists can be tricky, but on Cisco
routers the individual command looks like "access-list [ACL number] deny ip
[Internet-only network address] [Internet-only wildcard mask] [other network address]
[other network wildcard mask]" (e.g., assuming the internal LAN is 192.168.1.0/24:
"access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"). Every ACL ends with
an implicit "deny any", so after the deny lines add "access-list 110 permit ip any any";
without it the Internet-only hosts cannot reach anything at all, the Internet included.
8. Apply the access list inbound on the Internet-only sub-interface, so that packets are
filtered as they arrive from that VLAN. On Cisco routers, go into the sub-interface
configuration mode and issue the command "ip access-group [ACL number or name] in".
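The whole procedure as one Cisco IOS configuration. This is an added example, not configuration from the original article. The topology, interface names and addresses are assumptions: GigabitEthernet0/0 is the trunk to the switch, GigabitEthernet0/1 faces the ISP with next hop 203.0.113.1 (a documentation address), VLAN 10 is the internal LAN 192.168.10.0/24 and VLAN 20 is the Internet-only VLAN 192.168.20.0/24. The ACL is a named extended list rather than a numbered one, which lets it carry remarks.

```cisco
! Added example (assumed topology), not the article's own configuration.
! Gi0/0 = 802.1Q trunk to the switch, Gi0/1 = uplink to the ISP (next hop 203.0.113.1).
interface GigabitEthernet0/0
 description Trunk to the LAN switch
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 description Internal LAN (VLAN 10)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description Internet-only VLAN (VLAN 20)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group INTERNET-ONLY in
!
interface GigabitEthernet0/1
 description Uplink to the ISP
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! Connected routes for the two VLANs appear automatically; only the default route is added.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
ip access-list extended INTERNET-ONLY
 remark DHCP requests (broadcast from 0.0.0.0) if this router or a relay hands out leases
 permit udp any eq bootpc any eq bootps
 remark Block the internal LAN explicitly
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark Defensively block all other RFC 1918 space, so a VLAN added later is covered too
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else is the Internet; the implicit deny would otherwise block it
 permit ip any any
```

Two consequences of this policy are worth knowing. First, an inbound ACL also filters packets addressed to the router itself, so the RFC 1918 denies stop Internet-only hosts from pinging or logging in to 192.168.20.1; if the router must answer DNS for them, add a specific "permit udp 192.168.20.0 0.0.0.255 host 192.168.20.1 eq domain" above the denies rather than a blanket permit to the gateway. Second, with private addressing on both VLANs the router also needs NAT on the uplink before either VLAN can reach the Internet; the article does not cover NAT and neither does this example.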
Tips & Warnings
With all the different VLAN numbers and addresses, it is good to develop a system for
consistency. Consider making the network number and VLAN ID the same, tying VLAN 2,
for example, to the network 192.168.2.0. This way, you will know that hosts with a
192.168.2.x address are members of VLAN 2.
With Cisco routers, you can document the configuration in place: the "description [text]"
command on a sub-interface, and the "remark [text]" command inside an ACL, record what
each object was designed to achieve. This way, when you or another person has to work
with the router configuration, they can get a clear description of what the sub-interface
or access list is for (e.g. "description This is the Internet-only
Cisco routers are among the most common in the U.S.; however, many manufacturers
provide access to these same configuration options through Web interfaces with pull-
down menus and text boxes. Check with the manufacturer of your router to verify the best
way to issue these commands.
Make sure that the switch port connecting the switch to the router is configured as a
VLAN trunk. If the switch port is not a trunk, it will only forward frames from the single
VLAN to which it is assigned, and the router's sub-interfaces will never see tagged traffic.
Keep the trunk's native (untagged) VLAN separate from both user VLANs as well: frames
on the native VLAN cross the trunk without a tag, which is what double-tagging VLAN
hopping relies on to push frames from one VLAN into another.
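Step 7 is where this setup most often goes wrong, so here is a small offline check of the ACL logic. This is an added example, not code from the original article: it models Cisco extended-ACL evaluation (first matching line wins, wildcard masks, implicit deny at the end) and runs two constructed flows from an Internet-only host through two policies, the single "deny" line as the article gives it and the same line followed by "permit ip any any". The internal LAN address 192.168.1.0/24 and the sample hosts are assumptions.

```python
"""Added example, not from the original article: a minimal model of Cisco
extended-ACL evaluation, used to check the Internet-only policy offline."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored.
    Equivalent to (addr & ~wildcard) == (network & ~wildcard)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


# Each entry mirrors "access-list 110 <action> ip <src> <src_wc> <dst> <dst_wc>".
def evaluate(acl, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet. The first matching line wins;
    a packet that matches no line hits the implicit 'deny any any' at the end."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


# Assumed networks: 192.168.2.0/24 is Internet-only, 192.168.1.0/24 is the internal LAN.
DENY_LAN = ("deny", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")
PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")

# The policy with only the deny line, as the article shows it.
DENY_ONLY_ACL = [DENY_LAN]
# The corrected policy: deny the internal LAN, then permit everything else.
CORRECTED_ACL = [DENY_LAN, PERMIT_ANY]

# Constructed sample flows from an Internet-only host (198.51.100.7 is a documentation address).
SAMPLE_FLOWS = {
    "to_internal_lan": ("192.168.2.50", "192.168.1.10"),
    "to_internet": ("192.168.2.50", "198.51.100.7"),
}


def check_policy(acl) -> dict:
    """Evaluate every sample flow against an ACL; returns {flow name: verdict}."""
    return {name: evaluate(acl, src, dst) for name, (src, dst) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("deny-only", DENY_ONLY_ACL), ("corrected", CORRECTED_ACL)):
        print(label, check_policy(acl))
```

The deny-only policy returns "deny" for both flows, because the Internet-bound packet matches nothing and falls through to the implicit deny; the corrected policy denies the LAN flow and permits the Internet flow. The model only checks source and destination addresses, which is all the article's rule uses; protocol and port matching are left out.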