Routing between 2 VLAN
  • Routing between 2 VLAN

    Hi there again,

    I have 2 VLANs on one switch (vlan1 & vlan2). My problem is that I can connect from vlan1 to vlan2 - how can I disable it (I guess it is some kind of routing that I don't want)?

    Thanks,
    karellen

  • #2
    Re: Routing between 2 VLAN

    You can use ACLs on the L3 interfaces to filter traffic from one vlan to another. You can use protected ports (switchport protected); protected ports can't talk to one another (doesn't span switches though). If your switch supports private vlans, that is another option. Another option is to policy route the traffic from those vlans on a hop by hop basis.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Routing between 2 VLAN

      Switch type? Config?

      In order to go from one vlan to another, something/somewhere is providing a routed connection. Are you trying to disable all traffic between the two VLANs or just certain protocols?



      • #4
        Re: Routing between 2 VLAN

        Sorry, but I don't get it.

        I have tried to make Vlan2 a private Vlan. After that Vlan2 was not reachable from Vlan1 (that is exactly what I want), but Vlan2 didn't work anymore - no host inside Vlan2 was reachable from another host in Vlan2. So Vlan2 was 'dead'.

        I have tried to work a little with ACLs but nothing I do has any effect. I have created the ACLs with CNA and the command line:
        access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

        Any help would be nice...

        Thanks,
        karellen

        The switches are two stacked 3750G

        Code:
        #show vlan
        
        VLAN Name                             Status    Ports
        ---- -------------------------------- --------- -------------------------------
        1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                        Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi1/0/23
                                                        Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28, Gi1/0/29, Gi1/0/30, Gi1/0/31, Gi1/0/32, Gi1/0/33, Gi1/0/34
                                                        Gi1/0/35, Gi1/0/36, Gi1/0/37, Gi1/0/38, Gi1/0/42, Gi1/0/44, Gi1/0/50, Gi1/0/51, Gi1/0/52, Gi2/0/1, Gi2/0/2
                                                        Gi2/0/3, Gi2/0/4, Gi2/0/5, Gi2/0/6, Gi2/0/7, Gi2/0/8, Gi2/0/9, Gi2/0/10, Gi2/0/11, Gi2/0/12, Gi2/0/13, Gi2/0/14
                                                        Gi2/0/15, Gi2/0/16, Gi2/0/17, Gi2/0/18, Gi2/0/19, Gi2/0/20, Gi2/0/21, Gi2/0/22, Gi2/0/23, Gi2/0/24, Gi2/0/25
                                                        Gi2/0/26, Gi2/0/27, Gi2/0/28, Gi2/0/29, Gi2/0/30, Gi2/0/31, Gi2/0/32, Gi2/0/33, Gi2/0/34, Gi2/0/35, Gi2/0/36
                                                        Gi2/0/37, Gi2/0/38, Gi2/0/39, Gi2/0/40, Gi2/0/42, Gi2/0/44, Gi2/0/48, Gi2/0/49, Gi2/0/50, Gi2/0/51, Gi2/0/52
        2    VoIP                             active    Gi1/0/39, Gi1/0/40
        1002 fddi-default                     act/unsup
        1003 token-ring-default               act/unsup
        1004 fddinet-default                  act/unsup
        1005 trnet-default                    act/unsup
        
        VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
        ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
        1    enet  100001     1500  -      -      -        -    -        0      0
        2    enet  100002     1500  -      -      -        -    -        0      0
        1002 fddi  101002     1500  -      -      -        -    -        0      0
        1003 tr    101003     1500  -      -      -        -    -        0      0
        1004 fdnet 101004     1500  -      -      -        ieee -        0      0
        1005 trnet 101005     1500  -      -      -        ibm  -        0      0
        
        Remote SPAN VLANs
        ------------------------------------------------------------------------------
        
        
        Primary Secondary Type              Ports
        ------- --------- ----------------- ------------------------------------------
        #show access-lists
        Standard IP access list 1
            10 permit 192.168.2.30 (28 matches)
            20 permit 192.168.2.13 (2 matches)
            30 deny   any log
        Extended IP access list 100
            10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
        Last edited by karellen; 26th July 2010, 14:26.



        • #5
          Re: Routing between 2 VLAN

          You say you created private vlans. With private vlans you have promiscuous ports (can talk to everyone), community ports (can talk to other ports in that community) and isolated ports (can only talk to promiscuous ports). I can't see the config but you may want to google "private vlans".

          The ACLs should work:

          access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
          access-list 100 permit ip any any

          say 192.168.10.0 is vlan 10

          interface vlan 10
          ip add " "
          ip access-group 100 in (Remember the SVI is a virtual interface. The "in" keyword is any traffic coming from that vlan (in this case vlan 10) to the other vlan (in this case vlan 2).)
          Last edited by auglan; 26th July 2010, 21:06.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)



          • #6
            Re: Routing between 2 VLAN

            Forgot to add the permit any:



            access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
            access-list 100 permit ip any any
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Routing between 2 VLAN

              Finally got it!

              Code:
              access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
              access-list 100 permit ip any any     
              interface vlan 1
              ip access-group 100 in
              The private VLAN I was talking about was just for testing. After finding out that it didn't work I deleted it. What you see in my last post is the configuration without the private VLAN. The thing that was missing when I tried to create the ACL on the CLI was to assign the ACL to the VLAN (the last 2 lines from the sample above).

              Many thanks!!!
              karellen
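To make the ACL behaviour discussed in this thread concrete (wildcard-mask matching, the implicit deny that makes a deny-only ACL drop all routed traffic from the VLAN, and the fact that an ACL has no effect until it is bound to the SVI with ip access-group), here is an added Python model of how an IOS extended ACL on an SVI evaluates a packet. It is not code from the thread or from Cisco; the ACL lines are the ones posted above, and the host addresses used for testing are constructed.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def parse_ace(line: str):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' into (action, src, dst)."""
    tokens = line.split()
    action = tokens[2]
    rest = tokens[4:]  # skip 'access-list', number, action, 'ip'

    def take():
        if rest[0] == "any":
            rest.pop(0)
            return ("0.0.0.0", "255.255.255.255")
        if rest[0] == "host":
            rest.pop(0)
            return (rest.pop(0), "0.0.0.0")
        return (rest.pop(0), rest.pop(0))  # network, wildcard

    src = take()
    dst = take()
    return (action, src, dst)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def svi_forwards(acl_applied_in: bool, acl, src: str, dst: str) -> bool:
    """Routed traffic entering an SVI is only filtered once the ACL is bound
    with 'ip access-group <n> in'; an unbound ACL changes nothing."""
    if not acl_applied_in:
        return True
    return evaluate(acl, src, dst) == "permit"


# ACL as posted by auglan (deny inter-VLAN, then permit everything else).
ACL_WITH_PERMIT = [parse_ace(l) for l in [
    "access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 100 permit ip any any",
]]
# karellen's first attempt: a single deny and nothing after it.
ACL_DENY_ONLY = [parse_ace(
    "access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255")]
```

Run with `ACL_DENY_ONLY` applied and every routed packet from that VLAN hits the implicit deny, not just the inter-VLAN ones; intra-VLAN traffic never crosses the SVI, so it is untouched either way.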
