How to set up a multi-vlan port

Unanswered Question
Feb 4th, 2007

Hi, I am having problems in setting up a port to join more than 1 vlan using a 2960g router.

Whenever I try to add that one port to another vlan, it disappears from the previous one.

The setup I need requires that a server can visit clients, however each client can only visit the server, communication between clients is forbidden. I created a vlan for each client so that they are separated but I need to add the server port to the client vlan as well.

Jon Marshall Mon, 02/05/2007 - 00:12

Hi

If you have a layer 3 device you could use access-list to restrict traffic flows between clients and between the clients and the servers.

If you are trying to do this at layer 2 only I think you can still use access-list although you would need to have all your clients and the server in the same vlan.

Attached is layer 2 access-list config guide for 2960 switch

http://www.cisco.com/en/US/products/ps6406/products_configuration_guide_chapter09186a00805a75be.html

HTH

Jon

wilbertchoa Mon, 02/05/2007 - 01:17

From what I read in the document, I seem to be able to only filter inbound access to the whole network and not per client using my existing hardware.

I may occasionally need to let each client access the internet through the server so I'm not sure if I can do that in addition to denying access.

Sorry if I misunderstood, I'm not really very knowledgeable in networking yet.

Looks like I need to use some other switch for what I require.

Jon Marshall Mon, 02/05/2007 - 01:31

Hi

Maybe I misunderstood the requirements. I was thinking you could do the following:

access-list 101 permit ip host "client ip address" host "server ip address"

access-list 101 deny ip any any

Then apply access-list 101 to the client interface.

eg

interface "interface id"

ip access-group 101 in

This would allow the client to talk to the server but not to anything else within the vlan.

You could create separate access-lists for each client.

For the server you wouldn't need an access-list.

As mentioned before all clients + server would need to be in same vlan.

Does this not do what you want it to do?

HTH

Jon
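
The per-client access-list approach from the reply above, as an added example that is not part of the original thread: it generates one ACL per client port and models first-match evaluation with the implicit deny, so the isolation policy can be checked before it is applied. The addresses and port names are constructed sample values, and only `host` / `any` entries for `ip` are modelled.

```python
import ipaddress

# Constructed sample addressing (not from the thread): one server, two clients, one VLAN.
SERVER = "192.168.10.10"
CLIENTS = {"Gi0/2": "192.168.10.21", "Gi0/3": "192.168.10.22"}  # hypothetical ports

def build_acl(number, client_ip, server_ip):
    """Return the per-client ACL from the post as IOS lines."""
    return [
        f"access-list {number} permit ip host {client_ip} host {server_ip}",
        f"access-list {number} deny ip any any",
    ]

def _matches(tokens, addr):
    """Consume one address spec ('host A.B.C.D' or 'any') and test addr against it."""
    kind = tokens.pop(0)
    if kind == "any":
        return True
    if kind == "host":
        return ipaddress.ip_address(tokens.pop(0)) == ipaddress.ip_address(addr)
    raise ValueError(f"unsupported address spec: {kind}")

def evaluate(acl_lines, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        tokens = line.split()[2:]          # drop 'access-list <n>'
        action, proto = tokens.pop(0), tokens.pop(0)
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled")
        src_ok = _matches(tokens, src)     # always consume both specs
        dst_ok = _matches(tokens, dst)
        if src_ok and dst_ok:
            return action
    return "deny"

def port_config(start=101):
    """One ACL per client port, numbered from `start`, to be applied inbound."""
    out = {}
    for n, (port, ip) in enumerate(sorted(CLIENTS.items()), start=start):
        out[port] = build_acl(n, ip, SERVER)
    return out

if __name__ == "__main__":
    for port, acl in port_config().items():
        number = acl[0].split()[1]
        print("\n".join(acl + [f"interface {port}", f" ip access-group {number} in", "!"]))
```

The ACL matches on the destination IP address, not on the next hop, so a client packet addressed to an internet host is denied even if the server is its gateway; internet access through the server only passes this ACL when the client addresses the server itself, for example as a proxy.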
