02-04-2007 10:44 PM - edited 03-05-2019 02:09 PM
Hi, I am having problems in setting up a port to join more than 1 vlan using a 2960g router.
Whenever I try to add that one port to another vlan, it disappears from the previous one.
The setup I need requires that a server can visit clients; however, each client can only visit the server, and communication between clients is forbidden. I created a vlan for each client so that they are separated, but I need to add the server port to the client vlan as well.
02-04-2007 11:45 PM
This would perhaps be possible using the private vlan feature. Unfortunately for you, this is not supported on the 2960:
Regards,
Leo
02-05-2007 12:12 AM
Hi
If you have a layer 3 device you could use access-lists to restrict traffic flows between clients and between the clients and the servers.
If you are trying to do this at layer 2 only, I think you can still use access-lists, although you would need to have all your clients and the server in the same vlan.
Attached is the layer 2 access-list config guide for the 2960 switch:
http://www.cisco.com/en/US/products/ps6406/products_configuration_guide_chapter09186a00805a75be.html
HTH
Jon
02-05-2007 01:17 AM
From what I read in the document, I seem to be able to only filter inbound access to the whole network and not per client using my existing hardware.
I may occasionally need to let each client access the internet through the server, so I'm not sure if I can do that in addition to denying access.
Sorry if I misunderstood, I'm not really very knowledgeable in networking yet.
Looks like I need to use some other switch for what I require.
02-05-2007 01:31 AM
Hi
Maybe I misunderstood the requirements. I was thinking you could do the following:
access-list 101 permit ip host "client ip address" host "server ip address"
access-list 101 deny ip any any
Then apply access-list 101 to the client interface.
eg
interface "interface id"
ip access-group 101 in
This would allow the client to talk to the server but not to anything else within the vlan.
You could create separate access-lists for each client.
For the server you wouldn't need an access-list.
As mentioned before all clients + server would need to be in same vlan.
Does this not do what you want it to do?
HTH
Jon
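Added example, not part of Jon's post or any Cisco code: a Python model that generates one list per client in the form shown above and evaluates it with first-match semantics, to confirm client-to-server is permitted, client-to-client is denied, and a packet addressed to an internet host (rather than to the server's own IP) is also denied. The addresses, port names and function names are constructed for illustration, and the evaluator assumes only IP source/destination matching.

```python
import ipaddress

SERVER = "192.0.2.10"                                      # constructed server address
CLIENTS = {"Gi0/1": "192.0.2.21", "Gi0/2": "192.0.2.22"}   # constructed port -> client IP
INTERNET_HOST = "198.51.100.7"                             # constructed remote address

def build_acl(client_ip, server_ip):
    """One per-client list as (action, source, destination) entries."""
    return [("permit", client_ip, server_ip), ("deny", "any", "any")]

def render(port, number, acl):
    """Render the list and its inbound port binding in the form used in the thread."""
    def term(addr):
        return "any" if addr == "any" else f"host {addr}"
    lines = [f"access-list {number} {act} ip {term(s)} {term(d)}" for act, s, d in acl]
    return "\n".join(lines + [f"interface {port}", f" ip access-group {number} in"])

def matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, d in acl:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"

def check_policy():
    """Evaluate each client's inbound list against the flows the thread cares about."""
    results = {}
    for port, client in CLIENTS.items():
        acl = build_acl(client, SERVER)
        results[(client, SERVER)] = evaluate(acl, client, SERVER)
        for other in CLIENTS.values():
            if other != client:
                results[(client, other)] = evaluate(acl, client, other)
        # Routed internet traffic keeps the remote host as destination IP,
        # so it does not match the "host <server>" permit entry.
        results[(client, INTERNET_HOST)] = evaluate(acl, client, INTERNET_HOST)
    return results

if __name__ == "__main__":
    for number, (port, client) in enumerate(CLIENTS.items(), start=101):
        print(render(port, number, build_acl(client, SERVER)))
    for (src, dst), verdict in check_policy().items():
        print(f"{src} -> {dst}: {verdict}")
```

In this model, internet access through the server passes only when the client's packets are addressed to the server itself (for example a proxy running on it); otherwise each list needs additional permit entries.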