Control VLAN routing on a multi layer switch

Unanswered Question
May 3rd, 2007

I have a scenario where a layer three switch is configured with 50 VLANs and I want to enable layer 3 switching/routing between only 5 VLANs. When I enable ip routing on the switch I enable routing between all VLANs. I don't want to administer multiple ACLs to restrict access; is there another way to stop traffic routing between specific VLANs?

Anand S Thu, 05/03/2007 - 02:52

No, an ACL is the only way to block the traffic for a specific VLAN. If you want all traffic between all VLANs to be blocked, don't enable ip routing; for a specific VLAN, you need to have an ACL.

Hope this helps.

Rate this post if satisfied.

bjornarsb Thu, 05/03/2007 - 03:11


How about enabling Multiprotocol Label Switching on your layer 3 switch? Then you can get a separate routing instance for groups of your VLANs by putting them in separate VRFs.

For more detailed information about configuring Multiprotocol Label Switching, have a look at this link:



glen.grant Thu, 05/03/2007 - 03:32

I think you need to be more specific: do you have 50 layer 2 VLANs or 50 layer 3 VLANs currently? If they are layer 2 VLANs then only create the layer 3 SVIs for the 5 you want to route between. If you already have 50 layer 3 SVIs defined then ACLs are your only option.

paulo.s Thu, 05/03/2007 - 07:48

Hi. If you create interfaces for just these 5 VLANs, and don't create them for the other 45 VLANs, I think your problem is solved.

Hope I helped you.

Paulo Maurício

Jon Marshall Thu, 05/03/2007 - 11:20

Hi Peter

As others have said, it's all down to whether or not you have created a Layer 3 interface on the switch.

If you create 50 vlans on the switch so that when you do a "show vlan" you see all 50 then these are layer 2 vlans only. You can enable ip routing and still there will be no routing between these vlans because they are only layer 2.

To route between vlans you need to create layer 3 interfaces for your vlans, e.g.

You have a layer 2 vlan - vlan 20. To create a layer 3 interface (SVI) for it you would use the following commands:

    interface vlan 20
    ip address x.x.x.x "subnet mask"
    no shut

A "show ip interface brief" on the switch will show you which vlan interfaces you have created.

Only those vlans with L3 interfaces will be able to talk to each other. No layer 3 interface and clients within that vlan can only talk to clients within the same vlan.

Hope this makes sense
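
Added example (not part of the original thread or any poster's code): a small Python audit that reads a saved running-config and reports which VLANs have an active layer 3 SVI, then compares that set against the VLANs you intend to route between. The sample config, the function names `routed_vlans` and `audit`, and the intended VLAN sets are constructed for illustration; it assumes IOS-style indentation, statically addressed SVIs, and that ip routing is enabled.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
ip routing
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 no ip address
!
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 shutdown
!
interface GigabitEthernet0/1
 switchport access vlan 30
"""

def routed_vlans(config):
    """Return VLAN IDs whose SVI has an IP address and is not shut down."""
    routed, vlan, has_ip, shut = set(), None, False, False
    def flush():
        if vlan is not None and has_ip and not shut:
            routed.add(vlan)
    for line in config.splitlines() + ["!"]:
        m = re.match(r"interface\s+vlan\s*(\d+)\s*$", line, re.I)
        if m or not line.startswith(" "):
            flush()  # any top-level line ends the previous interface block
            vlan, has_ip, shut = (int(m.group(1)) if m else None), False, False
        elif vlan is not None:
            stripped = line.strip()
            has_ip |= bool(re.match(r"ip address \d", stripped))
            shut |= stripped == "shutdown"
    return routed

def audit(config, intended):
    """Return (unexpected, missing) SVIs relative to the intended routed set."""
    actual = routed_vlans(config)
    return sorted(actual - intended), sorted(intended - actual)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, intended={10, 30}))
```

Any VLAN in the first list has an SVI that lets it route to the others and needs either its SVI removed or an ACL; VLANs in the second list are layer 2 only.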


