Client on VLAN 1 can ping and access Client on VLAN 2

Unanswered Question
Jun 7th, 2007

All, how come a client with this config:

interface FastEthernet1/0/9
 description END NODES ONLY
 switchport access vlan 300
 switchport voice vlan 246
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast

can ping and access a server with this config:

interface GigabitEthernet4/0/21
 description PLT3-SAN1
 switchport access vlan 233
 switchport mode access
 spanning-tree portfast

How do I prevent that?

Richard Burts Thu, 06/07/2007 - 07:25


You have given information about the 2 specific ports but not about the switch or how the VLANs are configured. From what you gave it appears to be a chassis-based switch. Many of these switches are capable of layer 3 operation. Is this configured as a layer 3 switch which provides inter-VLAN routing? Or do VLANs 300 and 233 connect to a router that is providing inter-VLAN routing?

From the fact that the client can access the server there must be something providing layer 3 services and routing. If you want to prevent the client from accessing the server the most drastic solution would be to eliminate layer 3 processing and inter-VLAN routing. But that would mean that everything was isolated and you probably do not want that. So a more reasonable solution would be, at the layer 3 device providing inter-VLAN routing, to do some filtering to prevent the client from accessing the server.

I am a bit puzzled why you do not want the client to access the server. Most of the time the reason that we build networks is so that clients can access servers. Perhaps you can clarify your environment and your requirements? This would help us to give you better answers.



rwamstutz Thu, 06/07/2007 - 10:59

Rick, thank you for your response. We are using 3750 so layer 3 is in full effect. I guess the reason why I want to prevent the client access to the server is because the server is a SAN and the SAN is on a separate VLAN that only iSCSI is traveling. I guess I would prefer not to allow clients to see this device.

Jon Marshall Thu, 06/07/2007 - 11:04


If you want to prevent client traffic accessing the SAN then you could use an outbound access-list on the SAN VLAN interface to deny any traffic from the client VLAN.



Richard Burts Thu, 06/07/2007 - 11:23


If layer 3 routing is in place then that explains why the client can contact the server. Jon is right that if you want to prevent client(s) from accessing the SAN you need to do some filtering. It could work as Jon suggests with an outbound filter on the interface to the SAN, or it could work with an inbound filter on the interface of the client.
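Both placements that Jon and Rick describe, written out as a worked example. This is added illustration, not configuration from the thread: the thread gives no IP addressing, so the subnets, SVI addresses and ACL names below are assumptions, and the 3750 is assumed to be doing the inter-VLAN routing on SVIs (as the original poster says it is).

```cisco
! Added example, not from the thread. Assumed addressing (none is given above):
!   VLAN 300 (client, END NODES ONLY)  10.30.0.0/24, SVI 10.30.0.1
!   VLAN 233 (SAN / iSCSI)             10.23.3.0/24, SVI 10.23.3.1
! Both ACLs carry the same deny; apply ONE of the two placements, not both.
!
! Option 1 (Jon): outbound on the SAN SVI. Packets that have already been
! routed toward VLAN 233 from the client subnet are dropped before they leave.
ip access-list extended SAN-VLAN-OUT
 remark drop client VLAN -> SAN, allow everything else (e.g. a management host)
 deny   ip 10.30.0.0 0.0.0.255 10.23.3.0 0.0.0.255
 permit ip any any
!
interface Vlan233
 description SAN / iSCSI VLAN
 ip address 10.23.3.1 255.255.255.0
 ip access-group SAN-VLAN-OUT out
!
! Option 2 (Rick): inbound on the client SVI. Packets are dropped as they
! arrive from VLAN 300, before any routing decision is made for them.
ip access-list extended CLIENT-VLAN-IN
 remark drop client VLAN -> SAN, allow everything else
 deny   ip 10.30.0.0 0.0.0.255 10.23.3.0 0.0.0.255
 permit ip any any
!
interface Vlan300
 description client VLAN
 ip address 10.30.0.1 255.255.255.0
 ip access-group CLIENT-VLAN-IN in
!
! Check after applying: the ping from the VLAN 300 client must now fail and
! the deny entry's match counter must climb.
! Switch# show ip access-lists SAN-VLAN-OUT
```

Two points worth knowing before choosing. A router ACL on an SVI only sees traffic that is routed through that SVI, so hosts with a NIC directly in VLAN 233 (the iSCSI initiators) still reach the SAN untouched, which is the behaviour wanted here. The single deny is enough to kill sessions in both directions: a session the SAN opened toward a client would leave, but the client's replies are sourced from 10.30.0.0/24 toward 10.23.3.0/24 and are dropped. Leave the log keyword off the deny entry on a production 3750; ACL logging on that platform is handled by the CPU rather than in the forwarding hardware, and a busy client VLAN can generate a lot of matches.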



