Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
537
Views
0
Helpful
4
Replies

Client on VLAN 1 can ping and access Client on VLAN 2

rwamstutz
Level 1
Level 1

‎06-07-2007 07:16 AM - edited ‎03-05-2019 04:33 PM

All, How come client with Config:

interface FastEthernet1/0/9

description END NODES ONLY

switchport access vlan 300

switchport voice vlan 246

srr-queue bandwidth share 10 10 60 20

srr-queue bandwidth shape 10 0 0 0

mls qos trust device cisco-phone

mls qos trust cos

auto qos voip cisco-phone

spanning-tree portfast

can ping and access server with config:

interface GigabitEthernet4/0/21

description PLT3-SAN1

switchport access vlan 233

switchport mode access

spanning-tree portfast

How do I prevent that?

Labels:
0 Helpful
4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

‎06-07-2007 07:25 AM

Rob

You have given information about the 2 specific ports but not about the switch or how the VLANs are configured. From what you gave it appears to be a chassis based switch. Many of these switches are capable of layer 3 operation. Is this configured as a layer 3 switch which provides inter VLAN routing? Or do VLANs 300 and 233 connect to a router that is providing inter VLAN routing?

From the fact that the client can access the server there must be something providing layer 3 services and routing. If you want to prevent the client from accessing the server the most drastic solution would be to eliminate layer 3 processing and inter VLAN routing. But that would mean that everything was isolated and you probably do not want that. So a more reasonable solution would be at the layer 3 device providing inter VLAN routing to do some filtering to prevent the client from accessing the server.

I am a bit puzzled why you do not want the client to access the server. Most of the time the reason that we build networks is so that clients can access servers. Perhaps you can clarify your environment and your requirements? This would help us to give you better answers.

HTH

Rick

HTH

Rick
0 Helpful

rwamstutz
Level 1
Level 1
In response to Richard Burts

‎06-07-2007 10:59 AM

rick, thank you for your reponse. We are using 3750 so layer 3 is in full effect. I guess the reason why I want to prevent the client access to the Server is becauset the server is a SAN and the SAN is on a seperate VLAN that only ISCSI is traveling. I guess I would prefer not to allow clients to see this device.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to rwamstutz

‎06-07-2007 11:04 AM

Hi

If you want to preevent client traffic accessing the SAN then you could use an outbound access-list on the SAN vlan interface to deny any traffic from the client vlan.

HTH

Jon

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Jon Marshall

‎06-07-2007 11:23 AM

Rob

If layer 3 routing is in place then that explains why the client can contact the server. Jon is right that if you want to prevent client(s) from accessing the SAN that you need to do some filtering. It could work as Jon suggests with an outbound filter on the interface to the SAN or it could work with an inbound filter on the interface of the client.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card