06-07-2007 07:16 AM - edited 03-05-2019 04:33 PM
All, how come a client with config:
interface FastEthernet1/0/9
 description END NODES ONLY
 switchport access vlan 300
 switchport voice vlan 246
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
can ping and access a server with config:
interface GigabitEthernet4/0/21
 description PLT3-SAN1
 switchport access vlan 233
 switchport mode access
 spanning-tree portfast
How do I prevent that?
06-07-2007 07:25 AM
Rob
You have given information about the 2 specific ports but not about the switch or how the VLANs are configured. From what you gave it appears to be a chassis based switch. Many of these switches are capable of layer 3 operation. Is this configured as a layer 3 switch which provides inter VLAN routing? Or do VLANs 300 and 233 connect to a router that is providing inter VLAN routing?
From the fact that the client can access the server there must be something providing layer 3 services and routing. If you want to prevent the client from accessing the server the most drastic solution would be to eliminate layer 3 processing and inter VLAN routing. But that would mean that everything was isolated and you probably do not want that. So a more reasonable solution would be at the layer 3 device providing inter VLAN routing to do some filtering to prevent the client from accessing the server.
I am a bit puzzled why you do not want the client to access the server. Most of the time the reason that we build networks is so that clients can access servers. Perhaps you can clarify your environment and your requirements? This would help us to give you better answers.
HTH
Rick
06-07-2007 10:59 AM
Rick, thank you for your response. We are using 3750 so layer 3 is in full effect. I guess the reason why I want to prevent the client access to the server is because the server is a SAN and the SAN is on a separate VLAN that only iSCSI is traveling. I guess I would prefer not to allow clients to see this device.
06-07-2007 11:04 AM
Hi
If you want to prevent client traffic accessing the SAN then you could use an outbound access-list on the SAN vlan interface to deny any traffic from the client vlan.
HTH
Jon
06-07-2007 11:23 AM
Rob
If layer 3 routing is in place then that explains why the client can contact the server. Jon is right that if you want to prevent client(s) from accessing the SAN that you need to do some filtering. It could work as Jon suggests with an outbound filter on the interface to the SAN or it could work with an inbound filter on the interface of the client.
HTH
Rick
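The two filters suggested in this thread, written out as an added example for a 3750 that is doing the inter-VLAN routing (this is not configuration posted by anyone in the thread). The SVI names Vlan300 and Vlan233, the ACL names, and the subnets 192.0.2.0/24 (client VLAN 300) and 198.51.100.0/24 (SAN VLAN 233) are placeholder assumptions; only one of the two options is needed.

```cisco
! --- Option A: outbound ACL on the SAN VLAN interface ---
! Placeholder subnet: 192.0.2.0/24 = client VLAN 300 (assumed, not from the thread)
ip access-list extended BLOCK-CLIENTS-TO-SAN
 remark Drop routed traffic sourced from the client VLAN
 deny   ip 192.0.2.0 0.0.0.255 any
 remark Other routed sources are still allowed; tighten as required
 permit ip any any
!
interface Vlan233
 description SAN VLAN (iSCSI only)
 ip access-group BLOCK-CLIENTS-TO-SAN out
!
! --- Option B: inbound ACL on the client VLAN interface ---
! Placeholder subnet: 198.51.100.0/24 = SAN VLAN 233 (assumed, not from the thread)
ip access-list extended CLIENTS-NO-SAN
 remark Drop client traffic destined to the SAN subnet before it is routed
 deny   ip any 198.51.100.0 0.0.0.255
 permit ip any any
!
interface Vlan300
 description Client data VLAN
 ip access-group CLIENTS-NO-SAN in
!
! Notes:
! - An ACL on an SVI filters routed traffic only. Hosts inside VLAN 233
!   (the iSCSI initiators) still reach the SAN at layer 2.
! - The client port also carries voice VLAN 246. Neither ACL above matches
!   that VLAN's subnet; add a deny entry for it if phones should be blocked too.
! - Confirm the ACL is bound to the interface:
!     show ip interface Vlan233 | include access list
```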