Accessing a Directly Connected Network

Unanswered Question

Is it possible to exclude a directly connected network on a router from the routing table? In other words, let's suppose that a router has an interface in network X; is it possible to prevent access to network X from any other network without using ACLs? For example, by making network X not routable (removing it from the routing table). Is that practically possible?


Kevin Dorrell Mon, 11/05/2007 - 05:23

I am not entirely clear why you would want to do this, but normally you could do it with an access-list.

You could shut down the router interface on that network, but I guess that is not what you are after.

If you are talking about a layer-3 switch, then simply delete the VLAN interface. That will leave you with the layer-2 still working, but with no routing into or out of it. That is, hosts on the VLAN could still communicate with each other, but not with any other VLAN.

Is it that you want the router just to act as a host on that network? If that is the case, then I cannot think of a way of doing it. What I usually do in that case is to find a layer-3 switch on my network that is only operating in layer-2 mode, i.e. with routing disabled, and configure a VLAN interface on that.

Kevin Dorrell


Thanks Kevin. Well yes, I am talking about a layer-3 switch that has VLAN interfaces configured. The idea is that one of these VLAN interfaces is going to be used to manage the switch (Telnet or SSH). I want to be able to manage the switch from within the same management VLAN while denying management access from any other network. I was wondering if it's possible to do that without using ACLs on the management VLAN interface.

Kevin Dorrell Mon, 11/05/2007 - 05:41

Oh, I see! So you cannot simply delete the layer-3 VLAN interface, 'cos that would zap your management functions as well.

Sorry, apart from the access lists (in this case applied to the vty lines as well as the VLAN interface), I cannot think of a better way to do it. How about anyone else?

Kevin Dorrell
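
A way to check that the access lists suggested in the reply above are actually in place, as an added example that is not part of the original thread: the script reads an IOS-style configuration and reports vty lines without an inbound `access-class`, and a management VLAN interface without an `ip access-group`, or with one that names an ACL the configuration never defines. The sample configuration, the interface name `Vlan99`, the ACL names and the addresses are constructed assumptions; the check covers presence only, not what the ACL permits.

```python
import re

# Constructed sample running-config, not taken from the thread. The interface
# name, ACL names/numbers and addresses are assumptions for illustration.
SAMPLE_CONFIG = """\
interface Vlan99
 ip address 192.0.2.1 255.255.255.0
 ip access-group MGMT-ONLY out
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
line vty 5 15
 transport input ssh
"""

def sections(config):
    """Map each top-level line to the list of indented sub-commands under it."""
    result, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            result[current] = []
        elif current is not None:
            result[current].append(line.strip())
    return result

def audit_mgmt_access(config, mgmt_interface):
    """List vty lines / management SVI with no ACL, or an ACL never defined."""
    secs = sections(config)
    # Names of numbered ACLs ("access-list 10 ...") and named ACL headers.
    acl_def = r"(?:access-list|ip access-list \S+) (\S+)"
    defined = {m.group(1) for h in secs if (m := re.match(acl_def, h))}
    targets = [(h, r"access-class (\S+) in\b") for h in secs if h.startswith("line vty")]
    targets.append((f"interface {mgmt_interface}", r"ip access-group (\S+) (?:in|out)\b"))
    findings = []
    for header, pattern in targets:
        acls = [m.group(1) for c in secs.get(header, []) if (m := re.match(pattern, c))]
        if not acls:
            findings.append(f"{header}: no ACL applied")
        findings += [f"{header}: ACL {a} not defined" for a in acls if a not in defined]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_mgmt_access(SAMPLE_CONFIG, "Vlan99")))
```

On the constructed sample it flags the second vty range, which has no `access-class`, and the `MGMT-ONLY` reference on the VLAN interface, which has no matching ACL definition.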


