Inter VLAN routing and configuration.

Unanswered Question
Feb 3rd, 2008

I have a topology like this.Five L2 Switchs have the VLAN 1 and VLAN 2...Rquiremet is VLAN 1 and 2 shud be able to access the internet.

VLAN 1 shud Have access to all servers.

VLAN 2 Must have access to only Four servers (SQL,FTP,MAIL,HTTP) except E-Lab server.What could be the configuration in layer 3 switch and also the router 1841.please provide the complete configuration for this topology

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
motokdbr68 Wed, 02/06/2008 - 23:26


Use extended access list denying traffic from vlan 2 subnet to the ip of E-Lab server and permitting all other traffic. Apply this to both the i/fs connecting to switches, in incoming direction.

This should not allow vlan 2 traffic to e-lab server. Traffic to all other destinations should be reachable.

ACL will not effact vlan 1. Both vlans will be able to send traffic to the router and access internet. Also, intervlan communication will take place via L3 switch. Both the vlans interface have to be created on L3 Switch,which will act as g/w for the L2 switches for the respective vlans.


Dhiren Shah

Jon Marshall Thu, 02/07/2008 - 01:39


What vlan are the servers on ?

Where is the inter-vlan routing between vlan 1 & 2 done - is it on the 3560 switch or the 1841 router.

What are the IP address ranges for

vlan 1

vlan 2

server vlan (if different)


motokdbr68 Thu, 02/07/2008 - 02:39


Given below is the sample config.. Try and see if it works.

All the config is to be done on the L3 Switch.

Intervlan routing will take place on L3 switch.

vlan 1:

vlan 2:

E-lab server ip:

interface vlan 1

no shut

ip address

interface vlan 2

no shut

ip address

ACL cmd:

access-list 101 deny ip

access-list 101 permit any

On i/f (f.e. fa0/0, fa0/1):

conf t

int fa0/0

ip access-group 101 in

int fa0/1

ip access-group 101 in

ntmanjunath Thu, 02/07/2008 - 03:06

Thanks I got it

int fa0/0

ip access-group 101 in

int fa0/1

ip access-group 101 in

The above shown Ethernet ports are connected to trunk port? Or it's connected to E-Lab server

motokdbr68 Thu, 02/07/2008 - 03:18


yes, they are trunk ports and not the port connecting to server.


munawar.zeeshan Fri, 02/08/2008 - 01:12

but what about NATing? where and how it will be implemented ?

In the above example the Access list has been implemeted on fa 0 and 1. I think these are L2 interfaces.. can we apply an IP ACL on a L 2 interface ?

motokdbr68 Fri, 02/08/2008 - 01:20


No, ACL cant be implemented on l2 ports.. But, can be implemented on vlan i/f. So, in the config suggested earlier, i/f vlan 2(the concerned vlan for which access to e-lab router is to be restricted) has to be applied with ACL.

munawar.zeeshan Fri, 02/08/2008 - 01:33

and what about NATing? where and how it will be implemented ?

In case of 2 ISPs how it will be implemented to loadbalance the traffic b/w the two links

ntmanjunath Fri, 02/08/2008 - 02:14

OK.I understood.

The incoming traffic is deny from these two interface (f0/0 and f0/1)

The ACL configured L3 switch only

This is new implementation and nating is not configured till now.


This Discussion