
Inter VLAN routing and configuration.

ntmanjunath
Level 1

I have a topology like this. Five L2 switches have VLAN 1 and VLAN 2. The requirement is that VLAN 1 and 2 should be able to access the internet.

VLAN 1 should have access to all servers.

VLAN 2 must have access to only four servers (SQL, FTP, MAIL, HTTP), not the E-Lab server. What could be the configuration on the layer 3 switch and also the 1841 router? Please provide the complete configuration for this topology.


motokdbr68
Level 1

Hi,

Use an extended access list denying traffic from the VLAN 2 subnet to the IP of the E-Lab server and permitting all other traffic. Apply this to both the i/fs connecting to the switches, in the incoming direction.

This should not allow VLAN 2 traffic to the E-Lab server. All other destinations should be reachable.

The ACL will not affect VLAN 1. Both VLANs will be able to send traffic to the router and access the internet. Also, inter-VLAN communication will take place via the L3 switch. Both VLAN interfaces have to be created on the L3 switch, which will act as the g/w for the L2 switches for the respective VLANs.

Rgds,

Dhiren Shah

Can you please explain with commands for this topology? Any example?

Hi

What VLAN are the servers on?

Where is the inter-VLAN routing between VLAN 1 & 2 done: is it on the 3560 switch or the 1841 router?

What are the IP address ranges for:

vlan 1

vlan 2

server vlan (if different)

Jon

Hi,

Given below is a sample config. Try it and see if it works.

All the config is to be done on the L3 Switch.

Intervlan routing will take place on L3 switch.

vlan 1: 192.168.1.0 255.255.255.0

vlan 2: 192.168.2.0 255.255.255.0

E-lab server ip: 192.168.5.1 255.255.255.0

interface vlan 1

no shut

ip address 192.168.1.1 255.255.255.0

interface vlan 2

no shut

ip address 192.168.2.1 255.255.255.0

ACL cmd:

access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.5.1 0.0.0.0

access-list 101 permit ip any any

On i/f (f.e. fa0/0, fa0/1):

conf t

int fa0/0

ip access-group 101 in

int fa0/1

ip access-group 101 in

Thanks I got it

int fa0/0

ip access-group 101 in

int fa0/1

ip access-group 101 in

Are the Ethernet ports shown above connected to a trunk port, or are they connected to the E-Lab server?

Hi,

Yes, they are trunk ports and not the port connecting to the server.

__Dhiren

But what about NATing? Where and how will it be implemented?

In the above example the access list has been implemented on fa 0 and 1. I think these are L2 interfaces. Can we apply an IP ACL on an L2 interface?

Hi,

No, an ACL can't be implemented on L2 ports. But it can be implemented on a VLAN i/f. So, in the config suggested earlier, the ACL has to be applied to i/f vlan 2 (the concerned VLAN for which access to the e-lab router is to be restricted).
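To check what ACL 101 from this thread actually permits and denies, here is an added example (not part of any poster's reply) that evaluates it with first-match and implicit-deny semantics. It is a simplified Python model rather than IOS; the function names and every host address except 192.168.5.1 are assumptions, and the permit entry is written in full extended-ACL form (`permit ip any any`).

```python
import ipaddress

# ACL 101 as discussed in the thread (permit written in full extended syntax).
ACL_101 = ("access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.5.1 0.0.0.0\n"
           "access-list 101 permit ip any any\n")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        rest = tokens[4:]
        rules.append((tokens[2], parse_addr(rest), parse_addr(rest)))
    return rules

def matches(addr, spec):
    care = ~spec[1] & 0xFFFFFFFF  # a wildcard bit of 1 means "ignore this bit"
    return (_ip(addr) & care) == (spec[0] & care)

def evaluate(rules, src, dst):
    """First matching rule wins; falling off the end is the implicit deny."""
    for action, src_spec, dst_spec in rules:
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action
    return "deny"

# Constructed test flows: only 192.168.5.1 (E-Lab) comes from the thread.
FLOWS = [
    ("192.168.2.10", "192.168.5.1"),  # VLAN 2 host -> E-Lab server
    ("192.168.2.10", "192.168.5.2"),  # VLAN 2 host -> another server (assumed IP)
    ("192.168.2.10", "203.0.113.5"),  # VLAN 2 host -> internet (documentation range)
    ("192.168.1.10", "192.168.5.1"),  # VLAN 1 host -> E-Lab server
]

def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return [evaluate(rules, src, dst) for src, dst in FLOWS]
```

Calling `verdicts(ACL_101)` denies only the VLAN 2 to E-Lab flow. Passing just the deny line denies all four flows, because an ACL with no matching permit ends in the implicit deny.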

And what about NATing? Where and how will it be implemented?

In the case of 2 ISPs, how will it be implemented to load-balance the traffic b/w the two links?

OK. I understood.

The incoming traffic is denied from these two interfaces (f0/0 and f0/1).

The ACL is configured on the L3 switch only.

This is a new implementation and NATing is not configured till now.

jrjahangir
Level 1

You have not given the IP address information for your network. Give proper information, then I can give you the configuration.

Please contact me at: jrjahangir@yahoo.com

You can use any IP for understanding the concept. However I have assigned IP address for all devices. Please provide the configuration.
