Vlan question


I want to create 4 VLANs on a 3560.

I just want to route them to the Internet and don't want any of them to interact with each other.

Is it possible?

Say vlan2, vlan3, vlan4 etc. on the switch.

Should I create a routed/trunk port from the switch to the router and turn off IP routing on my switch? The default route will be the IP address of the routed port of the switch.

Is it something where, if I turn off IP routing, it will behave like L2 for all the ports except the routed port?

Will all the traffic from the different VLANs go through this routed port to the Internet or not?



Richard Burts Wed, 09/24/2008 - 04:32


It is certainly possible to configure 4 VLANs on the 3560 and to have each of them route to the Internet. You could route them on the switch (with a routed link to the router and with a default route on the switch pointing to the router for Internet access) or you could turn off IP routing on the switch, configure the link from the switch to the router as a trunk, and have the routing done on the router. In this case traffic from each VLAN would go over the trunk to the router interface where the routing would be done.

The other part of your requirement (if I understand correctly) is that each VLAN should have access to the Internet but no access to any of the other VLANs. You would accomplish this by configuring appropriate access lists. The access lists would be configured on whichever device was doing the routing for the VLANs (it could be the switch or it could be the router).




Do I need to create ACLs to stop communication among VLANs in both cases?

I configured a routed port on the switch, turned on IP routing, and created VLANs and different ACLs to stop communication among the VLANs.

I would like to know: if I create a trunk port between the switch and the router and turn off IP routing on the switch (the switch will behave like L2), should the VLANs be on the switch or on the router?

Here again, do I need to create ACLs as well to stop inter-VLAN communication?

What will the config look like in this case if it is on the switch?

Here is a separate question based on best performance.

Suggest to me which one is the best practice for VLANs. Should one have VLANs on subinterfaces on the router or on the switch? My VLAN count can go above 10 and I also need to run DHCP per VLAN. Where should I create the VLANs?



Richard Burts Thu, 09/25/2008 - 04:12


You can do the routing on either the switch or on the router. Wherever you do the routing you will need the access lists. The default in routing is to route traffic between the VLANs. If you want to stop traffic between VLANs (only allow traffic out to the Internet) then you need to configure access lists to restrict the traffic. This is true whether you are routing on the switch or routing on the router.

It is more common (and perhaps would be best practice) to route the vlans on the switch.

I do not understand your question about where to create the vlans. Your original question was about where to route for the vlans and I understand that. But I do not understand the question about where to create vlans. It seems obvious to me that vlans are created on the switch. Is there some aspect of your question that I am not understanding?



u0087672js Wed, 09/24/2008 - 10:19

Add a default route pointing to your gateway. That should get them to the Internet. Create 4 separate VLANs with no inter-VLAN routing so they will not communicate with each other.

Once you create an SVI (VLAN interface) on the switch for the VLAN, and hosts use it as their gateway, inter-VLAN routing will occur.

What I can think of now is to apply an access-list on each VLAN interface to deny traffic from the VLAN subnet to the 3 other VLAN subnets.

e.g. for vlan 2 (<...> = placeholder for the subnet and wildcard-mask operands):

  access-list 100 deny ip <vlan2-subnet> <wildcard> <vlan3-subnet> <wildcard>
  access-list 100 deny ip <vlan2-subnet> <wildcard> <vlan4-subnet> <wildcard>
  access-list 100 permit ip <vlan2-subnet> <wildcard> any

and apply it:

  int vlan2
   ip access-group 100 in

Do this for the other three VLAN interfaces.
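The two answers above describe the same design: route the VLANs on the switch, and put a per-SVI access list on whichever device routes so each VLAN can reach the default route but not its neighbours. The script below is an added example, not code from the thread or from Cisco; it generates that switch configuration for any number of VLANs (the poster mentioned more than 10) and evaluates the generated ACL with IOS first-match semantics so the policy can be checked before it is pasted into a device. The addressing plan (10.0.<vlan>.0/24, gateway at .1), the next hop 192.0.2.1, and the "ACL number = 100 + VLAN id" convention are assumptions constructed for the example.

```python
import ipaddress

# Constructed addressing plan (not from the thread): one /24 per VLAN, SVI gateway at .1.
VLAN_PLAN = {2: "10.0.2.0/24", 3: "10.0.3.0/24", 4: "10.0.4.0/24", 5: "10.0.5.0/24"}
# Router end of the routed link from the 3560; 192.0.2.0/24 is a documentation range (constructed).
UPSTREAM_NEXT_HOP = "192.0.2.1"
ACL_BASE = 100  # ACL number = ACL_BASE + VLAN id, an arbitrary convention chosen here


def acl_for_vlan(vlan_id, plan=VLAN_PLAN):
    """Extended ACL for one VLAN: deny its subnet to every other VLAN subnet, then
    permit its subnet to anything else (the Internet). Order matters: IOS ACLs are
    first-match, and an unmatched packet hits the implicit deny at the end."""
    num = ACL_BASE + vlan_id
    src = ipaddress.ip_network(plan[vlan_id])
    lines = []
    for other_id, cidr in sorted(plan.items()):
        if other_id == vlan_id:
            continue
        dst = ipaddress.ip_network(cidr)
        lines.append(f"access-list {num} deny ip {src.network_address} {src.hostmask} "
                     f"{dst.network_address} {dst.hostmask}")
    lines.append(f"access-list {num} permit ip {src.network_address} {src.hostmask} any")
    return lines


def switch_config(plan=VLAN_PLAN, next_hop=UPSTREAM_NEXT_HOP):
    """Config lines for the 'route on the switch' design: ip routing on, one SVI per VLAN
    with its ACL applied inbound, and a default route toward the router."""
    cfg = ["ip routing"]
    for vlan_id, cidr in sorted(plan.items()):
        net = ipaddress.ip_network(cidr)
        gateway = net.network_address + 1
        cfg.extend(acl_for_vlan(vlan_id, plan))
        cfg.extend([
            f"vlan {vlan_id}",
            f"interface Vlan{vlan_id}",
            f" ip address {gateway} {net.netmask}",
            f" ip access-group {ACL_BASE + vlan_id} in",
        ])
    cfg.append(f"ip route 0.0.0.0 0.0.0.0 {next_hop}")
    return cfg


def _wildcard_match(ip, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip) & care) == (int(ipaddress.ip_address(base)) & care)


def _operand(tokens, i, ip):
    """Consume one ACL address operand ('any' or 'base wildcard') starting at tokens[i]."""
    if tokens[i] == "any":
        return True, i + 1
    return _wildcard_match(ip, tokens[i], tokens[i + 1]), i + 2


def acl_permits(acl_lines, src_ip, dst_ip):
    """First-match evaluation of the numbered-ACL lines produced above for an IP packet."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        tok = line.split()  # access-list N deny|permit ip <src operand> <dst operand>
        action = tok[2]
        src_ok, i = _operand(tok, 4, src)
        dst_ok, _ = _operand(tok, i, dst)
        if src_ok and dst_ok:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    print("\n".join(switch_config()))
    acl2 = acl_for_vlan(2)
    print("VLAN2 -> VLAN3:", acl_permits(acl2, "10.0.2.10", "10.0.3.10"))
    print("VLAN2 -> Internet:", acl_permits(acl2, "10.0.2.10", "203.0.113.5"))
```

The ACL is applied inbound on each SVI, so it filters packets as they arrive from that VLAN's hosts; because every SVI carries the same pattern, no VLAN can initiate a session toward another, and the same lines can be applied on router subinterfaces if the routing is moved to the router as discussed above. The final permit is deliberately broad (the VLAN subnet to any destination) to match what the thread describes; a production policy would normally narrow it to the services that should be reachable.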

