Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
9
Helpful
6
Replies

Vlan question

sushil
Level 1
Level 1

‎09-24-2008 04:18 AM - edited ‎03-03-2019 11:40 PM

I want to create 4 vlans on 3560.

Here just want to route them to internet and don't want any of them to intract with each other..

Is it possible?

Say vlan2 192.168.10.1,vlan3 192.168.11.1,

Vlan4 192.168.12.1 etc. on switch.

Should I create a routed/trunk port from on switch to router and turn of the ip routing on my switch.default route will be ip address of routed port of switch.

Is it something where If I turn of IP routing it will behave like L2 for all the prots excpet the routed port?

Will all the traffic from different vlans be going through this routed port to internet or not?

Reg,

Sushil

Labels:
0 Helpful
6 Replies 6

Richard Burts
Hall of Fame
Hall of Fame

‎09-24-2008 04:32 AM

Sushil

It is certainly possible to configure 4 VLANs on the 3560 and to have each of them route to the Internet. You could route them on the switch (with a routed link to the router and with a default route on the switch pointing to the router for Internet access) or you could turn off IP routing on the switch, configure the link from the switch to the router as a trunk, and have the routing done on the router. In this case traffic from each VLAN would go over the trunk to the router interface where the routing would be done.

The other part of your requirement (if I understand correctly) is that each VLAN should have access to the Internet but no access to any of othe other VLANs. You would accomplish this by configuring appropriate access lists. The access lists would be configured on whichever device was doing the routing for the VLANs (it could be the switch or it could be the router).

HTH

Rick

HTH

Rick
0 Helpful

sushil
Level 1
Level 1
In response to Richard Burts

‎09-24-2008 08:54 PM

Rick,

Do I need to create acl to stop communication among vlans in both the cases?

I configured routed port on switch.Turned on ip routing.created vlans and differnet acl to stop communication among vlans.

Would like to know if I create trunk port b/w switch and router and turn off the ip routing on the switch(switch will behave like L2).VLans should be on switch or router?

Here agian do I need to create acl as well to stop intervlan communication?

What will be config like in this case if it is on switch.

Here is one separate question based on best performance.

Suggest me which one is the best practice to have vlans.Should one have vlans on subinterfaces on router or on your switch.My vlan size can go more than 10 and also need to run dhcp per vlan.Where should I create vlan?

Reg,

Sushil

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to sushil

‎09-25-2008 04:12 AM

Sushil

You can do the routing on either the switch or on the router. Where ever you do the routing you will need the access lists. The default in routing is to route traffic between the vlans. If you want to stop traffic between vlans (only allow traffic out to the Internet) then you need to configure access lists to restrict the traffic. This is true whether you are routing on the switch or routing on the router.

It is more common (and perhaps would be best practice) to route the vlans on the switch.

I do not understand your question about where to create the vlans. Your original question was about where to route for the vlans and I understand that. But I do not understand the question about where to create vlans. It seems obvious to me that vlans are created on the switch. Is there some aspect of your question that I am not understanding?

HTH

Rick

HTH

Rick

sushil
Level 1
Level 1
In response to Richard Burts

‎09-25-2008 04:33 AM

Thanks Rick for the info.I got it.I was asking about best practice about vlans creation.As we can create it on the router/firewall on subinterfaces as well.

Got the confusion I had.Thanks for your reply.

Reg,

Sushil

0 Helpful

u0087672js
Level 1
Level 1

‎09-24-2008 10:19 AM

Add a default route pointing to your gateway. That should get them to the Internet. Create 4 seperate VLANs with no intervlan routing so they will not communicate with each other.

0 Helpful

akin_lopez
Level 1
Level 1

‎09-25-2008 01:33 AM

once you create SVI (vlan interface) on the switch for the Vlan, and host using them as their gateway, inter vlan routing will occur.

what i can think of now is to apply access-list on each vlan interface to deny traffic from the vlan subnet from going to the 3 other vlan subnets.

e.g for vlan 2

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255

etc.

access-list 100 permit ip 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255

and apply it

int vlan2

access-group 100 in

do this for the other three vlan interfaces.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card