inter vlan configure in 3650 switch

Oct 22nd, 2008

How can I configure this type of VLAN communication?

VLAN 10 should communicate only with VLAN 20, VLAN 30, VLAN 40 and VLAN 50, but VLAN 20, VLAN 30, VLAN 40 and VLAN 50 should not communicate with each other.

itdsmartnet Wed, 10/22/2008 - 23:25

Hi,

You can achieve this by configuring ACLs and applying those ACLs to the interface VLAN.

Thanks

arupbiet2006 Wed, 10/22/2008 - 23:31

Hi sir,

I have already configured an access list so that vlan10 can access vlan20(ip), vlan30(ip), vlan40(ip), vlan50(ip)... but it is still not working, and the individual VLANs also cannot access the internet.

Kindly help me with how I can do this task.

arupbiet2006 Thu, 10/23/2008 - 00:23

interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/11
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/12
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/13
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 description soc vlan
 ip address 192.168.30.1 255.255.255.0
!

itdsmartnet Thu, 10/23/2008 - 00:37

Hi,

You have to apply the access list to the interface VLAN. You should go to global configuration mode, then to interface vlan 10, then apply the access list there, e.g.

interface vlan 10
 ip access-group
interface vlan 20
 ip access-group

You have to apply it to the SVI interface.

Rate if helpful.

Thanks

tcordier Thu, 10/23/2008 - 04:04

Your config is not correct, you may want to check a site like http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml.

Your entry on VLAN 10 (ip access-group 101 in) actually means that you allow all traffic from 192.168.10.0 to 192.168.10/20/30.0 into VLAN 10. Since this interface will never receive traffic from 192.168.10.0 since this is the subnet of VLAN 10, the statement has no effect.

You need a single entry on each VLAN interface except Vlan 10:

interface Vlan20/30/40/50
 ip address 192.168.xx.1 255.255.255.0
 ip access-group 101 out

access-list 101 permit ip any 192.168.10.0 0.0.0.255

This means only traffic to 192.168.10.0/24 can leave VLAN20. All other traffic is denied (implicit deny at the end of the ACL).

You do not need an ACL on VLAN 10 as VLAN can send and receive to all other VLANs.

HTH, Thomas
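An added example, not part of any post in this thread: a small Python model of router ACL evaluation on SVIs (first match wins, wildcard masks, implicit deny) that computes the one-way reachability matrix produced by the ACL 101 entry quoted above, for either binding direction on the spoke SVIs. The 192.168.40.0/24 and 192.168.50.0/24 subnets, the host address .10 and all function names are assumptions of this example.

```python
import ipaddress

# Constructed addressing: one /24 per VLAN as in the thread (40 and 50 assumed to follow the pattern).
VLANS = {v: ipaddress.ip_network(f"192.168.{v}.0/24") for v in (10, 20, 30, 40, 50)}
HUB = 10  # VLAN 10 carries no ACL

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST'; SRC/DST is 'any' or 'addr wildcard'."""
    tok = line.split()
    specs, rest = [], tok[4:]
    while rest:
        if rest[0] == "any":
            specs.append((0, 0xFFFFFFFF))
            rest = rest[1:]
        else:
            specs.append((int(ipaddress.ip_address(rest[0])), int(ipaddress.ip_address(rest[1]))))
            rest = rest[2:]
    return tok[2], specs[0], specs[1]

def matches(spec, ip):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 mean "don't care"
    return (int(ip) & care) == (addr & care)

def acl_permits(acl, src, dst):
    for action, s, d in acl:
        if matches(s, src) and matches(d, dst):
            return action == "permit"  # first matching entry decides
    return False  # implicit deny at the end of every ACL

def reachable(src_vlan, dst_vlan, acl, direction):
    """One-way check for a routed packet; every spoke SVI has `acl` bound in `direction`."""
    src, dst = VLANS[src_vlan][10], VLANS[dst_vlan][10]
    filtered = (direction == "in" and src_vlan != HUB) or (direction == "out" and dst_vlan != HUB)
    return acl_permits(acl, src, dst) if filtered else True

def matrix(acl, direction):
    return {(s, d): reachable(s, d, acl, direction) for s in VLANS for d in VLANS if s != d}

ACL_101 = [parse_ace("access-list 101 permit ip any 192.168.10.0 0.0.0.255")]

if __name__ == "__main__":
    for direction in ("in", "out"):
        allowed = sorted(pair for pair, ok in matrix(ACL_101, direction).items() if ok)
        print(f"ip access-group 101 {direction}: permitted (src, dst) VLAN pairs = {allowed}")
```

On an SVI, `in` filters packets arriving from hosts in that VLAN and `out` filters packets being routed toward them, so the same entry gives a different matrix depending on the direction it is bound in.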

bineshpsm Thu, 10/23/2008 - 14:51

I think here we can use the concept of Private VLANs. VLAN 10 interface ports should be in promiscuous mode and all the other VLAN ports should be isolated VLANs.

tcordier Thu, 10/23/2008 - 21:43

I agree that it is possible, but it would have the following consequences:

- all VLANs must be reconfigured: VLAN 10 as primary VLAN, and the other VLANs as secondary VLANs

- all hosts in the new Private VLAN configuration will share the same IP subnet

- all hosts in the new Private VLAN configuration will be able to communicate with each other at L3. Private VLANs only provide Layer 2 traffic separation.

We would need to understand in more detail what is needed here to make a choice.

Regards, Thomas
