VLAN communication

Feb 24th, 2009

If I utilize VLANs, all ports are by default a member of VLAN 1, correct? So all devices in the same subnet, connected to an unconfigured port, should be able to ping each other because they are all part of VLAN 1, sound right?

How about the following scenarios:

interface FastEthernet1/0/40
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport mode access
 switchport voice vlan 70
 spanning-tree portfast

Giuseppe Larosa Tue, 02/24/2009 - 13:17

Hello Richard,

The port is still in VLAN 1.

The command that decides the port behavior is:

switchport mode access

so this is a port with data VLAN 1 and voice VLAN 70.

The commands

switchport trunk encapsulation dot1q
switchport trunk native vlan 4

are not effective because the switchport mode is access.

If the mode is changed to trunk, these commands are applied.

You can verify the effective settings with

you can verify the effective settings with

sh int f0/0 switchport

Hope to help

Giuseppe

oneirishpollack Wed, 02/25/2009 - 07:46

So 10.4.4.34/24 and 192.168.2.14/24 are on two different networks. Using VLANs they can communicate if they are on the same VLAN despite the fact that they are on two different networks. Is this correct?

If it is, does VLAN assignment act as routing "control"? Network A can access Network B if they are on the same VLAN?

I have a layer 3 switch, but I cannot really see where the routing control is done for the VLANs. I mean, on a router you would have an ACL to block networks or hosts; on an intranet using VLANs, where would you allow or disallow inter-VLAN communication?

Ex.

I have 3 VLANs: 2, 3, 4

I want hosts in VLAN 4 to be able to communicate with hosts in VLAN 2, and I want hosts in VLAN 3 to communicate with hosts in VLAN 2, but I never want VLAN 3 hosts to communicate (see VLAN 4 traffic) with VLAN 4.

I am sure there is some fundamental understanding I have completely missed, so pardon the ignorance, but please help me understand VLAN routing.

oneirishpollack Wed, 02/25/2009 - 07:50

Update:

I can see where the layer 3 switch knows the VLAN assignments and the related subnets, but can I incorporate ACLs to block traffic from one VLAN to another?

oneirishpollack Wed, 02/25/2009 - 08:45

Update:

Ok...I see an entry like this:

ip access-list extended student
 deny ip 10.4.30.0 0.0.0.255 10.4.4.0 0.0.0.255
 deny ip 10.4.30.0 0.0.0.255 10.4.70.0 0.0.0.255
 permit ip any any

So I can see now that once you have defined your VLANs' related subnets on the layer 3 switch, you add ACEs to disallow traffic from one subnet to another.

Sound correct?

Giuseppe Larosa Wed, 02/25/2009 - 12:51

Hello Richard,

You need a one-to-one correspondence between IP subnets and VLANs.

Then on the SVIs (L3 interfaces) you can apply ACLs to limit IP connectivity between IP subnets.

So your understanding is correct.

Your ACL will block communication from subnet 10.4.30.0/24 to 10.4.4.0/24 and to 10.4.70.0/24.

Hope to help

Giuseppe

arvind.thevendr... Mon, 03/02/2009 - 05:25

Hi,

This is relevant to your first question.

If you change the native VLAN to 4, I am not sure whether the hosts defined without a VLAN sit on VLAN 1. I think they sit on VLAN 4.

Second question: restricting traffic between VLANs.

1) Create the interface VLAN (SVI).

2) Define an IP address for those VLAN interfaces.

3) Point the gateway for the hosts under those VLANs to this VLAN interface IP.

4) To restrict traffic, define an access-list on those VLAN interfaces.
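Worked example, added here and not written by any of the posters above: a small Python model of how an IOS extended ACL like the "student" list quoted earlier is evaluated (wildcard masks, first match wins, implicit deny at the end), and of the SVI-plus-inbound-ACL layout that the four steps above and Giuseppe's reply describe, applied to the earlier VLAN 2/3/4 requirement (VLAN 3 and VLAN 4 may both reach VLAN 2 but never each other). The subnets 10.4.2.0/24, 10.4.3.0/24 and 10.4.4.0/24, the ACL names VLAN3_IN and VLAN4_IN, and the gateway addresses are constructed assumptions, not values from the thread.

```python
# Added example (not from the thread): a model of IOS extended-ACL matching
# and of inbound ACLs on SVIs controlling inter-VLAN routing.
# All VLAN numbers, subnets and ACL names below are constructed.
import ipaddress


def _parse_addr(tokens):
    """Return ((base, wildcard), remaining tokens) for 'any', 'host A.B.C.D'
    or 'A.B.C.D W.W.W.W'. In an IOS wildcard mask, 1 bits are don't-care."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]


def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>' into (action, src, dst)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: " + line)
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError("trailing tokens in ACE: " + line)
    return action, src, dst


def _matches(addr_wild, ip):
    base, wild = addr_wild
    care = ~wild & 0xFFFFFFFF  # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def evaluate(acl, src_ip, dst_ip):
    """First matching ACE wins; no match means the implicit deny at the end."""
    for action, src, dst in acl:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"


# The ACL quoted in the thread, parsed as written.
STUDENT = [parse_ace(l) for l in (
    "deny ip 10.4.30.0 0.0.0.255 10.4.4.0 0.0.0.255",
    "deny ip 10.4.30.0 0.0.0.255 10.4.70.0 0.0.0.255",
    "permit ip any any",
)]

# Constructed one-to-one VLAN/subnet plan (step 1 and 2: one SVI per VLAN).
SVI = {
    2: ipaddress.ip_network("10.4.2.0/24"),
    3: ipaddress.ip_network("10.4.3.0/24"),
    4: ipaddress.ip_network("10.4.4.0/24"),
}

# Step 4: inbound ACL per SVI. Routing is stateless, so each side must block
# the other; VLAN 2 needs no ACL because it may talk to everyone.
INBOUND_TEXT = {
    3: ["deny ip 10.4.3.0 0.0.0.255 10.4.4.0 0.0.0.255", "permit ip any any"],
    4: ["deny ip 10.4.4.0 0.0.0.255 10.4.3.0 0.0.0.255", "permit ip any any"],
}
INBOUND = {v: [parse_ace(l) for l in aces] for v, aces in INBOUND_TEXT.items()}


def inter_vlan(src_ip, dst_ip):
    """Decide a routed flow: the inbound ACL on the source VLAN's SVI is the
    one that sees the packet as it enters the layer 3 switch."""
    src_vlan = next(v for v, net in SVI.items()
                    if ipaddress.ip_address(src_ip) in net)
    acl = INBOUND.get(src_vlan)
    return "permit" if acl is None else evaluate(acl, src_ip, dst_ip)


def render_config():
    """IOS-style lines showing where the control lives: on the SVIs (with the
    .1 address as the hosts' gateway, step 3), not on the access ports."""
    lines = []
    for vlan, aces in INBOUND_TEXT.items():
        lines.append(f"ip access-list extended VLAN{vlan}_IN")
        lines.extend(" " + a for a in aces)
    for vlan, net in SVI.items():
        gateway = net.network_address + 1  # constructed gateway address
        lines.append(f"interface Vlan{vlan}")
        lines.append(f" ip address {gateway} {net.netmask}")
        if vlan in INBOUND_TEXT:
            lines.append(f" ip access-group VLAN{vlan}_IN in")
    return "\n".join(lines)


if __name__ == "__main__":
    print(evaluate(STUDENT, "10.4.30.5", "10.4.4.10"))   # deny
    print(inter_vlan("10.4.3.10", "10.4.4.10"))          # deny
    print(inter_vlan("10.4.3.10", "10.4.2.10"))          # permit
    print(render_config())
```

Two points the model makes visible that are easy to miss in the thread: dropping the final `permit ip any any` from the "student" list turns it into a deny-everything list because of the implicit deny, and blocking VLAN 3 from VLAN 4 on only one SVI still leaves the reverse direction open, since the ACL is evaluated per packet with no connection state.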

Posted February 24, 2009 at 1:09 PM