02-24-2009 01:09 PM - edited 03-06-2019 04:13 AM
If I utilize VLANs, all ports are by default a member of VLAN 1, correct? So all devices in the same subnet, connected to an unconfigured port, should be able to ping each other because they are all part of VLAN 1, sound right?
How about the following scenarios:
interface FastEthernet1/0/40
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport mode access
 switchport voice vlan 70
 spanning-tree portfast
02-24-2009 01:17 PM
Hello Richard,
the port is still in vlan 1:
the command that decides the port behavior is:
switchport mode access
so this is a port with data vlan 1 and voice vlan 70.
the commands
switchport trunk encapsulation dot1q
switchport trunk native vlan 4
are not effective because the switchport mode is access.
if the mode is changed to trunk these commands are applied.
you can verify the effective settings with
sh int f0/0 switchport
Hope to help
Giuseppe
02-24-2009 04:44 PM
Good post Giuseppe!
02-25-2009 07:46 AM
So 10.4.4.34/24 and 192.168.2.14/24 are on two different networks. Using VLANs they can communicate if they are on the same VLAN despite the fact that they are on two different networks. Is this correct?
If it is, does VLAN assignment act as routing "control"? Network A can access Network B if they are on the same VLAN?
I have a layer 3 switch, but I cannot really see where the routing control is done for the VLANs. I mean, on a router you would have an ACL to block networks or hosts; on an intranet using VLANs, where would you allow or disallow inter-VLAN communication?
Ex.
I have 3 VLANS 2,3,4
I want hosts in VLAN 4 to be able to communicate with hosts in VLAN 2, and I want hosts in VLAN 3 to communicate with hosts in VLAN 2, but I never want VLAN 3 hosts to communicate (see VLAN 4 traffic) with VLAN 4.
I am sure there is some fundamental understanding I have completely missed, so pardon the ignorance, but please help me understand vlan routing.
02-25-2009 07:50 AM
Update:
I can see where the layer 3 switch knows the VLAN assignments and the related subnets, but can I incorporate ACLs to block traffic from one VLAN to another?
02-25-2009 08:45 AM
Update:
Ok...I see an entry like this:
ip access-list extended student
 deny ip 10.4.30.0 0.0.0.255 10.4.4.0 0.0.0.255
 deny ip 10.4.30.0 0.0.0.255 10.4.70.0 0.0.0.255
 permit ip any any
So I can see now that once you have defined your VLANs' related subnets on the layer 3 switch, you add ACEs to disallow traffic from one subnet to another.
Sound correct?
02-25-2009 12:51 PM
Hello Richard,
You need a one-to-one correspondence between IP subnets and VLANs.
Then on the SVIs (L3 interfaces) you can apply ACLs to limit IP connectivity between IP subnets.
So your understanding is correct.
Your ACL will block communication from subnet 10.4.30.0/24 to 10.4.4.0/24 and to 10.4.70.0/24.
Hope to help
Giuseppe
03-02-2009 05:25 AM
Hi,
This is relevant to your first question.
If you change the native VLAN to 4, I am not sure whether the hosts defined without a VLAN sit on VLAN 1. I think they sit on VLAN 4.
Second question: Restricting traffic between VLAN's.
1) Create the interface VLANs (SVIs).
2) Define an IP address for each of those VLAN interfaces.
3) Point the gateway of the hosts in each VLAN to that VLAN interface's IP.
4) To restrict traffic, define an access-list on those VLAN interfaces.
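The four steps above, worked through for the three-VLAN policy Richard asked about (VLAN 3 and VLAN 4 may each reach VLAN 2, but never each other). This is an added example for a Catalyst L3 switch, not configuration from this thread; the subnets 10.4.2.0/24, 10.4.3.0/24 and 10.4.4.0/24 for VLANs 2, 3 and 4 are assumed, since the thread does not give them.

```ios
! Added example (not from the thread). Subnets for VLANs 2/3/4 are assumed.
ip routing
!
vlan 2
 name servers
vlan 3
 name students
vlan 4
 name staff
!
! Traffic entering the switch from VLAN 3: block only the VLAN 4 subnet.
! ACEs are evaluated top down, first match wins, and an unlisted packet
! hits the implicit deny at the end, hence the closing permit.
ip access-list extended VLAN3-IN
 deny   ip 10.4.3.0 0.0.0.255 10.4.4.0 0.0.0.255
 permit ip any any
!
! Mirror the rule on VLAN 4. Without it, TCP from VLAN 4 to VLAN 3 would
! still fail (the replies are dropped by VLAN3-IN), but one-way UDP or
! ICMP from VLAN 4 hosts could still reach VLAN 3.
ip access-list extended VLAN4-IN
 deny   ip 10.4.4.0 0.0.0.255 10.4.3.0 0.0.0.255
 permit ip any any
!
! Step 1 and 2: one SVI per VLAN, one subnet per VLAN.
interface Vlan2
 ip address 10.4.2.1 255.255.255.0
!
interface Vlan3
 ip address 10.4.3.1 255.255.255.0
 ip access-group VLAN3-IN in
!
interface Vlan4
 ip address 10.4.4.1 255.255.255.0
 ip access-group VLAN4-IN in
!
! Step 3: hosts in VLAN 3 use 10.4.3.1 as default gateway, VLAN 4 hosts use 10.4.4.1.
! Verify with: show ip access-lists   and   show ip interface vlan 3
```

"in" on an SVI means packets arriving from the hosts of that VLAN, so the deny is written with that VLAN's subnet as the source. Intra-VLAN traffic never crosses the SVI, so these ACLs do not affect hosts talking within their own VLAN.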