3520 switch VLANs and inter-VLAN routing

Unanswered Question
Apr 8th, 2009

Dear All,


I have a Cisco 3520 switch. I am creating VLANs 2-10; the first VLAN is available by default.


My servers are in VLAN 1, and I want my users in the other VLANs to communicate only with the servers, i.e. VLAN 1.


Switch ports are assigned to VLANs:

VLAN 1 ip address 192.168.1.1

VLAN 2 ip address 192.168.2.1

VLAN 3 ip address 192.168.3.1

and so on.


Please advise me of a proper solution.


Regards,


Junaid

lamav Wed, 04/08/2009 - 06:50

First, get your servers out of VLAN 1. It is not a good practice to use VLAN 1 for user data. VLAN 1 carries control-plane traffic between switches, and it should be left that way.


Second, you can create an ACL that permits traffic only from the server VLAN and denies all other user traffic originating in other VLANs, and then apply it to all the user VLAN interfaces.


! The wildcard 0.0.0.255 matches the whole 192.168.1.0/24 server subnet;
! with no wildcard, IOS matches only the single host 192.168.1.0.
switch(config)#access-list 10 permit 192.168.1.0 0.0.0.255

switch(config)#interface range vlan 2 - 10

switch(config-if-range)#ip access-group 10 out


There is an implicit "deny" at the end of the ACL.


An access-list applied outbound to a vlan interface is for traffic going TO machines on that vlan.


An access-list applied inbound to a vlan is for traffic coming FROM machines on that vlan.


HTH


Victor

junshah22 Sat, 04/11/2009 - 02:34

Dear Victor,


I applied your commands on my switch, but I am facing a problem.


I moved my servers from VLAN 1 to VLAN 11, but the IP is the same, 192.168.1.1.


Desktop PCs in the other VLANs (2-10) are unable to communicate with the servers in VLAN 11.


Desktops can ping 192.168.1.1, but are unable to ping 192.168.1.17.


I added a default route:

ip route 0.0.0.0 0.0.0.0 192.168.1.0


and an ip default route command:


ip default-gateway 192.168.1.0


but they are still unable to communicate with the servers.


Waiting for your prompt reply.


Thanks,


Junaid

greg.washburn Wed, 04/08/2009 - 06:54

Based on my interpretation of your scenario, you would want to use ACLs on the switch to allow communication from each IP address range to the VLAN 1 address range, allow the VLAN 1 address range to talk to any IP, and block all other communication from the VLAN 2-10 IP address ranges.
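The two ACL designs proposed in this thread (Victor's standard ACL applied outbound on the user VLAN interfaces, and greg.washburn's per-VLAN ACLs that permit only user-to-server traffic) can be checked without a switch by modelling how IOS evaluates them. The block below is an added example, not code from the thread or from Cisco: it reproduces IOS access-list semantics (wildcard masks, first match wins, implicit deny at the end, inbound ACLs filtering traffic from a VLAN's hosts and outbound ACLs filtering traffic to them) and runs both designs against constructed flows. The host addresses, the server VLAN number 11 and the exact entries of the inbound extended ACL are assumptions.

```python
"""Model of how Cisco IOS evaluates the VLAN-interface ACLs proposed in this thread.

Added example, not code from the thread: it reproduces IOS access-list
semantics (wildcard masks, first match wins, implicit deny at the end) on
routed VLAN interfaces (SVIs) and runs the two designs from the replies
against constructed flows. Host addresses and the exact entries of the
inbound extended ACL are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Servers moved to VLAN 11 but kept 192.168.1.0/24, as in the follow-up post.
SERVER_VLAN, USER_VLANS = 11, range(2, 11)
SUBNET = {SERVER_VLAN: IPv4Network("192.168.1.0/24"),
          **{v: IPv4Network(f"192.168.{v}.0/24") for v in USER_VLANS}}


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Wildcard bits set to 1 are 'do not care' bits."""
    action: str
    src: str
    src_wc: str = "0.0.0.0"          # IOS default when no wildcard is typed: a single host
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # standard ACLs ignore the destination entirely


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def vlan_of(addr: str) -> int:
    ip = IPv4Address(addr)
    return next(v for v, net in SUBNET.items() if ip in net)


def route(src: str, dst: str, inbound: dict, outbound: dict) -> str:
    """Forward one packet between SVIs.

    An 'in' ACL on an SVI sees traffic coming FROM hosts on that VLAN; an 'out'
    ACL sees traffic going TO hosts on that VLAN. An SVI with no ACL filters nothing.
    """
    ingress, egress = vlan_of(src), vlan_of(dst)
    if ingress == egress:
        return "permit"  # same VLAN: switched at layer 2, SVI ACLs are never consulted
    if ingress in inbound and evaluate(inbound[ingress], src, dst) == "deny":
        return "deny"
    if egress in outbound and evaluate(outbound[egress], src, dst) == "deny":
        return "deny"
    return "permit"


# access-list 10 as originally posted: no wildcard, so it matches only the host 192.168.1.0.
ACL10_AS_POSTED = [Ace("permit", "192.168.1.0")]
# access-list 10 with a wildcard covering the whole server subnet.
ACL10_FIXED = [Ace("permit", "192.168.1.0", "0.0.0.255")]


def outbound_on_user_svis(acl):
    """Victor's design: one standard ACL applied 'out' on interface range vlan 2 - 10."""
    return {}, {v: acl for v in USER_VLANS}


def inbound_on_user_svis():
    """greg.washburn's variant (entries assumed): an extended ACL 'in' on each user SVI
    permitting only that VLAN's own subnet talking to the server subnet."""
    inbound = {v: [Ace("permit", str(SUBNET[v].network_address), "0.0.0.255",
                       "192.168.1.0", "0.0.0.255")] for v in USER_VLANS}
    return inbound, {}


SERVER, USER_A, USER_B = "192.168.1.17", "192.168.2.10", "192.168.3.10"  # constructed hosts


def results(design) -> dict:
    inbound, outbound = design
    return {"server->user": route(SERVER, USER_A, inbound, outbound),
            "user->server": route(USER_A, SERVER, inbound, outbound),
            "user->user": route(USER_A, USER_B, inbound, outbound)}


if __name__ == "__main__":
    for name, design in [("acl 10 as posted", outbound_on_user_svis(ACL10_AS_POSTED)),
                         ("acl 10 with wildcard", outbound_on_user_svis(ACL10_FIXED)),
                         ("extended acl inbound", inbound_on_user_svis())]:
        print(f"{name:22s} {results(design)}")
```

Running it shows the check a practitioner wants before applying either design. With access-list 10 typed without a wildcard, a user's packet to 192.168.1.17 is still forwarded, but the server's reply is dropped on its way out the user SVI, so every session fails; pings to the SVI address 192.168.1.1 keep working because replies generated by the switch itself are not subject to its interface ACLs. With the 0.0.0.255 wildcard, user-to-server traffic works in both directions and user-to-user traffic is denied at the egress SVI. The inbound extended-ACL variant gives the same allowed set, but drops unwanted user traffic on the ingress SVI before it is routed at all.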
