Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
963
Views
0
Helpful
3
Replies

3520 switch vlans and inter vlan routing

junshah22
Level 1
Level 1

‎04-08-2009 06:14 AM - edited ‎03-06-2019 05:04 AM

Dear All,

I have a cisco 3520 switch, i am creating vlans 2-10, first vlan is available by default,

My servers are in Vlan 1, and I want that my users in other vlans only communicate with servers i.e. vlan 1

switch ports are assigned to vlans

vlan 1 ip address 192.168.1.1

vlan 2 ip address 192.168.2.1

vlan 3 ip address 192.168.3.1

and so on

please advise me any proper solution,

Regards,

Junaid

Labels:
0 Helpful
3 Replies 3

lamav
Level 8
Level 8

‎04-08-2009 06:50 AM

First, get your servers out of vlan 1. It is not a good practice to use vlan 1 for user data. vlan 1 carries control plane traffic between switches and it should be left that way.

Second, you can create an ACL that permits traffic only from the server vlan and denies all other user traffic originated in other vlans, and then apply it to all the user vlan interfaces.

switch(conf t)#access-list 10 permit 192.168.1.0

switch(conf t)#int range vlan 2 - 10

switch(conf t)#ip access-group 10 out

There is an implicit "deny" at the end of the ACL.

An access-list applied outbound to a vlan interface is for traffic going TO machines on that vlan.

An access-list applied inbound to a vlan is for traffic coming FROM machines on that vlan.

HTH

Victor

0 Helpful

junshah22
Level 1
Level 1
In response to lamav

‎04-11-2009 02:34 AM

Dear Victor,

I applied your commands on my switch,,, but i am facing a problem..

I moved my servers from vlan 1 to vlan 11 but the ip is same 192.168.1.1

Desktop PCs in other vlans (2-10) are unable to communicate with servers in vlan 11

Desktops can ping 192.168.1.1

but unable to ping 192.168.1.17

i added a default route

ip route 0.0.0.0 0.0.0.0 192.168.1.0

and a ip default route command

ip default-gateway 192.168.1.0

but its still unable to communicate with servers,,

WAITING FOR YOUR PROMPT REPLY

THANKS

Junaid

0 Helpful

greg.washburn
Level 1
Level 1

‎04-08-2009 06:54 AM

Based on my interpretation of your scenario you would want to use acls on the switch to allow communication from each ip address range to vlan 1 address range, allow vlan 1 address range to talk to any ip, and block all other communications from vlan 2-10 ip address ranges.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card