05-20-2009 12:39 PM - edited 03-06-2019 05:50 AM
Hello,
I have 10 vlans created on a 4500 switch. I don't want intervlan communication; ip routing is enabled. I do not want to use private vlans because I want the switch to be in vtp server mode. SVI access lists will be too long to implement for 10 vlans. Is there a simple and shorter way to enable that restriction?
05-20-2009 01:43 PM
If you have routing enabled, and you have several svi's, all of the traffic will be able to traverse every svi on the switch. You'll need to create an acl for every svi that you want to restrict.
You can use inbound or outbound acls depending on what you want to block, but there's not a shortcut unfortunately.
HTH,
John
05-20-2009 02:15 PM
You can configure VRF-Lite
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/vrf.html
HTH,
__
Edison.
05-20-2009 04:23 PM
Edison,
That's really cool. I'm playing around with it in gns, and it works well.
John
05-20-2009 04:59 PM
If you want no intervlan communication between any vlans just remove the SVI definitions on the vlans and let it run as a layer 2 switch, though I can't imagine any network that doesn't have to be routed for one reason or another. You never have to have devices talk between any of those vlans, or they don't have to be routed anywhere else?
05-22-2009 01:30 AM
In fact the administrator should be able to communicate with any vlans but users not. So inter vlan communication should be enabled on all vlans.
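As an added worked example (not from any post in this thread), here is how John's per-SVI ACL approach can be combined with the requirement above (admin reaches every vlan, users do not reach each other) using a single reusable ACL. The addressing plan is assumed: admin VLAN 100 = 10.1.0.0/24, user VLANs 101-110 = 10.1.1.0/24 to 10.1.10.0/24, all inside 10.1.0.0/16.

```cisco
! Added example, assumed addressing (see lead-in).
! One ACL is applied inbound on every USER SVI; the ADMIN SVI gets no ACL.
ip access-list extended USER-ISOLATION
 remark users may talk to the admin subnet (also covers replies to admin-initiated sessions)
 permit ip any 10.1.0.0 0.0.0.255
 remark drop user-to-user traffic between vlans; intra-vlan traffic is L2 switched and never hits the SVI
 deny   ip any 10.1.0.0 0.0.255.255 log
 remark anything else (default route, servers outside 10.1.0.0/16) is allowed
 permit ip any any
!
interface Vlan100
 description ADMIN
 ip address 10.1.0.1 255.255.255.0
!
interface Vlan101
 description USERS-1
 ip address 10.1.1.1 255.255.255.0
 ip access-group USER-ISOLATION in
!
interface Vlan102
 description USERS-2
 ip address 10.1.2.1 255.255.255.0
 ip access-group USER-ISOLATION in
!
! repeat the same three lines (address plus "ip access-group USER-ISOLATION in") on Vlan103 .. Vlan110
!
! verification after applying: "show ip access-lists USER-ISOLATION" should show hit counts
! climbing on the deny line when a user host tries to reach another user vlan, and
! "show ip interface Vlan101" should list USER-ISOLATION as the inbound access list.
```

Because the admin SVI carries no ACL, admin-to-user sessions enter unfiltered and their replies are matched by the first permit line on the user SVI; only user-to-user crossings between vlans are dropped, which keeps the configuration to one ACL regardless of how many user vlans exist.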
05-22-2009 01:58 AM
You could always take the default gateways off the clients and just use static routes to allow end clients to talk to authorised devices.
Not an elegant way, but would solve your problem.
05-22-2009 07:20 AM
Nice solution, thanks
But
Authorised devices the client should talk to are on the distribution switch and SVIs are created on the distribution switch.
In that case where will the route be applied ? Is it on the access switch or distribution switch?
05-22-2009 11:49 AM
Hi
Just to add, if you are going to remove the default gateway from the clients then make sure that you disable proxy-arp under your SVIs.
Thanks
Mahmood
05-22-2009 12:23 PM
There is no proxy-arp command under svi.
05-22-2009 11:45 AM
Hello,
This will not work because connected routes have an AD of 0 but static routes have an AD of 1, and the switch will use connected routes. With connected routes you need to define a default gateway.