Routing Traffic

nasr.khan
Level 1

Hi

I am not able to make this work. All traffic from VLAN 75 should be routed to the Internet via AP#5.
VLAN 75 should not communicate with other VLANs on the network. VLAN 75 should be propagated to all connected user switches so the VLAN can be defined on wired ports. Users on VLAN 75 should get an IP from AP#5.


AP#5 is connected to the 4506 on port fa 0/10

## Configuration on 4506

vlan 10
interface vlan 10
 ip address 192.168.1.1 255.255.255.0

vlan 11
interface vlan 11
 ip address 192.168.2.1 255.255.255.0

vlan 12
interface vlan 12
 ip address 10.10.10.1 255.255.254.0

vlan 13
interface vlan 13
 ip address 10.10.20.1 255.255.254.0

! define L2 vlan 75 only (no SVI)
vlan 75
 name Vlan75

interface fa 0/10
 switchport mode access
 switchport access vlan 75

! area 0 assumed; the post omitted the OSPF area
router ospf 5
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 10.10.10.0 0.0.1.255 area 0
 network 10.10.20.0 0.0.1.255 area 0

## Configuration on 2960

interface fa 0/1
 switchport mode access
 switchport access vlan 75

interface fa 0/2
 switchport mode access
 switchport access vlan 75

interface giga 1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk

When I created an L3 SVI for Vlan75, it could communicate with other VLANs, which I don't want.

Any help?


4 Replies

Giuseppe Larosa
Hall of Fame

Hello Nasr,

>> When I created an L3 SVI for Vlan75, it could communicate with other VLANs, which I don't want.

If you don't want devices in broadcast domain VLAN 75 to communicate with other VLANs, you simply don't need to configure the L3 object SVI Vlan75.

If you want the switch to have an IP address to test whether AP#5 is working, you can take advantage of the VRF-lite concept:

ip vrf Guest
 rd 100:110
 route-target both 100:110
!
interface vlan 75
 ip vrf forwarding Guest
 ip address dhcp
 no shut

You can then check IP connectivity using

ping vrf Guest <destination address>

The VRF provides total isolation from other SVI interfaces that are part of the global routing table.

Hope to help

Giuseppe

IP reachability is working, thank you sir.

It is a must to use VRF.

Hello Nasr,

>> It is a must to use VRF.

It can also be done with IP ACLs applied on the SVI, but the VRF is a more elegant solution and ensures isolation over time.

If using an ACL and it is modified by mistake, communication with other VLANs can be permitted.

If you use a VRF, a specific configuration is needed to allow communication with the global routing table; for this reason using a VRF is safer.

Hope to help

Giuseppe

Thanks, I will start with VRF.

For the ACL, is this all that is needed? I tested it in the lab but it doesn't work.

interface Vlan75
 description W_VLAN
 ip address 192.168.212.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly

ip access-list extended W-ACL
 deny ip any 192.168.1.0 0.0.0.255
 deny ip any 192.168.2.0 0.0.0.255
 deny ip any 192.168.3.0 0.0.0.255
 deny ip any 10.10.10.0 0.0.0.255
 deny ip any 10.10.20.0 0.0.0.255
 permit ip any any

interface vlan30
 ip access-group W-ACL in
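A check worth running against the ACL above, as an added example that is not from the thread: the W-ACL entries use 0.0.0.255 wildcards, but VLAN 12 and VLAN 13 on the 4506 are /23 subnets, so the upper /24 of each is still caught by `permit ip any any`. The script evaluates the posted entries with IOS wildcard semantics (first match wins, implicit deny at the end) and reports which SVI subnets a VLAN 75 host can still reach; the probe source 192.168.212.2 is an assumed host on the Vlan75 SVI, and the script does not model which interface the ACL is bound to.

```python
import ipaddress
# Constructed copy of the W-ACL entries as posted in the thread.
W_ACL = """
deny ip any 192.168.1.0 0.0.0.255
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
deny ip any 10.10.10.0 0.0.0.255
deny ip any 10.10.20.0 0.0.0.255
permit ip any any
"""
# SVI subnets configured on the 4506 (VLAN 12 and 13 carry a /23 mask).
SVI_NETWORKS = ["192.168.1.0/24", "192.168.2.0/24", "10.10.10.0/23", "10.10.20.0/23"]

def _take_address(tokens):
    """Consume 'any' or '<address> <wildcard>'; return ((addr, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wildcard), tokens[2:]

def parse_acl(text):
    """Parse '<deny|permit> ip <src> <dst>' lines into (permit, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()  # protocol ('ip') is not evaluated here
        src, rest = _take_address(rest)
        dst, _ = _take_address(rest)
        entries.append((action == "permit", src, dst))
    return entries

def matches(spec, ip):
    """IOS wildcard semantics: a 1 bit means 'don't care', a 0 bit must match exactly."""
    addr, wildcard = spec
    care = wildcard ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def permitted(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny at the end."""
    for permit, s, d in acl:
        if matches(s, src) and matches(d, dst):
            return permit
    return False

def leaks(acl, networks, src="192.168.212.2"):
    """Probe one host in every /24 of each SVI subnet; return those the ACL still permits."""
    return [str(sub.network_address + 1)
            for net in networks
            for sub in ipaddress.ip_network(net).subnets(new_prefix=24)
            if permitted(acl, src, str(sub.network_address + 1))]
```

Running `leaks(parse_acl(W_ACL), SVI_NETWORKS)` returns the 10.10.11.x and 10.10.21.x halves, which a 0.0.1.255 wildcard (as already used in the OSPF network statements) would cover.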
