Connecting across VLANS on a 4948?

gdwingnuts
Level 1

We are not sure what is going on here. Ultimately I may have to post the config for you to give me an answer. We have a Cisco 4948 and are able to communicate between two networks/two VLANs (172.17.x.x and 192.168.x.x) on our 4948. We do not have inter-VLAN routing enabled. Is there something simple I should check within the config that would cause this?

Thanks,

Charlie.

1 Accepted Solution (NT's final reply, which appears in the thread below)

6 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Do you have any other layer 3 device in the network? What are the default gateways of these two subnets? You might want to check the default gateway device to see if it is doing the routing. If the default gateway is 4948 itself, then issue a "show ip route" to see if the routing is enabled.

Hope this helps.

Regards,

NT

NT,

Below is the core config of our 4948. I omitted the header config, footer config and the interface configs in the interest of time. What is happening is our workstations are on the 172.x.x.x network and they are able to view a web management interface from devices on our 192.168.41.0 VLAN network. We don't want this to happen. I see in the IP DHCP pool config that the DNS server is the same; could this be providing the 172 VLAN access to the 192.168.41.x VLAN?

Thank you,

Charlie

ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
cef table consistency-check IPv4 error-message
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
no ip domain-lookup
ip dhcp excluded-address 172.17.20.0 172.17.20.199
ip dhcp excluded-address 172.17.20.251 172.17.20.255
ip dhcp excluded-address 192.168.41.0 192.168.41.199
ip dhcp excluded-address 192.168.41.251 192.168.41.255
!
ip dhcp pool ALPHA_NETWORK
   network 172.17.20.0 255.255.255.0
   default-router 172.17.20.46
   dns-server 172.17.20.43
!
ip dhcp pool BRAVO_NETWORK
   network 192.168.41.0 255.255.255.0
   default-router 192.168.41.254
   dns-server 172.17.20.43
!
!
no ip bootp server
ip vrf mgmtVrf
!
ip multicast-routing
vtp domain ddte
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
 name DATA_VLAN
!
vlan 20
 name MGMT_VLAN
!
vlan 100
 name EXT_VLAN
!
ip tcp synwait-time 10
ip telnet hidden addresses
!
!
interface Loopback0
 ip address 10.0.0.121 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!INTERFACE CONFIG REMOVED!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description ALPHA_VLAN
 ip address 172.17.20.46 255.255.255.0
 ip pim sparse-dense-mode
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
interface Vlan20
 description BRAVO_VLAN
 ip address 192.168.41.254 255.255.255.0
 ip pim sparse-dense-mode
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
interface Vlan100
 description DELTA_VLAN
 ip address 192.168.50.254 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
!
router eigrp 101
 no auto-summary
 network 10.x.x.x
 network 172.17.x.x
 network 192.168.x.x
 network 192.168.x.x
!
ip local policy route-map NO_TRACEROUTE
no ip http server
no ip http secure-server
!
ip pim send-rp-announce Loopback0 scope 3
ip pim send-rp-discovery Loopback0 scope 3
!
ip access-list extended NO_TRACEROUTE
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
!
no cdp advertise-v2
no cdp run
!
!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hello,

From your configuration, the 4948 is doing routing (you are running EIGRP) and you have included the 172.17.x.x and 192.168.41.x subnets in the routing process. I do not see any rules on the 4948 that are blocking communication between these two VLANs. So, in essence, the 4948 is doing routing between these two VLANs. If you want to block communication between these two VLANs, then you need to configure access-lists and apply them to the VLAN 10 interface.

access-list 199 permit ip host 172.17.20.43 any
access-list 199 deny ip 172.17.20.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 199 permit ip any any
interface vlan 10
 ip access-group 199 in
exit

This will ensure that your DNS server can talk to everybody, anybody else on VLAN 10 cannot talk to VLAN 20, and all other traffic (including internet and to VLAN 100) is permitted from VLAN 10.

Hope this helps.

Regards,

NT
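The ACL above is processed top-down, first match wins, with an implicit "deny" after the last line, so the order of the three entries decides whether the DNS server exception works. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for numbered extended ACLs of the `access-list <n> permit|deny ip <src> <dst>` form, using IOS wildcard-mask semantics, run against ACL 199 exactly as NT posted it. The sample flows (hosts 172.17.20.100, 192.168.41.10, 192.168.50.10) are constructed for the illustration and do not come from the thread.

```python
"""Evaluate an IOS-style numbered extended ACL (ip-only ACEs) against sample
flows: first matching entry wins, and an unmatched packet hits the implicit
deny at the end of every IOS ACL.  Added example, not code from the thread."""
import ipaddress
from typing import List, Optional, Tuple

# ACL 199 as posted in the thread above (applied inbound on interface Vlan10).
ACL_199 = """
access-list 199 permit ip host 172.17.20.43 any
access-list 199 deny ip 172.17.20.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 199 permit ip any any
"""

Target = Tuple[str, str]                  # (base address, wildcard mask)
Ace = Tuple[str, Target, Target]          # (action, source, destination)


def _parse_target(tokens: List[str], i: int) -> Tuple[Target, int]:
    """Consume one src/dst spec ('any', 'host A', or 'A WILDCARD')."""
    tok = tokens[i]
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tok, tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse lines of the form: access-list <number> <permit|deny> ip <src> <dst>."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0].lower() != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        action = tokens[2].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported action: {line}")
        src, i = _parse_target(tokens, 4)
        dst, _ = _parse_target(tokens, i)
        aces.append((action, src, dst))
    return aces


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching line number); line None means the implicit deny."""
    for n, (action, (sb, sw), (db, dw)) in enumerate(aces, start=1):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, n
    return "deny", None


# Constructed sample flows, all sourced on VLAN 10 (where the ACL is applied inbound).
SAMPLE_FLOWS = [
    ("172.17.20.43", "192.168.41.10"),   # DNS server -> VLAN 20 host
    ("172.17.20.100", "192.168.41.10"),  # workstation -> VLAN 20 host
    ("172.17.20.100", "192.168.50.10"),  # workstation -> VLAN 100 host
    ("172.17.20.100", "203.0.113.5"),    # workstation -> internet (TEST-NET-3 address)
]


def decisions(acl_text: str = ACL_199):
    """Map each sample flow to the ACL decision it receives."""
    aces = parse_acl(acl_text)
    return {flow: evaluate(aces, *flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for (src, dst), (action, line) in decisions().items():
        where = f"line {line}" if line else "implicit deny"
        print(f"{src:>14} -> {dst:<14} {action:6} ({where})")
```

Dropping the final `permit ip any any` line (try `decisions("\n".join(ACL_199.strip().splitlines()[:2]))`) makes the VLAN 100 and internet flows fall through to the implicit deny, which is the usual reason an ACL "breaks the internet" after it is applied. Note also that, because the list is applied inbound on Vlan10, it only inspects packets sourced on VLAN 10; a separate list inbound on Vlan20 (or on Vlan100, for the external-network concern raised later in the thread) is needed to filter flows initiated from those VLANs.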

I removed all networks from the EIGRP 101 table except the 10.x.x.x network. I was still able to view our RAID device webpage between 172.17.20.x and 192.168.41.x. The workstation is on 172 and the RAID is on the 192.168.41.x. I must be missing something. I will gladly use the ACL you provided, but the main concern isn't so much internal VLAN crossing; it is more the potential for someone on our external network to gain access to either the VLAN 10 or the VLAN 20 network. Our external network enters on VLAN 100. Take a look at my config once again and see if you see any reason why our VLANs should be communicating. Again, I did remove all of the networks from the EIGRP 101 table except the 10.x.x.x network.

Thanks for your help!

Hello,

Sorry, I was not clear in my earlier post. As soon as you enable routing on the switch (not considering the routing protocol), the switch will include and route between all the subnets it is directly connected to. So, irrespective of whether you have the subnet under EIGRP or not, the routing will still happen (this routing is happening locally). So, the only way to control them is to either disable IP routing (no ip routing) or configure access-lists. If you disable routing, I am afraid some of your other services might suffer (you will not be able to send traffic out to the internet from these VLANs). So, the best solution is to use an access-list on the interface and block the communication.

Hope this helps.

Regards,

NT

Thanks for the support. It looks like ACLs will be the way to go. I appreciate the prompt replies and useful information.

Thanks again!
