Inter vlan routing

robertson.mike
Level 1

My core switch is a 6509-E and my IDF closets have 3750s.

I have a couple of vlans currently setup, that can communicate with each other.

VTP is setup Client/Server where as my core is Server, all IDF's are Client.

What I'm trying to do is create an isolated VLAN.  I want to set up a DHCP scope and use a helper address.  When I plug a client into that VLAN, I want it to get an IP, but not have any other network access.

Is this possible to do without switching to Transparent mode?

If not, what repercussions will I see by switching to transparent mode?

9 Replies

rizwanr74
Level 7

Hi Mike,

You can use a VACL to isolate a VLAN from the rest of the networks; please read the thread below.

https://supportforums.cisco.com/message/3581631#3581631

Please rate helpful post.

thanks

Rizwan Rafeek

rizwanr74
Level 7

Please rate helpful post.

thanks

Why not set up a private VLAN? Although you would need to change that particular switch to transparent mode, since VTP can't pass private VLAN info, it would be the most secure setup. As previously mentioned, a VACL would work too, but it is not as secure.

Sent from Cisco Technical Support iPad App

Tagir Temirgaliyev
Spotlight

Hi,

What is written above is correct, and there is one more simple way:

To create an isolated VLAN, just do not create a default gateway.

Set up a DHCP scope without a default gateway, or use a wrong default gateway.

Then when you plug a client into that VLAN, it will get an IP but not have any other network access.

Also, you can use VTP pruning to protect the isolated VLAN information from being shared with the other VLANs and vice versa....

rizwanr74
Level 7

Hi Mike,

Please rate helpful post, if this has been resolved already.

thanks.

Hari Haran S M
Cisco Employee

Hi Mike,

You can keep the switch as a VTP client and achieve this. Follow the steps below:

=> Configure an access list allowing the IPs that the isolated VLAN has to access [DHCP server]

=> Deny all other traffic in the access list

=> Apply the access list on the SVI interface of that VLAN

Using the above you should be able to isolate the VLAN from accessing the other VLANs.

If you would like to block traffic between hosts in the same VLAN, then you can use a VLAN access map [VACL].

Hope this helps!!!
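The three steps above, plus the VACL that this reply and rizwanr74's earlier reply mention for host-to-host traffic inside the VLAN, written out as one IOS configuration. This is an added example, not configuration from anyone in the thread or from Cisco documentation. Every value in it is assumed: VLAN 30 as the isolated VLAN, 198.51.100.0/24 as its subnet, 192.0.2.10 as the DHCP server, and the names ISOLATED-IN, DHCP-ONLY and ISOLATED-MAP.

```cisco
! Added example: isolate VLAN 30 while still relaying DHCP to a server in another VLAN.
! Assumed values: VLAN 30, subnet 198.51.100.0/24, DHCP server 192.0.2.10,
! ACL names ISOLATED-IN and DHCP-ONLY, access-map name ISOLATED-MAP.
!
! Steps 1 and 2: permit only what the isolated hosts need (DHCP), deny the rest.
! Clients send DISCOVER/REQUEST as a broadcast (0.0.0.0 -> 255.255.255.255) and
! later renew with a unicast to the server, so both UDP 68 -> 67 forms are permitted.
ip access-list extended ISOLATED-IN
 remark DHCP from clients: broadcast (relayed by ip helper-address) and unicast renew
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp any eq bootpc host 192.0.2.10 eq bootps
 remark everything else sourced from this VLAN is dropped (written out so the counter is visible)
 deny ip any any
!
! Step 3: apply the list inbound on the SVI; the helper address still relays the permitted DHCP.
interface Vlan30
 description Isolated VLAN (assumed)
 ip address 198.51.100.1 255.255.255.0
 ip helper-address 192.0.2.10
 ip access-group ISOLATED-IN in
!
! Optional VACL so that hosts inside VLAN 30 cannot reach each other either.
! A VACL is also checked on traffic bridged within the VLAN, so it must permit
! both DHCP directions; everything else that matches as IP is dropped.
! Non-IP frames such as ARP are not matched by an IP ACL and still pass; a
! "match mac address" entry would be needed to drop those as well.
ip access-list extended DHCP-ONLY
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
!
vlan access-map ISOLATED-MAP 10
 match ip address DHCP-ONLY
 action forward
vlan access-map ISOLATED-MAP 20
 action drop
!
vlan filter ISOLATED-MAP vlan-list 30
!
! Checks after a client is plugged into VLAN 30:
!   show ip access-lists ISOLATED-IN      (deny counter rises on any non-DHCP attempt)
!   show ip dhcp snooping binding          (if DHCP snooping is enabled, the lease appears here)
!   show vlan access-map ISOLATED-MAP
!   show vlan filter
```

Because the SVI ACL only sees packets that leave the VLAN through the gateway, it needs no VTP change at all, which answers the original question; the VACL is the only part that is VLAN-specific, and it is configured on the switch that carries the VLAN, not distributed by VTP.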

Sandeep Choudhary
VIP Alumni

Hi Mike,

Hope this answers your question:

I am using it like this:

Core switch config:
service password-encryption
!
hostname nnXCI001
!
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
username xxxxx


switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750v2-48ts

system mtu routing 1500

vtp domain location

vtp mode transparent

ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name xxx.xxxx.com
no ip dhcp use vrf connected

!
!
ip dhcp snooping vlan 21-26
ip dhcp snooping
!
spanning-tree mode mst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree uplinkfast
!
spanning-tree mst configuration
 name location
 revision 1
 instance 1 vlan 1, 21-26
!
spanning-tree mst 0-1 priority 24576
spanning-tree vlan 1,21-26 priority 24576
!
vlan internal allocation policy ascending
!
vlan 7
 name FW-Transfer
!
vlan 21
 name Data_VLAN21
!
vlan 22
 name Data_VLAN22
!
vlan 23
 name Data_VLAN23
!
vlan 24
 name Data_VLAN24
!
vlan 25
 name Data_VLAN25
!
vlan 26
 name Data_VLAN26

!
ip tftp source-interface Vlan1
ip ssh version 2
!
! ... (other configuration omitted) ...
!
! all ports
!
interface FastEthernet0/1
 description **** DHCP 10.xx.21.1 server ****
 ip dhcp snooping trust
!
! ... (remaining port configuration omitted) ...
!

interface Vlan1
 ip address 10.xx.1.1 255.255.255.0
!
interface Vlan7
 ip address 10.xx.7.1 255.255.255.0
!
interface Vlan21
 ip address 10.xx.21.254 255.255.255.0
!
interface Vlan22
 ip address 10.xx.22.254 255.255.255.0
 ip helper-address 10.XX.21.1
!
interface Vlan23
 ip address 10.xx.23.254 255.255.255.0
 ip helper-address 10.XX.21.1
!
interface Vlan24
 ip address 10.xx.24.254 255.255.255.0
 ip helper-address 10.XX.21.1
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.xx.7.254
no ip http server
ip http authentication local
ip http secure-server

!

end

This is just an example.

Maybe you can use it like this.

Regards

Please rate if it helps.
