Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VLAN security

I want to connect several hosts (each in a unique VLAN, not VLAN1) to a switch. This switch would be connected to a router used as a gateway to the internet. Question: would this prevent the hosts (VLANS) from communicating as long as there is no trunking protocol running between the switch and router? I don't want them to be able to communicate. I only have one 100 Mbs port on the router. Thanks.

3 REPLIES
Bronze

Re: VLAN security

To answer your question by not running trunking protocol it will prevent communication between hosts on the different vlans.

But if you don't run any trunking protocol between the router and switch then only one vlan will be able to access the router and thus the internet(whatever vlan the port connecting to the router is in).

In order to have all the hosts on different vlans access the internet you will need to trunking from the switch to the router. Then you can use access-lists on the router to prevent the vlans from talking to each other either by hosts ip addresses or by using vlan access-lists.

New Member

Re: VLAN security

Thank you for the reply. My understanding of VLANs was that the frame tagging information was stripped as it was forwarded to the router from the switch then added back when it entered the switch returning to the host. Traffic between the switch and router would be normal ethernet communication. I'm picturing this as a router on a stick since it's a stub network. Thanks.

Bronze

Re: VLAN security

Router on a stick is generally used when you want to use a router to do intervlan routing. Link below has a Router on Stick configuration:

http://www.cisco.com/warp/public/473/50.shtml

Your router is connected to a physical port on the switch, you probably assigned that port to a specific VLAN say VLAN 100. Now only those hosts in that VLAN 100 will be able to communicate with the router. None of the other hosts on different VLANs will be able to reach the router unless you have a layer 3 switch that does the intervlan routing.

97
Views
0
Helpful
3
Replies