04-07-2003 09:12 AM - edited 03-02-2019 06:27 AM
Hi to all,
I've a question.
I have a customer who wants to configure a 3550-24 with EMI installed (121-13.EA1) in this way:
a) on the port 1 will be connected a router to the WAN
b) port 2 to port 16 will be connected to VLAN1
c) port 17 to port 24 will be connected to VLAN2
d) no connection on the GE ports (no uplink/downlink)
e) the users on VLAN1 should be able to go outside (WAN)
f) the users on VLAN2 should be able to go outside (WAN)
g) the users on the VLAN1 must be isolated ( no communication with VLAN2)
Is it possible to do that ?
Many thanks in advance..
/Luigi
04-07-2003 11:39 AM
Yes, use extended access lists on the input of each vlan that deny traffic going between the ip networks of the two vlans. Something like
int vlan1
ip address 1.1.1.1 255.255.255.0
ip access-group 101 in
int vlan2
ip addr 2.2.2.1 255.255.255.0
ip access-group 102 in
access-list 101 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 102 permit ip any any
04-08-2003 07:29 AM
Hi Richard,
As suggested, I used the following configuration (test).
Could you please check if something is wrong?
My best regards
/Luigi
Current configuration : 3202 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname TEST
!
enable secret
!
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/3
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/4
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/5
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/7
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/8
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/9
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/10
switchport access vlan 20
!
interface FastEthernet0/11
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/12
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/13
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/14
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/15
switchport access vlan 20
!
interface FastEthernet0/16
switchport access vlan 20
switchport mode access
no ip address
!
interface FastEthernet0/17
switchport access vlan 30
switchport mode access
no ip address
!
interface FastEthernet0/18
switchport access vlan 30
switchport mode access
no ip address
!
interface FastEthernet0/19
switchport access vlan 30
switchport mode access
no ip address
!
interface FastEthernet0/20
switchport access vlan 30
!
interface FastEthernet0/21
switchport access vlan 30
switchport mode access
no ip address
!
interface FastEthernet0/22
switchport access vlan 30
switchport mode access
no ip address
!
interface FastEthernet0/23
switchport access vlan 30
switchport mode access
no ip address
!
interface FastEthernet0/24
switchport access vlan 30
switchport mode access
no ip address
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!
interface Vlan20
ip address 10.10.10.1 255.255.255.0
ip access-group 101 in
!
interface Vlan30
ip address 10.20.20.1 255.255.255.0
ip access-group 102 in
!
router rip
network 0.0.0.0
!
no ip classless
ip http server
!
!
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip any any
04-07-2003 03:47 PM
Personally, I would be inclined to create a third vLAN and assign port 1 to that so that you are routing purely through the vLANs and using the physical interfaces as layer 2 interfaces assigned to their appropriate vLANs.
The other thing is that I would deploy vLAN ACLs (VACLs) rather than traditional ACLs because that would vastly increase the overall performance of the switch.
Have a look at
or else do a search on "vlan ACLs"
04-08-2003 07:50 AM
It looks right as far as blocking traffic between hosts on vlan20 and vlan30. The problem is your uplink to the internet router is in vlan 20. vlan30 hosts should still be able to reach the internet because in the process they are never talking to a vlan20 address, just passing through. But they will not be able to ping the internet router's interface that is on port 1 of the switch because it is a vlan20 address. L.Druett's suggestion for the 3rd vlan would solve that. He also suggested vlan acls which I'm not familiar with and may be an improvement. Although it sounds like a small installation where the internet uplink is going to be the bottleneck.
04-08-2003 08:06 AM
That sounds good because all of the hosts (in both vlans) will be able to get outside (internet or WAN) and at the same time, they will never be able to reach/telnet the internet router....
Am I right? And what about the traffic incoming from the WAN link?
Many thanks in advance.
/Luigi
PS: due to a temporary lack of postsales engineers at my company, I'm on duty after 5 years without playing with network devices, so forgive me for any mistake.
04-08-2003 08:22 AM
The users in vlan20 will be able to reach the wan router using the vlan20 address and both vlans can reach its wan address. If you want to control telnet access to the router, use an access list and apply it as an access class to the VTY lines.
! first identify the addresses that can telnet to the router, if there are any
access-list 103 permit tcp host x.x.x.x any eq telnet
! then block everyone else
access-list 103 deny ip any any
! then apply it
line vty 0 15
access-class 103 in
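The following is an added example, not code from the thread or from Cisco: a small Python model of IOS numbered-ACL matching (wildcard masks, `host`/`any`, `eq` port, first-match-wins, implicit deny) used to check what the access lists posted above actually decide for the scenarios discussed: isolation between vlan20 and vlan30, reachability of the WAN, the caveat that vlan30 hosts cannot reach the WAN router's vlan20 address, and the VTY access-class. All host addresses (10.10.10.20, 10.20.20.20, the router at 10.10.10.2, the admin host 10.10.10.50 standing in for the post's `x.x.x.x`, and the internet host 198.51.100.10) are constructed for the example.

```python
from ipaddress import IPv4Address

# Constructed copies of the access lists posted in the thread. ACL 103 uses
# the hypothetical admin host 10.10.10.50 in place of the post's x.x.x.x.
ACL_TEXT = """
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 permit tcp host 10.10.10.50 any eq telnet
access-list 103 deny ip any any
"""

PORT_NAMES = {"telnet": 23, "ssh": 22}


def _addr_spec(tokens, i):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns (network_int, wildcard_int, index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    return int(IPv4Address(tok)), int(IPv4Address(tokens[i + 1])), i + 2


def parse_acls(text):
    """Parse numbered extended ACL lines into {number: [entry, ...]}, in order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        src, src_wild, i = _addr_spec(t, 4)
        dst, dst_wild, i = _addr_spec(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1])
            if dport is None:
                dport = int(t[i + 1])
        acls.setdefault(number, []).append(
            (action, proto, src, src_wild, dst, dst_wild, dport))
    return acls


def _matches(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return (int(IPv4Address(addr)) | wildcard) == (network | wildcard)


def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL top-down; the first matching entry decides. No match at
    all falls through to the implicit deny IOS appends to every ACL."""
    for action, p, net_s, w_s, net_d, w_d, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (_matches(src, net_s, w_s) and _matches(dst, net_d, w_d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def decisions():
    """Run the thread's scenarios against the ACLs (all hosts are constructed)."""
    acls = parse_acls(ACL_TEXT)
    vlan20_host, vlan30_host = "10.10.10.20", "10.20.20.20"
    wan_router = "10.10.10.2"       # WAN router on port 1, i.e. a vlan20 address
    admin_host = "10.10.10.50"      # the only host allowed to telnet (ACL 103)
    internet_host = "198.51.100.10"
    return {
        # inbound on interface Vlan20 (ACL 101)
        "vlan20_to_vlan30": evaluate(acls[101], "icmp", vlan20_host, vlan30_host),
        "vlan20_to_wan": evaluate(acls[101], "tcp", vlan20_host, internet_host, 80),
        # inbound on interface Vlan30 (ACL 102)
        "vlan30_to_wan": evaluate(acls[102], "tcp", vlan30_host, internet_host, 80),
        # the caveat from the thread: the router's own interface is a vlan20 address
        "vlan30_to_wan_router_vlan20_addr": evaluate(acls[102], "icmp", vlan30_host, wan_router),
        # access-class 103 on the router's VTY lines
        "vty_telnet_from_admin": evaluate(acls[103], "tcp", admin_host, wan_router, 23),
        "vty_telnet_from_other": evaluate(acls[103], "tcp", vlan20_host, wan_router, 23),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:36s} {verdict}")
```

Running it shows the two VLAN ACLs permit both VLANs out to the internet while denying host-to-host traffic between them, and that the same deny in ACL 102 is what stops vlan30 hosts from reaching the router's vlan20 address, which is why moving port 1 into its own VLAN removes that side effect. The model only covers the entry syntax used in this thread (no `established`, ranges or named ports beyond telnet/ssh).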
04-08-2003 08:29 AM
Many many thanks.
My Best regards
/Luigi