3550 VLAN and L3

ldionisio (Level 1)

Hi to all,

I have a question.

I have a customer who wants to configure a 3550-24 with EMI installed (121-13.EA1) in this way:

a) a router to the WAN will be connected on port 1

b) ports 2 to 16 will be connected to VLAN1

c) ports 17 to 24 will be connected to VLAN2

d) no connection on the GE ports (no uplink/downlink)

e) the users on VLAN1 should be able to go outside (WAN)

f) the users on VLAN2 should be able to go outside (WAN)

g) the users on VLAN1 must be isolated (no communication with VLAN2)

Is it possible to do that?

Many thanks in advance..

/Luigi


rjackson (Level 5)

Yes, use extended access lists on the input of each VLAN that deny traffic going between the IP networks of the two VLANs. Something like:

int vlan1
 ip address 1.1.1.1 255.255.255.0
 ip access-group 101 in
int vlan2
 ip addr 2.2.2.1 255.255.255.0
 ip access-group 102 in

access-list 101 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 102 permit ip any any

Hi Richard,

As suggested, I used the following (test) configuration.

Could you please check if something is wrong?

My best regards

/Luigi

Current configuration : 3202 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname TEST
!
enable secret
!
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/5
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/7
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/8
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/9
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/10
 switchport access vlan 20
!
interface FastEthernet0/11
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/12
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/13
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/14
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/15
 switchport access vlan 20
!
interface FastEthernet0/16
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/17
 switchport access vlan 30
 switchport mode access
 no ip address
!
interface FastEthernet0/18
 switchport access vlan 30
 switchport mode access
 no ip address
!
interface FastEthernet0/19
 switchport access vlan 30
 switchport mode access
 no ip address
!
interface FastEthernet0/20
 switchport access vlan 30
!
interface FastEthernet0/21
 switchport access vlan 30
 switchport mode access
 no ip address
!
interface FastEthernet0/22
 switchport access vlan 30
 switchport mode access
 no ip address
!
interface FastEthernet0/23
 switchport access vlan 30
 switchport mode access
 no ip address
!
interface FastEthernet0/24
 switchport access vlan 30
 switchport mode access
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan20
 ip address 10.10.10.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan30
 ip address 10.20.20.1 255.255.255.0
 ip access-group 102 in
!
router rip
 network 0.0.0.0
!
no ip classless
ip http server
!
!
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip any any

L.Druett (Level 1)

Personally, I would be inclined to create a third VLAN and assign port 1 to that, so that you are routing purely through the VLANs and using the physical interfaces as layer 2 interfaces assigned to their appropriate VLANs.

The other thing is that I would deploy VLAN ACLs (VACLs) rather than traditional ACLs, because that would vastly increase the overall performance of the switch.

Have a look at

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008007e701.html

or else do a search on "vlan ACLs".

It looks right as far as blocking traffic between hosts on vlan20 and vlan30. The problem is that your uplink to the internet router is in vlan20. vlan30 hosts should still be able to reach the internet, because in the process they are never talking to a vlan20 address, just passing through. But they will not be able to ping the internet router's interface that is on port 1 of the switch, because it is a vlan20 address. L.Druett's suggestion of the 3rd VLAN would solve that. He also suggested VLAN ACLs, which I'm not familiar with and which may be an improvement, although it sounds like a small installation where the internet uplink is going to be the bottleneck.

That sounds good, because all of the hosts (in both VLANs) will be able to go outside (internet or WAN) and at the same time they will never be able to reach/telnet the internet router....

Am I right? And what about the traffic incoming from the WAN link?

Many thanks in advance.

/Luigi

PS: due to a temporary lack of a postsales engineer at my company, I'm on duty after 5 years without playing with network devices, so forgive me for any mistake.

The users in vlan20 will be able to reach the WAN router using the vlan20 address, and both VLANs can reach its WAN address. If you want to control telnet access to the router, use an access list and apply it as an access class to the VTY lines.

! first identify the addresses that can telnet to the router, if there are any
access-list 103 permit tcp host x.x.x.x any eq telnet
! then block everyone else
access-list 103 deny ip any any
! then apply it
line vty 0 15
 access-class 103 in
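As an added example (not code from this thread or from Cisco), a small Python audit that checks a config like the one posted above for the three points raised in the thread: ports that set an access VLAN without `switchport mode access` (Fa0/10, Fa0/15 and Fa0/20 in the posted config, which leaves those ports' trunking mode at its default), each SVI's inbound ACL denying the other VLAN's subnet, and an access-class on the VTY lines. The config embedded in the script is a constructed excerpt using the thread's addresses, not the full posted configuration.

```python
import ipaddress
import re
# Constructed sample in the thread's style: Fa0/10 as posted, both SVIs, the ACLs, bare VTY lines.
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 switchport access vlan 20
interface Vlan20
 ip address 10.10.10.1 255.255.255.0
 ip access-group 101 in
interface Vlan30
 ip address 10.20.20.1 255.255.255.0
 ip access-group 102 in
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip any any
line vty 0 15
"""

def parse(cfg):
    blocks, acls, cur = {}, {}, None
    for raw in cfg.splitlines():
        if raw.startswith("access-list "):  # numbered ACL entry: keep the rule text by ACL number
            acls.setdefault(raw.split()[1], []).append(raw.split(" ", 2)[2])
        elif raw and not raw[0].isspace() and raw != "!":  # unindented line starts a new block
            blocks[(cur := raw.strip())] = []
        elif raw.strip() and cur:  # indented line belongs to the current interface/line block
            blocks[cur].append(raw.strip())
    return blocks, acls

def audit(cfg):
    blocks, acls = parse(cfg)
    findings, svis = [], {}  # svis: header -> (network, inbound ACL number or None)
    for hdr, lines in blocks.items():
        text = " ".join(lines)
        if "switchport access vlan" in text and "switchport mode access" not in lines:
            findings.append(f"{hdr}: access VLAN set but DTP left at default")
        if hdr.startswith("line vty") and "access-class" not in text:
            findings.append(f"{hdr}: no access-class on VTY")
        ip = re.search(r"ip address (\S+) (\S+)", text)
        acl = re.search(r"ip access-group (\S+) in", text)
        if ip and hdr.startswith("interface Vlan"):
            svis[hdr] = (ipaddress.ip_network(f"{ip[1]}/{ip[2]}", strict=False), acl and acl[1])
    for hdr, (net, acl) in svis.items():  # each SVI's ACL must deny traffic to every other SVI subnet
        for other, (onet, _) in svis.items():
            rule = f"deny ip {net.network_address} {net.hostmask} {onet.network_address} {onet.hostmask}"
            if other != hdr and rule not in acls.get(acl, []):
                findings.append(f"{hdr}: ACL {acl} does not deny {net} -> {onet}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags Fa0/10 and the unprotected VTY lines; the cross-VLAN deny check is clean for the posted ACLs and only reports if one of the deny entries is missing.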

Many many thanks.

My best regards

/Luigi
