I have a VLAN that I do not want any other VLAN to have access to. This VLAN is spread across 2 external sites via T1. How can I make my 3725 router not route between my other VLANs and the one in question?
Thank you in advance!
You need to implement VACLs; check out this link.
Thanks for your help, EdisonOrtiz. This document does not seem to cover the 3700 series routers. I am unable to complete any of these commands. Any thoughts?
I'm sorry, I read too fast; I thought you were talking about a 3750 switch.
You will need to implement PBR (Policy Based Routing).
Can you give us a quick network layout of what you want to do?
I have 5 locations with P2P T1s to our main location. I have created a new VLAN at our main location (1) and location number (3). What I need to do is have VLAN 54 in locations 1 and 3, and I'm using the 3725 router to route across the T1 line. I would not like any other VLAN or location, pretty much any other piece of equipment, to be able to talk to VLAN 54 other than what is in the VLAN 54 subnets. Again, I really appreciate the help.
Are you routing or bridging this VLAN? I'm a little confused when you mention having VLAN 54 in two separate locations.
It seems that you are routing with the other 5 locations; therefore you can't bridge and route IP on the same router.
So you can't extend this VLAN over the T1 as you stated in your initial post; you will have to route it.
You can protect this VLAN on the hub location by connecting it to fa0/1 on the 3725 Router (I believe you are already using fa0/0 for the rest of the networks) and implement the necessary ACLs.
Will you please explain your connectivity and configuration in detail?
If you use router-on-a-stick for the inter-VLAN communication, then you can use an access list for the particular hosts that should communicate with the VLAN.
I have 35 hosts connected to a 4506 switch. I need these hosts to be separated from the rest of the network. I also will have 7 hosts in another location, already connected via T1 to a serial interface on our 3725 router. I created a VLAN on the 4506. As soon as I created a subinterface on the router, everyone can connect to that VLAN. I am trying to restrict that so that it only goes over the T1 to the other location with the same VLAN.
1) Create a layer 2 vlan in the 4506 switch for those 35 hosts.
2) The router has 2 LAN ports. Connect the second LAN port to a port on that VLAN and assign an IP, this will be the default gateway for hosts on that VLAN.
3) Create ACLs on that fastethernet interface, example:
ip access-group 101 in
access-list 101 permit ip [remote VLAN] [siteA VLAN]
4) Do the same at the other end.
Please rate helpful posts.
Thanks EdisonOrtiz, I applied the following config changes but can still ping an IP address in this subnet from my workstation in another subnet. What am I doing wrong? I used a subinterface of fa0/0:
access-list 154 permit ip 10.83.0.64 0.0.0.63 10.83.0.0 0.0.0.63
encapsulation dot1Q 54
ip address 10.83.0.1 255.255.255.192
ip access-group 154 in
no ip route-cache
on that interface, and also turn on debugging against ACL 154 to see if it's going through the ACL.
You don't have fa0/1 available for this VLAN?
No, I do not have int fa0/1 available. I tried no ip route-cache and also debug ip packet 154 detail, and I didn't see anything come through.
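The thread turns on which packets an access-group on the VLAN 54 subinterface actually inspects: an ACL applied "in" on a subinterface is evaluated only on packets that arrive on that subinterface, i.e. packets sourced by VLAN 54 hosts, while packets heading into VLAN 54 from another subinterface are only checked by an ACL applied "out" on the VLAN 54 subinterface (or "in" on the other subinterfaces). The following is an added Python model of that evaluation order, not code from the thread or from Cisco. It takes the posted access-list 154 line and the 10.83.0.0/26 address from the thread; the subinterface name fa0/0.54, the Serial0/0 name for the T1, the other VLAN's subinterface fa0/0.10 with subnet 10.83.1.0/24, and all host addresses are constructed for the example. It traces four flows with the ACL as posted and again with a source/destination-corrected inbound ACL plus an outbound ACL on the same subinterface.

```python
"""Model of IOS interface ACL evaluation, built to reason about the
access-list 154 / 'ip access-group 154 in' configuration in this thread.
Assumptions (not from the thread): subinterface names fa0/0.54 and fa0/0.10,
the Serial0/0 interface for the T1, the 10.83.1.0/24 'other VLAN' subnet and
every host address below are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn IOS 'address wildcard' (e.g. 10.83.0.64 0.0.0.63) into a network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' lines, in order."""
    entries = []
    for line in lines:
        p = line.split()
        entries.append(AclEntry(p[2], wildcard_to_network(p[4], p[5]),
                                wildcard_to_network(p[6], p[7])))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


@dataclass
class Interface:
    name: str
    acl_in: list = None    # None means no access-group applied in that direction
    acl_out: list = None


class Router:
    def __init__(self, interfaces, routes):
        self.ifaces = {i.name: i for i in interfaces}
        # routes: (network, egress interface name); longest prefix wins
        self.routes = sorted(((ipaddress.IPv4Network(n), i) for n, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def egress_for(self, dst_ip):
        d = ipaddress.IPv4Address(dst_ip)
        return next((self.ifaces[i] for n, i in self.routes if d in n), None)

    def forward(self, src_ip, dst_ip, ingress_name):
        """'in' ACLs see packets arriving on an interface; 'out' ACLs see packets leaving it."""
        ingress = self.ifaces[ingress_name]
        if ingress.acl_in is not None and not acl_permits(ingress.acl_in, src_ip, dst_ip):
            return f"dropped: acl in on {ingress.name}"
        egress = self.egress_for(dst_ip)
        if egress is None:
            return "dropped: no route"
        if egress.acl_out is not None and not acl_permits(egress.acl_out, src_ip, dst_ip):
            return f"dropped: acl out on {egress.name}"
        return f"forwarded: out {egress.name}"


ROUTES = [("10.83.0.0/26", "fa0/0.54"),     # local VLAN 54, from the posted ip address
          ("10.83.0.64/26", "Serial0/0"),   # remote VLAN 54 over the T1 (assumed name)
          ("10.83.1.0/24", "fa0/0.10")]     # some other VLAN, constructed for the example

POSTED_ACL = parse_acl(["access-list 154 permit ip 10.83.0.64 0.0.0.63 10.83.0.0 0.0.0.63"])
# Inbound on fa0/0.54 the source is a local VLAN 54 host, so permit local -> remote ...
VLAN54_IN = parse_acl(["access-list 154 permit ip 10.83.0.0 0.0.0.63 10.83.0.64 0.0.0.63"])
# ... and only remote VLAN 54 may be delivered into local VLAN 54 (checked outbound).
VLAN54_OUT = parse_acl(["access-list 155 permit ip 10.83.0.64 0.0.0.63 10.83.0.0 0.0.0.63"])


def build_router(as_posted: bool) -> Router:
    if as_posted:
        vlan54 = Interface("fa0/0.54", acl_in=POSTED_ACL)
    else:
        vlan54 = Interface("fa0/0.54", acl_in=VLAN54_IN, acl_out=VLAN54_OUT)
    return Router([vlan54, Interface("Serial0/0"), Interface("fa0/0.10")], ROUTES)


def trace(as_posted: bool) -> dict:
    """Another VLAN probing VLAN 54, and remote VLAN 54 talking to local VLAN 54."""
    r = build_router(as_posted)
    return {
        "other_vlan_to_vlan54": r.forward("10.83.1.10", "10.83.0.5", "fa0/0.10"),
        "vlan54_reply_to_other_vlan": r.forward("10.83.0.5", "10.83.1.10", "fa0/0.54"),
        "remote_vlan54_to_local": r.forward("10.83.0.70", "10.83.0.5", "Serial0/0"),
        "local_vlan54_reply_to_remote": r.forward("10.83.0.5", "10.83.0.70", "fa0/0.54"),
    }


if __name__ == "__main__":
    for label, posted in (("as posted", True), ("in + out on fa0/0.54", False)):
        print(label)
        for flow, result in trace(posted).items():
            print(f"  {flow}: {result}")
```

With the ACL as posted, the model forwards the other VLAN's packet into VLAN 54 untouched (nothing filters that path) and drops VLAN 54's replies, including the reply to the remote VLAN 54 site, because the inbound ACL's source field is the remote subnet rather than the local one. With the inbound ACL's source and destination swapped and a second ACL applied "out" on the subinterface, only the remote 10.83.0.64/26 subnet reaches local VLAN 54 and VLAN 54 hosts can only send to it. The model covers plain "ip" entries and ignores router-originated traffic, which IOS does not subject to outbound interface ACLs.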