If I set up a trunk link between an external router and a managed switch to allow all traffic from VLANs on the managed switch to travel across the trunk link, will this automatically enable inter-VLAN routing? Is there a way to enable all traffic to use the trunk link, but not have inter-VLAN routing? I'm using a 2621 router and a 2924 switch.
First, the router has to have a Fast Ethernet interface to support trunking. Sub-interfaces must be created under that interface specifying the encapsulation method (ISL or 802.1Q). Here is a site that explains it for you.
If you are bringing the VLANs into a router and assign IP addresses to the VLAN interfaces, those interfaces will be connected interfaces and the router will route between them. Why are you bringing VLANs into a router if you don't want to route them???
You can use access-lists on the VLAN interfaces to permit/deny traffic.
If you want to trunk the VLANs into interface e0/0 on the router and have the VLAN traffic go back out e0/1 then you can bridge between the interfaces. Just create a subinterface and configure 'bridge-group #' on it with no ip address.
I am confused.
If you create a subinterface and configure 'bridge-group' on it, the two subinterfaces will communicate with each other on layer 2. It is not safe. Do you think so?
Thanks for the information. It looks like I will not be using a router. If I do not use a router then the VLANs will not be able to communicate with each other; however, will the machines on a VLAN be able to receive any traffic from outside of their VLAN? For example, if I have a firewall that is forwarding traffic out a specific interface to a machine located on a VLAN. The firewall is not routing the traffic, only forwarding it out an interface based on a secondary network assigned to the firewall interface. Will that machine be able to receive the traffic without having to be attached to a router?
What are you trying to accomplish?
In your original post, you want to trunk VLANs from a switch to a 2621 router but don't want to route the VLANs. Why then, trunk them to a router if you don't want to route the VLANs?
For users in one VLAN to talk to users in another VLAN they have to go through a device that routes.
Most firewalls with multiple interfaces or IPs route. If you set the default gw to the firewall address then the firewall will route that packet for the networks it has routes for. You should be able to do a 'netstat -r' to get the routing table from an NT-based or Unix-based fw.
Here is what I am trying to accomplish. I need to create 3 subnets which cannot communicate with one another yet pass all traffic through the same firewall to and from the Internet. I was wondering if I could set up 3 VLANs on a Catalyst switch, then connect the switch directly to the firewall and pass all traffic through one port on the firewall. The firewall is a WatchGuard Firebox. My main source of confusion is the firewall. The only support WatchGuard provides for VLANs is a statement which reads "VLAN header information must be stripped from the packets before they reach the FireBox". This is why I thought I would need to put a router between the switch and the firewall. Any ideas are greatly appreciated.
The quote about the VLAN headers being stripped means the FireBox doesn't support 802.1q/ISL for VLANs.
You can put the Firebox in its own VLAN, then have a VLAN trunk port to the Cisco 2621 that includes the 4 VLANs (3 subnets + firewall subnet). Set the users' default gw to the router subinterface for their VLAN. To prevent users on the different subnets from accessing the other subnets, use access-lists on the router subinterface to permit traffic from the subnet to the firewall only and back.
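A worked 2621 configuration for the design described in the reply above, added here as an illustration and not taken from the thread or from any poster. It assumes constructed addressing: VLANs 10/20/30 for the three user subnets (192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24), VLAN 40 (192.168.40.0/24) for the subnet holding the Firebox at 192.168.40.2, 802.1Q encapsulation, and FastEthernet0/0 as the trunk interface.

```cisco
! Constructed example: 2621 router-on-a-stick with one 802.1Q trunk to the switch.
! VLANs 10/20/30 = user subnets, VLAN 40 = subnet holding the Firebox.
interface FastEthernet0/0
 no ip address
 no shutdown
!
! One subinterface per VLAN; its IP address is the default gateway for that VLAN.
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group VLAN20-IN in
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group VLAN30-IN in
!
! VLAN 40 holds the Firebox; the switch port facing it is an untagged access port,
! so the Firebox never sees a VLAN header.
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
!
! Anything not destined for a local VLAN goes to the Firebox (assumed 192.168.40.2).
ip route 0.0.0.0 0.0.0.0 192.168.40.2
!
! Inbound ACL per user VLAN: drop and log anything aimed at the other user subnets,
! then permit only packets with a source in that VLAN's own subnet (blocks spoofed
! sources) towards everything else, i.e. the Firebox and the Internet behind it.
ip access-list extended VLAN10-IN
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 log
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended VLAN20-IN
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 log
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended VLAN30-IN
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip 192.168.30.0 0.0.0.255 any
```

Return traffic from the Firebox arrives on FastEthernet0/0.40, which carries no inbound ACL, so it reaches the user VLANs unhindered; the Firebox itself needs static routes for the three user subnets via 192.168.40.1. The logged denies give you a record of any cross-VLAN attempts to check in the router's log or syslog.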
Thanks a lot for clearing up my confusion. One more question: in the design you mentioned earlier, is the 2621 only there to route VLAN information?
The 2621 is a full-blown router so it can also have WAN connections (PPP, frame, HDLC, etc.), ATM, VoIP. Plenty of product/feature info on the Cisco web pages.
You could have a site with a couple of switches attached together and then one of the switch ports is trunked into the 2621 to route between the VLANs at the site. The 2621 could also have a WAN connection to other offices across the country, etc.