Good, I have a 4506. Now can you create Access-list to limit the access from one vlan to an other?

If so where can I read about this?

Thanks

Hi,

Yes youc an define ACLs...

Here is an example ACL:

Lets say 10.0.1.0 /24 VLAN 2

and 10.0.2.0 /24 VLAN 3

and we are gonna restrict telnet access to VLAN3 from VLAN2

access-list 101 deny tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 eq telnet

access-list 101 permit ip any any

Here is the link for ACL configuration

http://www.sans.org/reading_room/whitepapers/networkdevs/231.php

Pls rate all Posts

and then I apply this access-list 101 to the VLAN2 like this:

interface Vlan2

ip address 10.0.1.0 255.255.255.0

ip access-group 101 out

right?

i think it should be

ip access-group 101 in

Cuz, we are gonna check packets from VLAN2 to VLAN3 so the router should check incoming packets from VLAN2...

Otherwise you can define that accee-list on VLAN3 interface as out direction. This time This time router will check outgoing packets to VLAN3...

But the best is to apply on VLAN2... Cuz we are creating extended ACL...

It is better to apply Extended ACLs near to source...

It is better to appy Standard ACLs near to Destionation...

Hope it helps..

Pls Rate all Posts

Ok, I created a VLAN (VLAN 100) and a give it an IP.

IP Address 10.10.100.100 /24

and I enabled IP routing on the switch.

I also connected a host to that VLAN.

Now the host can ping the switch on ip 10.10.100.100 but it can not see any other host on any other VLAN.

Is there something I have to do with the port where to host is connected? or some other global settings?

here is what the port setting are:

interface GigabitEthernet4/42

switchport access vlan 100

switchport mode access

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

macro description cisco-desktop

spanning-tree portfast

spanning-tree bpduguard enable

Do I need to disable switchport? or maybe I need to turn the port into a trunk? I would rather not.

Thanks

Pls check 'show ip route' command.. You should verify that two routes are there. These two routes (I assume in a different subnet). If there is no route on the routing table, you should add them by using 'ip route' command.

In this configuration you dont need trunk ports...

Just I wanna be sure... Your network is like one switch

and two host are connected to that switch. And they are in different VLANS. In this network you dont need it. But if you have a router, things will change.

Trunk port only carries VLAN information...

You can check the following link. They have very good explanation about VLANs...

http://www.firewall.cx

Regards...

Yes, you are correct. I can see that both VLAN have a route now. And yes it's one switch and multiple VLAN. There is a router on the first VLAN but it's for internet access and other things.

It's weired, I can ping the 2 diffrent IP of the switch on the two different VLAN from the host on the new VLAN, but I can't ping the new VLAN ip from an host on the old VLAN.

Do you understand my problem?

Thanks

Shortly here what u should do...

on the switch:

Router(config)# vlan 100

Router(config)# interface vlan 1

router(config-if)# no shut

router(config-if)# ip address 172.16.1.1 255.255.255.0

Router(config)# interface vlan 100

router(config-if)# no shut

router(config-if)# ip address 172.16.2.1 255.255.255.0

router(config)# interface fa0/1

router(config-if)# no shut

router(config-if)# switchport mode access

router(config-if)# switchport access vlan 1

router(config)# interface fa0/2

router(config-if)# no shut

router(config-if)# switchport mode access

router(config-if)# switchport access vlan 100

router(config)# ip routing

These are minimum configurations to communicate 2 hosts in 2 seperate VLANs without requirement a router.

Check this again and try ping host from switch...

Pls let me know how it goes...

Ok, I got it working.

I had to change the default gateway on the host to the switch IP (VLAN IP). It makes sense.

But now if I want to roll this out I need to change the DHCP server so that it gives the new default gateway address. On the switch I have the default route set to the old gateway, I hope with this it will have no effects. What do you guys think? Maybe I should just put all the static routes I have on the old gateway on the switch and ditch the old gateway.