07-19-2006 12:23 PM - edited 03-03-2019 04:07 AM
Is it possible to link 2 VLANs on the same switch without a router? If so, how?
Thanks
07-19-2006 12:32 PM
You certainly can do so with L3 switches (e.g. 3550/3560/3750 etc.), which allow the creation of VLAN interfaces to enable inter-VLAN routing. If all you have is a L2 switch, you need to use a router.
Paresh.
PS. Pls do rate posts.
07-20-2006 12:15 AM
Good, I have a 4506. Now, can you create access-lists to limit the access from one VLAN to another?
If so, where can I read about this?
Thanks
07-20-2006 12:36 AM
Hi,
Yes, you can define ACLs...
Here is an example ACL:
Let's say 10.0.1.0/24 is VLAN 2
and 10.0.2.0/24 is VLAN 3
and we are gonna restrict telnet access to VLAN 3 from VLAN 2
access-list 101 deny tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 eq telnet
access-list 101 permit ip any any
Here is the link for ACL configuration
http://www.sans.org/reading_room/whitepapers/networkdevs/231.php
Pls rate all Posts
07-20-2006 01:26 AM
and then I apply this access-list 101 to VLAN2 like this:
interface Vlan2
ip address 10.0.1.1 255.255.255.0
! the SVI needs a host address inside the subnet, not the network address 10.0.1.0
ip access-group 101 out
right?
07-20-2006 01:54 AM
I think it should be
ip access-group 101 in
'Cuz we are gonna check packets from VLAN2 to VLAN3, so the router should check incoming packets from VLAN2...
Otherwise you can define that access-list on the VLAN3 interface in the out direction. This time the router will check outgoing packets to VLAN3...
But the best is to apply it on VLAN2... 'Cuz we are creating an extended ACL...
It is better to apply extended ACLs near the source...
It is better to apply standard ACLs near the destination...
Hope it helps..
Pls Rate all Posts
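The direction question above, worked through in Python as an added example that is not part of the thread: access-list 101, the subnets and the VLAN numbers are the ones used in the posts; the evaluation model (first match wins, implicit deny at the end, 'in' checked on the SVI the packet enters, 'out' on the SVI it leaves) is a constructed simplification of what the switch does, so you can see which placement actually catches VLAN2-to-VLAN3 telnet.

```python
import ipaddress

# access-list 101 from the thread: (action, proto, src, src-wildcard, dst, dst-wildcard, dport)
ACL_101 = [
    ("deny",   "tcp", "10.0.1.0", "0.0.0.255",       "10.0.2.0", "0.0.0.255",       23),
    ("permit", "ip",  "0.0.0.0",  "255.255.255.255", "0.0.0.0",  "255.255.255.255", None),
]
# Constructed SVIs carrying the subnets used in the thread.
SVIS = {"Vlan2": ipaddress.ip_network("10.0.1.0/24"),
        "Vlan3": ipaddress.ip_network("10.0.2.0/24")}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def acl_decision(acl, proto, src, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, sbase, swild, dbase, dwild, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def svi_for(addr):
    """The SVI whose connected subnet contains addr (the connected route)."""
    for name, net in SVIS.items():
        if ipaddress.IPv4Address(addr) in net:
            return name
    raise ValueError("no connected route for " + addr)

def forward(bindings, proto, src, dst, dport=None):
    """bindings maps (svi, 'in'|'out') to an ACL, like 'ip access-group 101 in'.
    An inbound ACL is checked on the SVI the packet enters through, an outbound
    ACL on the SVI it leaves through. Returns 'forwarded' or where it was dropped."""
    ingress, egress = svi_for(src), svi_for(dst)
    for svi, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((svi, direction))
        if acl and acl_decision(acl, proto, src, dst, dport) == "deny":
            return "dropped by %s %s" % (svi, direction)
    return "forwarded"
```

With the ACL bound 'out' on Vlan2 (the first attempt in the thread) a VLAN2-to-VLAN3 telnet is forwarded, because that packet leaves through Vlan3, not Vlan2; bound 'in' on Vlan2 or 'out' on Vlan3 it is dropped.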
07-20-2006 04:57 AM
Ok, I created a VLAN (VLAN 100) and gave it an IP.
IP Address 10.10.100.100 /24
and I enabled IP routing on the switch.
I also connected a host to that VLAN.
Now the host can ping the switch on IP 10.10.100.100, but it cannot see any other host on any other VLAN.
Is there something I have to do with the port where the host is connected? Or some other global settings?
Here is what the port settings are:
interface GigabitEthernet4/42
switchport access vlan 100
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
Do I need to disable switchport? or maybe I need to turn the port into a trunk? I would rather not.
Thanks
07-20-2006 05:28 AM
Pls check the 'show ip route' command... You should verify that the two routes are there (I assume they are in different subnets). If there is no route in the routing table, you should add them using the 'ip route' command.
In this configuration you don't need trunk ports...
I just wanna be sure... Your network is like one switch
and two hosts are connected to that switch, and they are in different VLANs. In this network you don't need it. But if you have a router, things will change.
Trunk ports only carry VLAN information...
You can check the following link. They have very good explanation about VLANs...
Regards...
07-20-2006 05:53 AM
Yes, you are correct. I can see that both VLANs have a route now. And yes, it's one switch and multiple VLANs. There is a router on the first VLAN, but it's for internet access and other things.
It's weird, I can ping the 2 different IPs of the switch on the two different VLANs from the host on the new VLAN, but I can't ping the new VLAN IP from a host on the old VLAN.
Do you understand my problem?
Thanks
07-20-2006 06:08 AM
Briefly, here is what you should do...
on the switch:
Router(config)# vlan 100
Router(config)# interface vlan 1
Router(config-if)# no shut
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config)# interface vlan 100
Router(config-if)# no shut
Router(config-if)# ip address 172.16.2.1 255.255.255.0
Router(config)# interface fa0/1
Router(config-if)# no shut
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 1
Router(config)# interface fa0/2
Router(config-if)# no shut
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 100
Router(config)# ip routing
These are the minimum configurations for 2 hosts in 2 separate VLANs to communicate without requiring a router.
Check this again and try to ping the host from the switch...
Pls let me know how it goes...
07-21-2006 01:14 AM
Ok, I got it working.
I had to change the default gateway on the host to the switch IP (VLAN IP). It makes sense.
But now, if I want to roll this out, I need to change the DHCP server so that it gives the new default gateway address. On the switch I have the default route set to the old gateway; I hope this will have no effect. What do you guys think? Maybe I should just put all the static routes I have on the old gateway on the switch and ditch the old gateway.
07-19-2006 11:45 PM
As pkhatri said, yes you can, but only if you have an L3 switch... Here is how you can do it if you have an L3 switch...
Step 1: Define VLANs and assign an IP to them
Step 2: Router(config)# ip routing
The above command brings the switch into routing mode...
Step 3: You can define static routes...
Pls Rate all Posts