01-29-2008 11:37 AM - edited 03-03-2019 08:28 PM
I have configured inter-VLAN routing on multilayer switches, but I need to separate one VLAN, VLAN 100, from the other VLANs. I want only the subnet on VLAN 100 to be able to access VLAN 100; all other subnets in other VLANs must not be able to access it. How does the configuration work?
01-29-2008 12:42 PM
Hi,
As far as I understand, you configured inter-VLAN routing in a multilayer switch and you want to prevent all other VLANs from accessing the vlan100 subnet, or hosts on vlan100 from accessing other VLANs.
If you configured interface vlan100 with an IP address, then you just have to remove the IP address from interface vlan100 with the "no ip address" command. Then there will be no routing on that interface and vlan100 will be completely isolated from other VLANs.
Also, if vlan100 is configured on multiple switches, then you will need to configure a layer 2 trunk between the switches that will carry vlan100:
To configure a trunk:
interface gigabitethernet 1/1
 switchport
 ! Set the encapsulation before forcing trunk mode: on platforms whose default
 ! encapsulation is "auto", "switchport mode trunk" is rejected otherwise
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Carry only vlan100 on this trunk
 switchport trunk allowed vlan 100
 no shutdown
Configure the trunk on both switches, on both sides of the trunk link, of course.
Is this what you wanted?
Cheers:
Istvan
01-31-2008 12:33 PM
Hi,
Thanks for the info. But if I don't configure the IP address on int vlan 100, how will the clients of VLAN 100 choose their gateway to get out? Supposedly there has to be an IP on int vlan 100. I need to block the incoming and outgoing traffic from VLANs 2, 3, 4, 5 to VLAN 100 and allow only VLAN 11 to communicate with VLAN 100.
How do I achieve that using a VLAN access-map or VACL?
02-02-2008 12:52 PM
Hi,
You can configure VACLs but it may not be a scalable method to achieve your purpose.
From a scalability and manageability point of view, Cisco recommends applying traffic filtering for security or traffic optimization purposes on layer 3 interfaces in the distribution layer switches.
Therefore I suggest applying an access-list to the vlan100 interface on your multilayer switch or switches.
If you want to configure VACLs anyway, I would suggest looking at this URL, as I haven't got enough space here to describe it:
Cheers:
Istvan
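An added example (not from the thread, not Istvan's configuration) of the access-list approach recommended above, applied to the case from the follow-up: only VLAN 11 may talk to VLAN 100, and VLANs 2 to 5 are blocked in both directions. It assumes VLAN 100 is 10.100.0.0/24 with the SVI at 10.100.0.1 and VLAN 11 is 10.11.0.0/24; the ACL names VLAN100-IN and VLAN100-OUT are arbitrary.

```cisco
! Added example, not from the thread. Assumed addressing:
!   VLAN 100 = 10.100.0.0/24 (SVI 10.100.0.1), VLAN 11 = 10.11.0.0/24
! IOS ACLs are stateless, so both directions must be permitted explicitly.
!
! Traffic leaving VLAN 100 toward other VLANs enters the SVI ("in")
ip access-list extended VLAN100-IN
 remark Allow VLAN 100 hosts to reach VLAN 11 only
 permit ip 10.100.0.0 0.0.0.255 10.11.0.0 0.0.0.255
 remark Add permits here if VLAN 100 hosts must reach the gateway itself
 remark Explicit deny with log gives hit counters and syslog for violations;
 remark "log" punts to the CPU on hardware-switched platforms, so use it sparingly
 deny   ip any any log
!
! Traffic routed into VLAN 100 from other VLANs leaves the SVI ("out")
ip access-list extended VLAN100-OUT
 remark Allow VLAN 11 hosts to reach VLAN 100 only
 permit ip 10.11.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 deny   ip any any log
!
interface Vlan100
 description Gateway for VLAN 100 (keep the IP so hosts still have a default gateway)
 ip address 10.100.0.1 255.255.255.0
 ip access-group VLAN100-IN in
 ip access-group VLAN100-OUT out
!
! Host-to-host traffic inside VLAN 100 never crosses the SVI, so these ACLs
! do not filter it; that would need a VACL (vlan access-map) or a port ACL.
! Verify after testing from a VLAN 2 host and a VLAN 11 host:
!   show ip access-lists VLAN100-IN
!   show ip access-lists VLAN100-OUT
```

The deny entries cover VLANs 2 to 5 without listing them, so adding another VLAN later needs no change here unless it should also be allowed.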