09-09-2021 10:45 PM
Do I see this right?
I have a switch (2960, L3 enabled) that I have set up to route between VLANs.
I have a router connected to the switch (router on a stick).
If I set the gateway on a PC to point to the switch, I will be routed on the switch
from one VLAN to the other.
If I set the gateway to point to the router, I will be routed on the router.
Correct so far?
If I create an ACL on the switch to deny all access to its VLAN address except for chosen ones,
other clients won't be able to get routing directly on the switch.
E.g. if the switch has no other ACLs and will route from any VLAN to any VLAN,
but the router has an ACL in place to deny VLAN 10 to VLAN 20,
no client not allowed on the switch will be able to circumvent this and access VLAN 20 from VLAN 10?
09-10-2021 12:12 AM
To get more clarity: always running the ACL where the Layer 3 gateway points is best practice, so you are sure the first hop can filter easily rather than the next hop. To provide suggestions, can you post an example of the config here?
09-10-2021 01:45 AM
I don't have any actual ACL running, just want to see if it will work as I think it will.
Also, my main focus is not necessarily on best practice but on convenience for me,
and of course that it works as intended.
Here is what I came up with:
SWITCH L3
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 ip access-group gateAccess in
interface Vlan20
 ip address 10.0.20.2 255.255.255.0
 ip access-group gateAccess in
interface Vlan30
 ip address 10.0.30.2 255.255.255.0
 ip access-group gateAccess in
interface GigabitEthernet0/0/1
 description vlan 10
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet0/0/2
 description vlan 20
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet0/0/3
 description vlan 30
 switchport access vlan 30
 switchport mode access
interface GigabitEthernet0/0/4
 description Trunk
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
ip access-list extended gateAccess
 permit tcp any any established
 permit ip 10.0.10.10 0.0.0.0 any
 deny ip any 10.0.10.2 0.0.0.0
 deny ip any 10.0.20.2 0.0.0.0
 deny ip any 10.0.30.2 0.0.0.0
 permit ip any any
ROUTER
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group gateAccess in
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group gateAccess in
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip access-group gateAccess in
interface GigabitEthernet0/0/1
 description Trunk
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
ip access-list extended gateAccess
 permit tcp any any established
 permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 deny ip 10.0.20.0 0.0.0.255 any
 deny ip any 10.0.10.0 0.0.0.255
 permit ip any any
3 PCs connected to the switch,
the switch connected to the router.
Do I see this correctly, that a PC on
VLAN 10
can ping: PCs on VLAN 20, 30
VLAN 20
can ping: PCs on VLAN 30
VLAN 30
can ping: PCs on VLAN 20, 30
AND
a PC on VLAN 10 setting its gateway to 10.0.10.2 and IP 10.0.10.10 has no restrictions at all,
other PCs trying to set 10.0.x.2 as gateway won't work and can't circumvent this somehow?
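The two gateAccess ACLs above can be checked offline before touching the gear. The script below is an added example, not part of the original thread or of any Cisco tooling: it re-implements IOS first-match ACL evaluation with wildcard masks and the implicit deny, then runs the posted ACLs against constructed flows. It assumes every SVI applies its ACL inbound, that a packet hits the ACL of whichever device the sending host uses as gateway (both hosts of a ping using the same gateway), and that the established keyword is approximated by a flag on the packet (TCP with ACK or RST set); no connection state is modelled. Host addresses such as 10.0.10.50, 10.0.20.5 and 10.0.30.5 are constructed; 10.0.10.10 is the "chosen" VLAN 10 PC from the config.

```python
"""Toy IOS extended-ACL evaluator for the thread's two gateAccess lists.

Added example (not from the original post). Assumptions: ACLs applied inbound
on every SVI, packet hits the ACL of the device used as gateway, "established"
approximated by a per-packet flag, hosts other than 10.0.10.10 are constructed.
"""
from ipaddress import IPv4Address

SWITCH_ACL = [                      # as posted for the L3 switch (SVIs x.x.x.2)
    "permit tcp any any established",
    "permit ip 10.0.10.10 0.0.0.0 any",
    "deny ip any 10.0.10.2 0.0.0.0",
    "deny ip any 10.0.20.2 0.0.0.0",
    "deny ip any 10.0.30.2 0.0.0.0",
    "permit ip any any",
]

ROUTER_ACL = [                      # as posted for the router (SVIs x.x.x.1)
    "permit tcp any any established",
    "permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255",
    "deny ip 10.0.20.0 0.0.0.255 any",
    "deny ip any 10.0.10.0 0.0.0.255",
    "permit ip any any",
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' (inverse of a netmask)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [established]' into a dict."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take(toks):
        # 'any', 'host A', or 'A WILDCARD'
        if toks[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), toks[1:]
        if toks[0] == "host":
            return (toks[1], "0.0.0.0"), toks[2:]
        return (toks[0], toks[1]), toks[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "established": "established" in rest}


def evaluate(acl_lines, src, dst, proto="icmp", established=False):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if ace["established"] and not (proto == "tcp" and established):
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"


def ping_result(acl_lines, src, dst):
    """A ping succeeds only if echo request AND echo reply pass the ACL."""
    return evaluate(acl_lines, src, dst, "icmp"), evaluate(acl_lines, dst, src, "icmp")


if __name__ == "__main__":
    # A VLAN 10 PC that is NOT the chosen host, using the switch as gateway
    print("switch 10.0.10.50 -> 10.0.20.5 :", evaluate(SWITCH_ACL, "10.0.10.50", "10.0.20.5"))
    print("switch 10.0.10.50 -> 10.0.10.2 :", evaluate(SWITCH_ACL, "10.0.10.50", "10.0.10.2"))
    # ICMP both ways through the router's ACL
    print("router ping 10.0.10.5 <-> 10.0.20.5:", ping_result(ROUTER_ACL, "10.0.10.5", "10.0.20.5"))
    # TCP SYN-ACK coming back from VLAN 20 matches 'established'
    print("router tcp 10.0.20.5 -> 10.0.10.5 (ACK set):",
          evaluate(ROUTER_ACL, "10.0.20.5", "10.0.10.5", "tcp", established=True))
```

Two things the run makes visible. The switch ACL only denies packets whose destination is an SVI address (10.0.x.2); a packet from 10.0.10.50 that is merely routed through the switch is addressed to 10.0.20.5, falls through to permit ip any any, and is forwarded, so pointing the gateway at 10.0.10.2 is not blocked for unchosen hosts, only pinging the SVI is. On the router, the established keyword applies to TCP only, so an ICMP echo request from VLAN 10 to VLAN 20 is permitted but the reply from 10.0.20.0/24 hits deny ip 10.0.20.0 0.0.0.255 any and is dropped, whereas a TCP SYN-ACK in the same direction is permitted.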