11-10-2004 08:29 AM - edited 03-02-2019 07:51 PM
I have this configuration:
- Servers and gateways are on VLAN 1
- PCs are on other, different VLANs (one for each department)
I want all VLANs to have full access to VLAN 1 (mainly so that the servers can be accessed by all the PCs), but I would like the PCs' separate VLANs not to communicate with each other.
Inter-VLAN routing is configured, but IPX traffic, broadcasts and Layer-2 protocols to VLAN 1 are not routed.
How do I do that?
PS: I use two Catalyst 3550-12G in HSRP as the backbone for inter-VLAN routing, and Catalyst 3500 and 2950 as distribution switches.
Regards.
11-10-2004 01:08 PM
The simplest way to accomplish this would be to use access control lists on the PC subnets that restrict access to the other PC subnets.
For example, if your server subnet is 192.168.1.0/24 (VLAN 1) and your workstation subnets are 192.168.2.0/24 (VLAN 2) and 192.168.3.0/24 (VLAN 3), you could use the configuration below:
! SVI for the VLAN 2 workstation subnet; ACL 102 filters traffic entering from the PCs
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 102 in
!
! SVI for the VLAN 3 workstation subnet; ACL 103 filters traffic entering from the PCs
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 103 in
!
! ACL 102: VLAN 2 PCs may reach the server subnet and their own subnet; everything else hits the implicit deny
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! ACL 103: same pattern for the VLAN 3 PCs
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
Don't forget that there is an implicit deny ip any any at the end of the ACL, so if Internet access is required you will have to change the ACLs to deny access to all other PC VLANs and then permit any as the last entry.
The ACLs as set above will allow the PC subnets to communicate with the server subnet, but not with the other PC subnet. The second entry in each of the ACLs allows HSRP to communicate between the two Layer 3 interfaces of each Cat3550. With no ACL on the server subnet, the servers are allowed to communicate with all the PC subnets.
IPX communication can be restricted in the same manner by using ACLs that list IPX network addresses. This ACL would look something like the one below, where AAAAAAAA is a PC VLAN and BBBBBBBB would be a server VLAN.
access-list 800 permit AAAAAAAA BBBBBBBB
I'm not sure if you would need the IPX ACL though, since the server VLAN does not have IPX enabled on it. If this is the case, is there a need for IPX on the PC VLANs? If not, you can restrict access over this protocol by removing IPX from the VLAN interface.
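The answer's design rests on two IOS ACL rules that are easy to get wrong when reviewing a change: entries are evaluated top-down on first match, and anything that matches nothing is dropped by the implicit deny. The following Python model, added here as an illustration and not part of the original thread or of Cisco's own code, parses numbered ACL lines in the same wildcard-mask syntax as the answer and evaluates sample flows against them. ACL 102 and 103 are copied from the answer; ACL 112 is a constructed example of the "deny the other PC VLAN, then permit any" variant the answer recommends when Internet access is needed. The model only handles `permit`/`deny ip` entries with `any`, `host` or network/wildcard operands, and does not reproduce hardware-specific behaviour such as how the switch treats HSRP multicast hellos.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACL text. 102/103 match the answer; 112 is the Internet-access
# variant: explicitly deny the other PC subnet, then permit everything else.
ACL_TEXT = """
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 112 permit ip any any
"""


@dataclass
class Entry:
    action: str   # "permit" or "deny"
    src: tuple    # (network as int, wildcard as int)
    dst: tuple


def parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i].
    Returns ((network, wildcard), index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1          # every bit is a don't-care
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acls(text):
    """Group 'access-list N permit|deny ip SRC DST' lines by ACL number,
    preserving order, since order decides the result."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        number, action = t[1], t[2]
        src, i = parse_addr(t, 4)
        dst, _ = parse_addr(t, i)
        acls.setdefault(number, []).append(Entry(action, src, dst))
    return acls


def matches(addr, spec):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'ignore this bit'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny applies."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if matches(s, e.src) and matches(d, e.dst):
            return e.action
    return "deny"


ACLS = parse_acls(ACL_TEXT)


def check(acl_number, src_ip, dst_ip):
    """Result for a packet entering the SVI that carries this ACL inbound,
    so src_ip is a PC and dst_ip is wherever it is trying to go."""
    return evaluate(ACLS[acl_number], src_ip, dst_ip)


if __name__ == "__main__":
    for acl, src, dst in [("102", "192.168.2.10", "192.168.1.5"),
                          ("102", "192.168.2.10", "192.168.3.5"),
                          ("102", "192.168.2.10", "8.8.8.8"),
                          ("112", "192.168.2.10", "192.168.3.5"),
                          ("112", "192.168.2.10", "8.8.8.8")]:
        print(f"ACL {acl}: {src} -> {dst}: {check(acl, src, dst)}")
```

Running it shows the point the answer makes about the implicit deny: with ACL 102, a VLAN 2 PC reaches the server subnet but is dropped both toward VLAN 3 and toward the Internet, whereas ACL 112 keeps the VLAN 3 block while letting the Internet flow through. Reordering 112 so that `permit ip any any` came first would silently undo the isolation, which is why a change review should check entry order, not just the set of entries.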
11-11-2004 03:17 AM
Hello sstudsdahl,
Thanks for your help. But in Catalyst 3550 switches you cannot activate IPX routing, so Novell traffic to the server VLAN is blocked. Also, other Windows broadcast traffic like NetBIOS is also blocked. For the other servers I don't know the type of traffic. So, I think that the best solution is to allow full Layer-2 traffic between the PC VLANs and the server VLAN. As we are doing inter-VLAN Layer-3 routing, broadcasts between the PC VLANs will be automatically blocked.
My problem is I don't know how to force full Layer-2 traffic between 2 VLANs.