How to allow access from one vlan to another

Netsnaper · ‎08-17-2022

Hi all

I have a particular request from a customer. Currently, there is a CISCO Switch 2960 configured with 3 vlans( 10,20,30) on the vlans 10 & 20 will be the computers, printers etc. for the users, and on vlan 30 will be the servers(DHCP, DNS,FTP etc). I need to be able to access the servers on vlan 30 from the pcs from the other vlans(10,20).

I have used for example:

interface FastEthernet0/1

switchport access vlan 10

switchport trunk allowed vlan 10,30

switchport mode access

But the pc's are unable to reach the servers. Any ideas?

MHM Cisco World · ‎08-17-2022

run command
ip routing

Netsnaper · ‎08-17-2022

if I use ip routing, all pcs will have access between each other ? That will in my opinion kill the purpose of the vlan, right? What I am looking for is to separate pcs from each department in vlans so they do not have access between departments, bu t be able to share internet, file shares &dhcp.

With IP routing I can accomplish that? Or I will need to use another type of equipment. Thanks for you replay

paul driver · ‎08-20-2022

Hello
You need ip routing for intervlan communication then if you wish to negate access between particular vlan this can be accomplished with appending Router Access Control Lists (RACLs) on the L3 interfaces of those vlans.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Netsnaper · ‎08-17-2022

Netsnaper · ‎08-18-2022

@MHM Cisco World

If ip routing is implemented, all pcs from the VLANs on the switch will be able to interact with each other. That way VLAN will not be necessary. The plan is to separate the pcs from departments but share the internet and server access.

Thanks for the replay

MHM Cisco World · ‎08-18-2022

You need Inter-VLAN
Inter-VLAN done in this SW or in Router connect to this SW,

Georg Pauwen · ‎08-18-2022

Hello,

as mentioned, you need some sort of layer 3 device (which must be there, otherwise you will not be able to access the Internet, as the 2960 by itself cannot terminate an Internet connection). What is the 2960 connected to ? Can you post the config of that device ?

Joseph W. Doherty · ‎08-19-2022

To clarify, on a "pure" L2 switch, you cannot exchange traffic between ANY VLANs (assuming your not cross connecting them).

Some L2 switches (including 2960 models, I believe) may support a private-VLAN feature. Using just a single VLAN, most hosts cannot directly intercommunicate, except those configured to be accessed by other hosts (used for server hosts).

If your VLANs are their own individual networks, you can exchange data between them by routing. I recall (?) some models of 2960s support very basic routing features. If yours does, you would configure virtual interfaces on each VLAN, configure your hosts to use its VLAN switch interface as its gateway, and enable routing. That should allow all your VLAN to freely exchange data.

To further restrict what kind of traffic can flow where, you would add ACLs to your VLAN interfaces.

BTW, it's also possible to route between VLANs using an external L3 switch or router, which I wonder about, because, again, w/o routing, your VLANs should be unable to exchange ANY data, and also because you have a trunk configured (often used for a one armed routed connection to L3 switch or router).

Netsnaper · ‎08-19-2022

Thanks

I will then use a 2921 router, and enable inter-Vlan to be able to intercommunicate the VLANs with the servers.

Joseph W. Doherty · ‎08-19-2022

A 2921 should work fine for both routing between your VLANs, and controlling what traffic you permit between VLANs.

On the switch, configure one port as a trunk, allowing all VLANs. That will connect to a router port.

On the router, you'll need to define subinterfaces for each VLAN.

The only issue with a 2921, on a LAN, it can easily become a bottleneck if you connect to it with gig interfaces.

sadavir.sampath · ‎08-19-2022

Hi Netsnaper,
I'm use to work on similar networks.
Vlan 10 and 20 can be called "Developpement-Stations" and "Printers" network,
and VLAN 30 as "Servers" network.
The more simple config is
- Consider VLAN 10 and VLAN 20 as "inside" interfaces
- Consider VLAN 30 as "outside" interface
- Configure NAT from both "inside" interfaces before going of the "outside"
- If the printers have to be accessible from the servers, you can configure static hosts translations (ex. 192.168.2.100 from inside interface translate to 192.168.5.100 from outside)
With this config, if you want, you will be able to use ACL to control exchanges between the 3 VLANs
Hope that will help you.

Netsnaper · ‎08-19-2022

@sadavir.sampath

When you say inside and outside, do you refer to the hosts ips as inside and the VLAN interface ip as outside?

aalirezaa · ‎08-19-2022

hi. with vlan you can separate every department and if you can communicate between vlans you should use a layer 3 device like router or layer 3 switch.after that you can use with VACL that control traffic between vlans.for instance vlan 10 can communicate with vlan 30 but vlan 10 cant communicate vlan 20.

Netsnaper · ‎08-19-2022

Thanks

Will try using a 2921 router and enable inter-Vlan to be able to intercommunicate the hosts with the servers.