Layer 2 switch VLAN Security

kjanakiraman
Level 1

Can I create 3 VLANs in a layer 2 switch, namely VLAN1, VLAN2 and VLAN3, and configure them in such a way that VLAN1 can communicate with all the other VLANs and with other systems that are connected through a non-manageable switch and hubs, and no other system in the network should communicate or connect to systems in VLAN1 unless specifically authenticated? If it can be done, can someone suggest how to configure this and documents related to it?

Thanks in Advance

3 Replies

mparekh
Level 3

For VLAN 1 to communicate with other VLANs you will need a Layer 3 device (router). The scenario you are trying to accomplish will not work with a Layer 2 switch.

If my VLAN1 is in IP range 10.1.1.0/24, VLAN2 is in IP range 10.2.2.0/24 and VLAN3 is in the range 10.3.3.0/24, and I do VTP trunking that points towards the Ethernet interface of the router, which has a primary IP in 10.1.1.0/24 and two secondary IPs in 10.2.2.0/24 and 10.3.3.0/24, will this make the 3 VLANs communicate with each other through the Ethernet interface of the router? Will this work? If it works, can I implement security on the layer 2 switch to secure VLAN1 from the other VLANs?

Thanks in Advance

For Layer 3 routing between VLANs you need to specify a VTP domain. At least one of your switches must be a VTP server; any others can be clients, unless they don't actually participate in the VLAN infrastructure, in which case you can set them as transparent, e.g.

server mode....

set vtp domain PINDAR
set vtp mode server
set vlan 2 6/3-8
set vlan 2 6/10
set vlan 2 6/13
set vlan 2 6/17
set vlan 2 name Cust_Svcs
set trunk 1/1 1-1000
set trunk 1/2 1-1000
set vtp pruning enable
set vtp pruneeligible 2-1000

client mode....

vlan database
vtp client
vtp domain PINDAR
vlan 2 name Cust_Svcs
exit

int f0/1
switchport mode access
switchport access vlan 2
int f0/2
switchport mode access
switchport access vlan 2
...
int f0/24
switchport mode access
switchport access vlan 2
int g0/1
switchport trunk encap isl
switchport mode trunk
int g0/2
switchport trunk encap isl
switchport mode trunk

Not sure that you can do the secondary address set-up on the router's Ethernet interface. You may need to set them up as sub-interfaces and set the encapsulation to whichever trunking mode you are using, e.g.

interface FastEthernet3/0
no ip address
duplex auto
speed auto
!
interface FastEthernet3/0.1
encapsulation isl 2
ip address 193.xxx.17.133 255.255.255.0
no ip redirects
!
interface FastEthernet3/0.2
encapsulation isl 3
ip address 193.xxx.15.108 255.255.255.0
no ip redirects

VLAN1 is by default the native VLAN. All ports will be on this VLAN until you assign them to another VLAN.

I was using 3640 routers, a Cat 4000 and Cat 2900 switches. Try that and see if it works for you.

Regards.

Steve.
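A worked router-on-a-stick configuration for the addressing in the question (10.1.1.0/24, 10.2.2.0/24, 10.3.3.0/24), added as an example and not taken from any reply in this thread. It follows the sub-interface approach the replies describe but assumes 802.1Q trunking rather than ISL, assumes the router's trunk port is FastEthernet0/0 and that the router holds .1 in each subnet, and adds a reflexive access list so that hosts in VLAN2 and VLAN3 can only send traffic into VLAN1 as replies to sessions that VLAN1 hosts opened. The access-list names (FROM-VLAN1, TO-VLAN1, VLAN1-SESSIONS) and the switch port numbers are made up for the example; the filtering itself lives on the router, because a layer 2 switch without VLAN ACL support cannot enforce it.

```cisco
! Router side. Assumed: FastEthernet0/0 is the 802.1Q trunk to the switch and
! the router owns .1 in each of the three /24s from the question.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 description VLAN1 - protected segment (native VLAN on the trunk)
 encapsulation dot1Q 1 native
 ip address 10.1.1.1 255.255.255.0
 ip access-group FROM-VLAN1 in
 ip access-group TO-VLAN1 out
!
interface FastEthernet0/0.2
 description VLAN2
 encapsulation dot1Q 2
 ip address 10.2.2.1 255.255.255.0
!
interface FastEthernet0/0.3
 description VLAN3
 encapsulation dot1Q 3
 ip address 10.3.3.1 255.255.255.0
!
! Traffic leaving VLAN1 (entering the router on .1) is allowed and each flow
! creates a temporary return entry in the reflexive list VLAN1-SESSIONS.
! The list names are made up for this example.
ip access-list extended FROM-VLAN1
 permit tcp 10.1.1.0 0.0.0.255 any reflect VLAN1-SESSIONS timeout 300
 permit udp 10.1.1.0 0.0.0.255 any reflect VLAN1-SESSIONS timeout 60
 permit icmp 10.1.1.0 0.0.0.255 any reflect VLAN1-SESSIONS timeout 60
 deny ip any any log
!
! Traffic toward VLAN1 (leaving the router on .1) is allowed only when it
! matches a return entry; anything VLAN2/VLAN3 initiate is dropped and logged.
ip access-list extended TO-VLAN1
 evaluate VLAN1-SESSIONS
 deny ip any any log
!
! Switch side (IOS syntax, as in the client-mode example above): access ports
! in VLAN2 and VLAN3, and a dot1Q trunk toward the router. Port numbers assumed.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 3
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport mode trunk
```

After a VLAN1 host opens a connection to VLAN2, `show ip access-lists` on the router lists the temporary entry under VLAN1-SESSIONS and the matching hit counts on FROM-VLAN1 and TO-VLAN1; a connection attempt started from VLAN2 toward 10.1.1.0/24 shows up only as a hit on the `deny ip any any log` line. Two caveats: reflexive entries track single-channel TCP/UDP/ICMP flows, so protocols that open secondary channels (active-mode FTP, for instance) need a dedicated inspection feature rather than this list; and the "unless specifically authenticated" part of the question is not covered here, since that requires a per-user mechanism such as IOS lock-and-key dynamic access lists or an authentication proxy in front of VLAN1. Unmanaged switches and hubs need no extra configuration: every host behind them simply belongs to whichever VLAN the upstream access port is in.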