Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
524
Views
0
Helpful
4
Replies

Problem With VLAN Communication

reagentom
Level 1
Level 1

‎04-11-2005 04:07 AM - edited ‎03-02-2019 10:25 PM

Dear All;

I have Switch Cisco 4006 with Routing blade (4232-L3 blade); Witch configured for 3 VLANs, vlan 2 and 3 is picking ip address from DHCP server connected to VLAN3 I had creat one more VLAN (vlan4) and configured this vlan to pick ip address from same DHCP server by the followin command

1- Set Vlan 4 Port Number

2) On 4232-L3 blade

router(config)#interface GigabitEthernet3.4

router(config-subif)#encapsulation dot1Q 4

router(config-subif)#ip address <172.16.4.1>

router(config-subif)#ip helper-address 172.16.3.6

computer connected to this vlan picking IP from this DHCP server without any problem but the problem is this VLAN can communicate with both other vlans..

Please Help

Labels:
0 Helpful
4 Replies 4

lgijssel
Level 9
Level 9

‎04-11-2005 04:54 AM

The normal behaviour is that all vlans are routed without any restriction. If you want to limit inter-vlan traffic, you should set up an access-list to limit this traffic.

In its simplest form this could be something like:

Building the filter:

access-list 101 permit ip 172.16.4.0 0.0.0.255 host 172.16.3.6

activating it on the ingress interface:

int gi3.4

ip access-group 101 in

This allows ip connectivity only to the dhcp server but over all ip protocols & ports. Should be sufficient to start with, I suppose be able to fine-tune the solution yourself.

Regards,

Leo

0 Helpful

reagentom
Level 1
Level 1
In response to lgijssel

‎04-11-2005 06:41 AM

Dear Leo

Thanks for reply, but I don't have any access list applied in my router before and both vlans 2 and 3 was not communicated but only after I have creat the vlan 4 it's communicate with others

I can't creat access list so I just need to modify the current configuration by adding one more vlan but with the same configuration for vlan 2

attached is my network diagram and show run config for switch and routing blade and pix please take a look and advice how both vlans 2,3 are not communicated and how I can make vlan 4 like vlan 2 not communicate with vlan 3 ,

buut also Please I want to have communication between vlan 2 and 4..

Thanks and best regards

Preview file
34 KB
0 Helpful

reagentom
Level 1
Level 1
In response to reagentom

‎04-11-2005 06:43 AM

show pix configuration

Preview file
4 KB
0 Helpful

lgijssel
Level 9
Level 9
In response to reagentom

‎04-11-2005 11:29 PM

First of all, looking at your router, it becomes clear that you do have ip connectivity between all vlans. You may not know it, but still there is a connection via the router's vlan interfaces gi3.1-4.

You have probably set the gw for clients to the isa server and this explains that there seems to be no connection. I suppose that Internet traffic is required and provided via the ISA servers. (?)

The easiest solution is to take measures to isolate vlan3. From this vlan, you only want to allow the dhcp server to forward packets to the other vlans.

This requires an access-list almost like I suggested:

access-list 103 permit ip host 172.16.3.6 172.16.0.0 0.0.255.255

int gi3.3

ip access-group 103 in

As Internet traffic is handled by the ISA servers, you do not need to enter anything else.

To establish communication between vlan 2 and 4, you should enter static routes in the isa server, I am not an expert at that.

Hope this helps you out. Do not hesitate to ask additional questions.

Regards,

Leo

0 Helpful
Customers Also Viewed These Support Documents