Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
439
Views
0
Helpful
5
Replies

Access List/ Routing Question

BVarwig
Level 1
Level 1

‎01-13-2025 08:31 PM

Host A IP 192.23.21.5 255.255.255.0 gateway 192.23.21.254 VLAN 21

NVR IP 192.23.13.11 255.255.255.0 gateway 192.23.13.254 VLAN 13

Video storage 192.23.200.20 255.255.255.0 gateway 192.23.200.254 VLAN 200

All 3 devices connect directly into C9300 multilayer switch. Host A needs to be able to communicate with both the NVR and the Video storage devices on separate VLANs.

I have VLANs 21, 13, 200 built onto the switch. Each end device is configured with an access port with their associated vlan on the switch.

Don't even know where to begin.

Labels:
0 Helpful
5 Replies 5

Devaa
Spotlight
Spotlight

‎01-13-2025 09:38 PM

Based on your statement above, I have used single ACL to be called in both NVR and Storage VLAN, considering that will have to be secured. If you any other requirements, ACLs have to be modified accordingly. 

vlan 21,13,200
exit

ip routing

int G1/0/1
 description HOST-A
 switchport mode access
 switchport access vlan 21

int G1/0/2
 description NVR
  switchport mode access
 switchport access vlan 13

int G1/0/3
 description VIDEO-STORAGE
  switchport mode access
 switchport access vlan 200

int vlan 13
 ip add 192.23.13.254 255.255.255.0
 no shut

int vlan 21
 ip add 192.23.21.254 255.255.255.0
 no shut

int vlan 200
 ip add 192.23.200.254 255.255.255.0
 no shut

 

Before configuring ACLs, make sure Inter-VLAN routing is working as expected after configuring the VLAN interfaces by pinging NVR and Storage server from HOST-A. 

! From HOST-A: 
ping 192.23.13.11
ping 192.23.200.20

 

Configure ACLs: 

ip access-list extended ACL
 permit ip host 192.23.21.5 host 192.23.200.20
 permit ip host 192.23.21.5 host 192.23.13.11
 ! below lines can be ignored if not required
 deny ip any host 192.23.200.20
 deny ip any host 192.23.13.11
 permit ip any any


int vlan 21
 ip access-group ACL out

int vlan 200
 ip access-group ACL out

 

0 Helpful

BVarwig
Level 1
Level 1
In response to Devaa

‎01-13-2025 10:24 PM

Seems like I'm having an error in the Inter VLAN routing portion. Here is my PT mockup.

IntervlanPractice.zip
0 Helpful

M02@rt37
VIP
VIP
In response to BVarwig

‎01-13-2025 10:53 PM

Hello @BVarwig 

Do you have configured the ip routing command ?

Check that port where endpoints are connected are up/up, SVI too.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Devaa
Spotlight
Spotlight

‎01-13-2025 11:44 PM

@BVarwig Inter VLAN routing works after below changes in your setup. Find attached file with fixed intervlan routing config

In Server: Configure IP part of VLAN 200 subnet

In Switch: Make the server port G1/0/1 part of VLAN 200

IntervlanPractice-2.zip
0 Helpful

M02@rt37
VIP
VIP

‎01-14-2025 12:49 AM

@BVarwig 

AS I said,

SVIO 200 is up/down, so you cannot ping this Gw hosted on C9300

M02rt37_0-1736844457785.png

 

You need an endpoint in that vlan and configure its port in mode access vlan 200.

Also, as a best practice, configure a TRUNK link between C9300 and the NVR1 switch.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful
Customers Also Viewed These Support Documents