If all there networks are in 10.x.x.x

You add the the following two lines to your ACL

access-list 100 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

access-list 100 permit ip any any

Sent from Cisco Technical Support iPad App

Many thanks for the excellent replies.

To be hounest, I prefer it without ACL and I like the solution with SVI ibut I have over 250 hosts in the network, what about the following:

(config)#int vlan 1

(config-if)# ip addr 10.0.8.x  255.255.255.0

(config-if)# ip addr 10.0.11.x  255.255.255.0 secondary

Would this be ok?

Many thanks

Hi Madonamadona,

the answer is NO NO NO. Let's be clear. Few years ago i was hired from an ISP that had over 90 routers working in VLAN 1 exactly with this config:

core router(config)#int vlan 1

core router(config-if)#ip address 1.1.1.1 255.255.255.0

core router(config-if)#ip address 2.2.2.1 255.255.255.0 sec

core router(config-if)#.........................................................

core router(config-if)#ip address 90.90.90.1 255.255.255.0 sec

Now, it was working. Over 8000 users were getting Internet connection complaining sometimes about slow speeds but connecting. In a so flat network, the broadcast traffic grows exponentially and the problems in terms of sessions , traffic management, network management, troubleshooting and so many more factors , will make your life crazy. it is true that the config is really easy and no particular monitoring is required but it's just not a network. when i have completed to route all the ISP above mentioned, the users were getting up to 10 times the speed they could get in the flat configuration and all the monitoring tools started to make graphs that made sense.

Barnesp gave you the solution with his last post. Inter-vlan routing and eventually, should you need in the future, ACL or Policy based routing.

Hope convincing you

Alessio

PS: if you do not want to avoid this solution for technical reasons, do it to avoid to argue with your partner!! I still remember that my girlfriend wanted to kill me when i had to wake up at 4am and fixing some crazy loop in that infrastructure

Secondary addresses is really something you could use during transition, but it could cause a lot confusion in the future. To avoid adding a static route on all hosts, you could make the SVI be the default gateway and then add routes static or dynamic which would redirect traffic to the correct gateway. This show work by default assuming you haven't disabled ICMP redirects on the interfaces.

Sent from Cisco Technical Support iPad App

Many thanks for all your help, it's really excellent.

I believe, I am going to use the SVI option. Now my quistion is :

I've got allraedy both Vlans created (and other 113 Vlans):

10.0.8.3  255.255.255.0  and

10.0.11.3  255.255.255.0

What's the next stip? Because if I enter ip route it will route between all Vlans which I don't want to (I need to route only between both vlans above.

And, how can I  add static routes on the Pc's to point them at the SVI within each VLAN.

Many thanks

Hi Madonamadona,

if you do not want to route the other vlans just do not create any SVI for the layer 2 vlans or do not set any ip address below the SVI. If you instead want to locally route them just write :

ip access-list 101 permit ip 10.0.8.0 255.255.255.0 any

ip access-list 101 permit ip 10.0.11.3 255.255.255.0 any

ip access-list 101 deny any any

and on the uplink you will

interface type x/y

ip access-group 101 out

Hope this answers

Alessio

So I assume you have created the VLANs at L2 only?  In other words you have used a command like vlan x  where x is the VLAN number. SVIs are created using the int vlan x command - I assume you are going to to this twice - for VLAN 1 and 2.  In this case when you enable ip routing you will only route traffic between these connected interfaces i.e. where there is an SVI.

I'm assuming that these VLANs have a default gateway - if so add the following command route -p add 10.0.11.0 mask 255.255.255.0 10.0.8.3 for the first VLAN and route -p add 10.0.8.0 mask 255.255.255.0 10.0.11.3 for the second.  Note this is for Microsoft clients only.

Hi all,

Many thanks for your help, I am going to give it a try today (creating SVI). My last question is:

Do I have to create both vlans on each switch (I've 20 cabinets with 2 cisco switches in each / 2950 and 3500), or should I create them in the core swiches (ws-c3750G -12S) ?

Many thanks

From a L2 perspective the VLAN needs to created on each switch - this may be handled by VTP if it is enabled.

You would create the SVIs on the device that is capable of the L3 switching in this case the 3750.  You will find that the 2950 can't do L3 switching and 3500 series may or may no support it depending on the model.

Don't forget to rate helpful posts!

Message was edited by: PATRICK BARNES