L3 switch should not route one VLAN

dagobert666
Level 1

Hello World,

maybe someone can help me with my problem:

we have a central SG350X that should route through 3 of 4 VLANs:
50 (switch) management
60 main LAN
70 department 1
80 department 2
The switch should route through 60, 70 and 80 but not to 50. Because VLAN 50 is for management, the switch must also have an IP in it. So it's locally connected and then it's routable.
It seems there is no way to deactivate this route. Isn't it?

If not, the idea is to use an ACL. But the admins should have access through a security router from the main VLAN to the management VLAN. So the ACL can't deny the main subnet.

How would you do that?

Many thanks

luis_cordova
VIP Alumni

Hi @dagobert666 

 

You can configure an ACL that allows only specific IPs or a specific range.
That ACL can be applied on the VTY lines, so only allowed users can access.

 

Regards

The original poster is correct that there is not a way to route for 3 of the VLANs but not route for the fourth VLAN. There are several alternatives to consider. If they are interested in controlling access to the switch for telnet or SSH it could be achieved by using access-class applied to the vty lines to specify an ACL which would restrict what IP addresses or subnets are permitted to access the switch. If other types of access are involved (perhaps SNMP or ping or something else) then an access list applied to all the interfaces could permit the appropriate addresses/subnets to access switch IP addresses, deny any other access to switch IP addresses, and permit other traffic.

 

HTH

 

Rick


Deepak Kumar
VIP Alumni

Hi,

There is no direct way to exclude this management interface from routing in the SG series switches, but you can use an access list to prevent HTTP/HTTPS/SSH/Telnet/SNMP access from any other VLAN, as you can apply an access list under the VTY, HTTP server, etc.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
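One concrete way to apply the management-plane restriction that Rick and Deepak describe, written here as an added example that is not taken from any of the posts: an SG350X management access-list that keys on the ingress VLAN, so the main-LAN subnet is admitted only when it arrives on VLAN 50 via the security router and is denied when it hits the switch directly on VLAN 60. The subnets (10.0.50.0/24 and 10.0.60.0/24), the access-list name and the assumption that the router does not NAT are all mine for this thread's scenario, and the command syntax follows the SG350X "management access-list" CLI; check it against your firmware's CLI guide before pasting.

```cisco
! Added example (not from the thread). Assumed addressing:
!   VLAN 50 (management) 10.0.50.0/24, switch SVI in it
!   VLAN 60 (main LAN)   10.0.60.0/24, admins reach VLAN 50 via a router
! A management access-list only filters sessions aimed at the switch's own
! IPs (telnet/ssh/http/https/snmp); transit routing for 60/70/80 is unchanged
! and ICMP to the SVIs is not covered (that needs an interface ACL, as Rick says).
configure terminal
!
management access-list MGMT-ACCESS
 ! Hosts on the management VLAN itself may use every management service
 permit vlan 50 ip-source 10.0.50.0 mask 255.255.255.0 service all
 ! Main-LAN admins are accepted only when their packets enter on VLAN 50,
 ! i.e. after passing the security router (assumes no NAT on that router;
 ! with NAT, permit the router's VLAN 50 address with mask 255.255.255.255)
 permit vlan 50 ip-source 10.0.60.0 mask 255.255.255.0 service ssh
 permit vlan 50 ip-source 10.0.60.0 mask 255.255.255.0 service https
 ! The same subnet arriving directly on VLAN 60, plus VLANs 70 and 80,
 ! fall through to the implicit deny of an active management access-list
exit
!
! Activate it. One permit above must cover the session you are typing from,
! otherwise the only way back in is the console.
management access-class MGMT-ACCESS
end
!
! Verify the rules and which list is active
show management access-list
show management access-class
```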