03-07-2010 01:26 AM - edited 03-04-2019 07:44 AM
Hi,
I am not able to make this work. All traffic from VLAN 75 should be routed to the Internet via AP#5.
VLAN 75 should not communicate with the other VLANs on the network. VLAN 75 should be propagated to all connected user switches so the VLAN can be assigned on wired ports. Users on VLAN 75 should get their IP address from AP#5.
AP#5 is connected to the 4506 on port fa 0/10.
## Configuration on 4506
! SVI addresses are host addresses (.1); the posted config used the network
! address (.0), which IOS rejects with "Bad mask" for the interface.
vlan 10
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
vlan 11
!
interface Vlan11
 ip address 192.168.2.1 255.255.255.0
!
vlan 12
!
interface Vlan12
 ip address 10.10.10.1 255.255.254.0
!
vlan 13
!
interface Vlan13
 ip address 10.10.20.1 255.255.254.0
!
! define L2 vlan 75 only: no SVI, so the 4506 does not route for it
! (vlan configuration mode uses "name", not "description")
vlan 75
 name Vlan75
!
interface fa 0/10
 switchport mode access
 switchport access vlan 75
!
! "network" statements require an area; area 0 is assumed here
router ospf 5
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 10.10.10.0 0.0.1.255 area 0
 network 10.10.20.0 0.0.1.255 area 0
## configuration on 2960
interface fa 0/1
 switchport mode access
 switchport access vlan 75
!
interface fa 0/2
 switchport mode access
 switchport access vlan 75
!
interface giga 1/0
! "switchport trunk encapsulation dot1q" is only accepted on platforms that also
! support ISL (for example the 4506 end of this trunk); a 2960 is dot1q-only and
! rejects the command. Where it applies, it must precede "switchport mode trunk".
 switchport trunk encapsulation dot1q
 switchport mode trunk
When I created an L3 interface for VLAN 75, it can communicate with the other VLANs, which I don't want.
Any help?
03-07-2010 02:00 AM
Hello Nasr,
>> When I created an L3 interface for VLAN 75, it can communicate with the other VLANs, which I don't want.
If you don't want devices in the broadcast domain of VLAN 75 to communicate with other VLANs, you simply don't need to configure the L3 object, the SVI Vlan75.
If you want the switch to have an IP address in order to test whether AP#5 is working, you can take advantage of the VRF-lite concept:
ip vrf Guest
 rd 100:110
! route-targets only matter for MPLS VPN; harmless but unnecessary for VRF-lite
 route-target both 100:110
!
interface Vlan75
! enter "ip vrf forwarding" before the address: IOS removes any address already on the SVI
 ip vrf forwarding Guest
 ip address dhcp
 no shutdown
You can then check IP connectivity using
ping vrf Guest <destination-address>
The VRF provides total isolation from the other SVI interfaces, which are part of the global routing table.
Hope to help
Giuseppe
03-07-2010 04:50 AM
IP reachability is working, thank you sir.
Is it a must to use VRF?
03-07-2010 06:32 AM
Hello Nasr,
>> Is it a must to use VRF?
It can also be done with IP ACLs applied on the SVI, but the VRF is a more elegant solution and ensures isolation over time.
If an ACL is used and it is modified by mistake, communication with the other VLANs can be permitted.
If you use a VRF, a specific configuration is needed to allow communication with the global routing table; for this reason using a VRF is safer.
Hope to help
Giuseppe
03-07-2010 10:48 PM
Thanks, I will start with VRF.
For the ACL, is this all that is needed? I tested it in the lab but it doesn't work.
ip access-list extended W-ACL
 deny ip any 192.168.1.0 0.0.0.255
 deny ip any 192.168.2.0 0.0.0.255
 deny ip any 192.168.3.0 0.0.0.255
! vlans 12 and 13 are /23 networks on the 4506, so the wildcard is 0.0.1.255, not 0.0.0.255
 deny ip any 10.10.10.0 0.0.1.255
 deny ip any 10.10.20.0 0.0.1.255
 permit ip any any
!
interface Vlan75
 description W_VLAN
 ip address 192.168.212.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
! the ACL must be applied on Vlan75 itself; the posted config applied it to
! interface vlan30, which leaves Vlan75 completely unfiltered
 ip access-group W-ACL in
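The two alternatives discussed in this thread side by side, as an added example that is not part of any post above: VRF-lite isolation of VLAN 75 on the 4506 (Giuseppe's recommendation), and the ACL form with the access-group on the right interface and in both directions. The AP#5 port name FastEthernet2/10, the VRF name Guest, the guest subnet 192.168.212.0/29 and the AP#5 address 192.168.212.6 are assumptions; the internal subnets are the ones in the posted 4506 config. The two options are alternatives, not to be applied together.

```ios
! --- Option A: VRF-lite ---
! AP#5 port name, VRF name and addresses are assumptions for this example.
ip vrf Guest
 rd 100:110
!
vlan 75
 name Guest-Wireless
!
interface FastEthernet2/10
 description AP#5, default gateway and DHCP server for VLAN 75
 switchport mode access
 switchport access vlan 75
!
interface Vlan75
 description Guest VLAN, isolated in VRF Guest
! "ip vrf forwarding" first: entering it removes any address already on the SVI
 ip vrf forwarding Guest
 ip address dhcp
 no shutdown
!
! Verification (exec mode): the guest prefix must appear in the VRF table only
!   show ip route vrf Guest
!   show ip route 192.168.212.0
!   ping vrf Guest 192.168.212.6
!
! --- Option B: global table plus ACLs (works, but one wrong edit re-opens the path) ---
ip access-list extended GUEST-IN
 remark packets from VLAN 75 must not reach the internal vlans; Internet traffic passes
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 192.168.2.0 0.0.0.255
 deny   ip any 10.10.10.0 0.0.1.255
 deny   ip any 10.10.20.0 0.0.1.255
 permit ip any any
!
ip access-list extended GUEST-OUT
 remark an inbound ACL only filters packets sourced in VLAN 75; this one stops
 remark internal hosts initiating towards the guest subnet through the 4506
 deny   ip 192.168.1.0 0.0.0.255 any
 deny   ip 192.168.2.0 0.0.0.255 any
 deny   ip 10.10.10.0 0.0.1.255 any
 deny   ip 10.10.20.0 0.0.1.255 any
 permit ip any any
!
interface Vlan75
 description Guest VLAN, global table, filtered both ways
 ip address 192.168.212.1 255.255.255.248
 ip access-group GUEST-IN in
 ip access-group GUEST-OUT out
!
! Verification: the deny counters should increment during a test from VLAN 75
!   show ip access-lists GUEST-IN
!   show ip access-lists GUEST-OUT
```

In Option A the SVI exists only so the 4506 can ping AP#5; the guest hosts' real gateway is AP#5, and because 192.168.212.0/29 never enters the global table, no other VLAN has a route to it and there is nothing to filter. In Option B the isolation is only as good as the two ACLs: the "in" list alone leaves internal hosts free to open connections to guest hosts through the 4506 (only the replies would be dropped), which is why the "out" list is there, and removing either list by mistake silently restores full connectivity, which is Giuseppe's argument for the VRF.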