SG500 Layer 3 - VLANs can see each others devices Vlan9 <--> Vlan13

bl-dubai-uae
Level 1

Hi all!

I guess I am missing something simple here:

Basic setup: Two SG500 stacked switches in layer 3 mode which should do the routing. Lancom WLC with Internet access IPOE attached as trunk.

As far as I understand, I should not be able to see Vlan13 devices from Vlan9. But unfortunately I do.

Any help is highly appreciated. THANKS!!!

 

config-file-header
switch0908fa
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router queues-mode 4

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 9-46,91-99
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp server
ip dhcp pool network P_1
address low 192.168.0.10 high 192.168.0.254 255.255.255.0
lease infinite
dns-server 94.200.200.200
exit
ip dhcp pool network P_9
address low 192.168.9.10 high 192.168.9.254 255.255.255.0
lease infinite
dns-server 94.200.200.200
exit
ip dhcp pool network P_13
address low 192.168.13.20 high 192.168.13.254 255.255.255.0
lease infinite
dns-server 94.200.200.200
exit
no boot host auto-config
bonjour interface range vlan 1
hostname switch0908fa
no passwords complexity enable
username cisco password encrypted 7af78c911d5b48bea1dc2449d9d89513abeb4be5 privilege 15
ip name-server  192.168.0.5
ip domain polling-interval 18
no service cpu-utilization
!
interface vlan 1
 ip address 192.168.0.1 255.255.255.0
 no ip address dhcp
!
interface vlan 9
 name V_9
 ip address 192.168.9.1 255.255.255.0
!
interface vlan 10
 name V_10
!
interface vlan 11
 name V_11
!
interface vlan 12
 name V_12
!
interface vlan 13
 name V_13
 ip address 192.168.13.1 255.255.255.0
!
interface vlan 14
 name V_14
!
interface vlan 15
 name V_15
!
interface vlan 16
 name V_16
!
interface vlan 17
 name V_17
!
interface vlan 18
 name V_18
!
interface vlan 19
 name V_19
!
interface vlan 20
 name V_20
!
interface vlan 21
 name V_21
!
interface vlan 22
 name V_22
!
interface vlan 23
 name V_23
!
interface vlan 24
 name V_24
!
interface vlan 25
 name V_25
!
interface vlan 26
 name V_26
!
interface vlan 27
 name V_27
!
interface vlan 28
 name V_28
!
interface vlan 29
 name V_29
!
interface vlan 30
 name V_30
!
interface vlan 31
 name V_31
!
interface vlan 32
 name V_32
!
interface vlan 33
 name V_33
!
interface vlan 34
 name V_34
!
interface vlan 35
 name V_35
!
interface vlan 36
 name V_36
!
interface vlan 37
 name V_37
!
interface vlan 38
 name V_38
!
interface vlan 39
 name V_39
!
interface vlan 40
 name V_40
!
interface vlan 41
 name V_41
 ip address 192.168.41.1 255.255.255.0
!
interface vlan 42
 name V_42
!
interface vlan 43
 name V_43
!
interface vlan 44
 name V_44
!
interface vlan 45
 name V_45
!
interface vlan 46
 name V_46
!
interface vlan 91
 name V_91
!
interface vlan 92
 name V_92
!
interface vlan 93
 name V_93
!
interface vlan 94
 name V_94
!
interface vlan 95
 name V_95
!
interface vlan 96
 name V_96
!
interface vlan 97
 name V_97
!
interface vlan 98
 name V_98
!
interface vlan 99
 name V_99
!
interface gigabitethernet1/1/1
 switchport mode access
!
interface gigabitethernet1/1/2
 switchport mode access
!
interface gigabitethernet1/1/3
 switchport mode access
!
interface gigabitethernet1/1/4
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/5
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/6
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/7
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/8
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/9
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/10
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/11
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/12
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/13
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/14
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/15
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/16
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/17
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/18
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/19
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/20
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/21
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/22
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/23
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/24
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/25
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/26
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/27
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/28
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/29
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/30
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/31
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/32
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/33
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/34
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/35
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/36
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/37
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/38
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/39
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/40
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/41
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/42
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/43
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/44
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/45
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/46
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/47
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/48
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/49
 switchport mode access
!
interface gigabitethernet1/1/50
 switchport mode access
!
interface gigabitethernet1/1/51
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet1/1/52
 switchport mode access
 switchport access vlan 9
!
interface gigabitethernet2/1/1
 switchport mode access
!
interface gigabitethernet2/1/2
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet2/1/3
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet2/1/4
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet2/1/5
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet2/1/6
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet2/1/7
 switchport mode access
 switchport access vlan 13
!
interface gigabitethernet2/1/8
 switchport mode access
!
interface gigabitethernet2/1/9
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/10
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/11
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/12
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/13
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/14
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/15
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/16
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/17
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/18
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/19
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/20
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/21
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/22
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/23
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/24
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/25
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/26
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/27
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/28
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/29
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/30
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/31
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/32
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/33
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/34
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/35
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/36
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/37
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/38
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/39
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/40
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/41
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/42
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/43
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/44
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/45
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/46
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/47
 switchport mode access
 switchport access vlan 41
!
interface gigabitethernet2/1/48
 switchport mode access
!
interface gigabitethernet2/1/51
 switchport mode access
!
interface gigabitethernet2/1/52
 switchport mode access
!
exit
ip route 0.0.0.0 /0 192.168.0.5 metric 2
encrypted ip ssh-client key rsa key-pair
.

 

1 Accepted Solution

Tom Watts
VIP Alumni

The reason the VLAN intercommunicates is because you have an IP address on the VLAN interface which will dynamically build a route on the switch.

As indicated below, if you want VLAN 9 to not see 13 or vice versa, an ACL would be required on the VLAN interface.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

4 Replies

mohameddz
Level 1

Hi,

I think that's normal because you're using a layer 3 switch, which means that you're using router-on-a-stick. If you want no connection between your VLANs you have to use ACLs.

have a nice day ;)

Thanks for that quick answer! Is there a programming pattern for each VLAN? Finally I will need 50 VLANs being set up.

Network printer on VLAN 1, so that should be accessible from all Vlans!?

APs and WLC are connected on trunk ports.

Thanks again. Tom please see your email.

Hi BL, the switch will locally route the VLAN so long as it has an IP address on the VLAN interface. Inter-VLAN communication happens at the IP level. A VLAN in nature is incapable of communicating to any other VLAN. The packet contains the VLAN ID and only packets with the same VLAN ID are permitted into this broadcast domain. When an IP address (layer 3) becomes involved, it is able to route the traffic based off the route table.

 

If you have a printer in VLAN 1 and require 50 VLANs to see this but you require the printer to be on a layer 2 VLAN, the printer would need a routed interface (default gateway) where it sends replies to the requests. Otherwise, only devices on the same subnet will communicate to this printer.

 

As for DHCP, this switch only supports 8 DHCP pools. If you require more, I'd recommend using something like Windows Server or Unix Server to get the desired result if you do not wish to purchase different network equipment that can handle so many DHCP pools.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
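
Added example (not part of the original thread and not Cisco code): a small audit script that reads a configuration in the format posted above, finds every VLAN interface that carries an IP address and is therefore routed by the switch, and lists the VLAN pairs that can reach each other with no ACL bound to either interface. The sample configuration is a constructed excerpt; the ACL name ISOLATE_41 and the assumption that an ACL is bound with "service-acl input" under the VLAN interface are illustrative.

```python
import ipaddress
import itertools
import re

# Constructed excerpt in the format of the config posted in this thread.
# ISOLATE_41 is a hypothetical ACL name added to show the filtered case.
SAMPLE_CONFIG = """\
interface vlan 1
 ip address 192.168.0.1 255.255.255.0
 no ip address dhcp
!
interface vlan 9
 ip address 192.168.9.1 255.255.255.0
!
interface vlan 10
 name V_10
!
interface vlan 13
 ip address 192.168.13.1 255.255.255.0
!
interface vlan 41
 ip address 192.168.41.1 255.255.255.0
 service-acl input ISOLATE_41
!
"""

def routed_vlans(config):
    """Map VLAN id -> {"net", "acl"} for VLAN interfaces that have an IP address."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface vlan (\d+)", line)
        if m:
            current = blocks.setdefault(int(m.group(1)), {"net": None, "acl": None})
        elif line == "!" or line.startswith("interface "):
            current = None  # end of block, or a non-VLAN interface
        elif current is not None:
            ip = re.fullmatch(r"ip address (\S+) (\S+)", line)  # skips "no ip address dhcp"
            acl = re.fullmatch(r"service-acl input (\S+).*", line)
            if ip:
                iface = ipaddress.ip_interface(f"{ip.group(1)}/{ip.group(2)}")
                current["net"] = iface.network
            elif acl:
                current["acl"] = acl.group(1)
    return {vid: b for vid, b in blocks.items() if b["net"] is not None}

def unfiltered_pairs(config):
    """VLAN pairs routed by the switch where neither interface has an ACL bound.
    Only the presence of an ACL is checked, not what its rules permit."""
    open_vlans = sorted(v for v, b in routed_vlans(config).items() if b["acl"] is None)
    return list(itertools.combinations(open_vlans, 2))
```

On the constructed excerpt this reports VLAN 1, 9 and 13 as mutually reachable, while VLAN 10 (no IP address) and VLAN 41 (ACL bound) are left out.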