InterVLAN routing for SG500-28

reginachh
Level 1

Hi,

I would like to communicate between VLANs, with some access control. I would like gi1/1/2 to be able to communicate with gi1/1/14 but not gi1/1/13.

Some background information:

VLAN 200

gi1/1/1 -> computer

gi1/1/2-> NTP

VLAN 300

gi1/1/13 -> computer

gi1/1/14 -> computer

I have tried trunk/GVRP/ACL/ip route, but to no avail.

Any suggestions to get this working?

Thanks.

Gina

5 Replies

jonatrod
Level 7

Good morning

Thanks for using our forum

Hi Regina, my name is Johnnatan and I am part of the Small Business Support community.

Let me see if I understand what you want to do,

You want communication between ports gi1/1/2 and gi1/1/14, and to isolate gi1/1/13. If you want to do this, your VLAN configuration has to look like this (this is an example):

Ports:

gi1/1/1 ->  vlan 200 = untagged

gi1/1/2 ->  vlan 200 = untagged

gi1/1/14 -> vlan 200 = untagged

gi1/1/13 -> vlan 300 = untagged

I'll share with you some documents about how to configure it. Also, your switch has to be in Layer 2 mode.

http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=4&app=search&vw=1&articleid=2629

I hope you find this answer useful. If it was satisfactory for you, please mark the question as Answered.

Please rate posts you consider useful.

Greetings,

Johnnatan Rodriguez Miranda.

Cisco network support engineer.

Cisco has a very useful tool called GuideMe. It is made for small business products, and your device is in this category. You can use this address to access the tool: http://sbkb.cisco.com/CiscoSB/Loginr.aspx?alt1=&pid=4&eroute=Super . It is very easy to use; just complete the 3 fields in this way:

Select a category: (Select the device type on request), e.g. Routers

Enter model: (Type the model on request), e.g. RV042

Question: (Type what  you want to know  about the device), e.g. VPN

And it will show you all the information you need about what you wrote.

“Please rate useful posts so other users can benefit from it” Greetings, Johnnatan Rodriguez Miranda. Cisco Network Support Engineer.

Tom Watts
VIP Alumni

Hi Regina, in order to have intervlan communication, the switch must have an SVI (an IP address on the VLAN interface). The switch must be in layer 3 mode to have an SVI. If the switch is in layer 2 mode, the router handles the intervlan request, as VLANs can't communicate with one another without a layer 3 device.

To limit traffic, the switch supports ingress ACLs only. In a layer 2 environment, applying an ACL to the port which connects to the router would be enough to filter traffic between VLANs. In layer 3, you would have to apply an ACL on the ingress port of the requestor. Keep in mind, an ACL has an explicit deny-all (invisible) at the end of every ACL, so you must have a permit any any statement.

The important question is this: what does your network look like? Do you have only the switch? Or do you have an entire network with a gateway router, and what is the capability of the router?

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hi Tom,

Thank you for your response.

I have configured the device (SG500) to be in layer 3, router mode. Please correct me if I am wrong; I thought the device is a switch + router. I have the SG500 connected directly to my NTP (gi1/1/2) and the computers (gi1/1/1, gi1/1/14 and gi1/1/13). I do not have any additional router besides the SG500.

vlan 200 - ip 192.168.88.1 255.255.255.0

gi1/1/1 -> computer - 192.168.88.3

gi1/1/2-> NTP - 192.168.88.141

vlan 500 - ip 192.168.89.1 255.255.255.0

gi1/1/13 -> computer - 192.168.89.2

gi1/1/14 -> computer - 192.168.89.3

I was able to allow communication between the VLANs when I enabled 'ip routing'. However, this allows all the devices on the different VLANs to communicate, without access control. I tried disabling ip routing and applying an ACL on gi1/1/14 (the requestor), but was still unable to ping.

I have tried ip route, ACL, GVRP and trunk, but it still didn't quite work.

Would you mind providing me with the CLI configuration, just in case I got mine wrong in any way?

Thanks

-Gina

Hi Regina, you need to have ip routing enabled for intervlan communication. In addition, with ip routing toggled on, you must apply an access list to the interface.

As an example:

gi1/1/1 is 192.168.88.3

gi1/1/2 is 192.168.88.141

gi1/1/13 is 192.168.89.2  <- Let's say this address needs access to 192.168.88.141 but no other access to the 192.168.88.0 network.

For this scenario, you would need to create an access list. The access list would look something like this:

ip access-list extended test
 permit ip 192.168.89.2 0.0.0.0 192.168.88.141 0.0.0.0
 deny ip 192.168.89.0 0.0.0.255 192.168.88.0 0.0.0.255
 permit ip any any
exit

interface gigabitethernet1/1/13
 service-acl input test
exit

This switch uses ingress access lists only, meaning that it will only filter or block traffic inbound to the port. With this access list, your 192.168.89.2 will access 192.168.88.141, but any other request into the 192.168.88.0 network should be dropped.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
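The following is an added example, not code from the thread or from Cisco: a small Python model of how the SG500 evaluates Tom's ACL, written to illustrate the two points made in his replies above, that the switch filters on the ingress port only and that an ACL ends in a deny that drops anything not explicitly permitted. It assumes standard Cisco ACL semantics (first matching entry wins, wildcard masks where a 1 bit means "don't care", `any` equal to `0.0.0.0 255.255.255.255`) and uses the addresses and port assignments Regina posted; the port-to-host map and the `session_ok` helper are constructed here for the illustration.

```python
"""Model of ingress-only ACL evaluation on the SG500 (added example, not Cisco code).

Assumed semantics: first match wins, implicit deny when nothing matches,
Cisco wildcard masks (1 bit = don't care), ACL consulted only on the port
the packet enters. Addresses are the ones from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: bits set to 1 in the mask are ignored (0.0.0.0 = exact host)."""
    wc = _ip(wildcard)
    return (_ip(addr) | wc) == (_ip(base) | wc)


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny ip <src> <wc>|any <dst> <wc>|any' lines as typed on the SG500.

    Lines that are not ACEs (e.g. 'ip access-list extended test') are skipped.
    """
    def take(toks):
        if toks[0] == "any":
            return "0.0.0.0", "255.255.255.255", toks[1:]
        return toks[0], toks[1], toks[2:]

    aces: List[Ace] = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] not in ("permit", "deny") or toks[1] != "ip":
            continue
        src, src_wc, rest = take(toks[2:])
        dst, dst_wc, rest = take(rest)
        if rest:
            raise ValueError(f"unsupported ACE: {line}")
        aces.append(Ace(toks[0], src, src_wc, dst, dst_wc))
    return aces


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching ACE). No match -> ('deny', None): the implicit deny."""
    for i, ace in enumerate(acl):
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, i
    return "deny", None


def forward(bindings: Dict[str, List[Ace]], ingress_port: str, src: str, dst: str) -> str:
    """Ingress-only filtering: only the ACL bound to the port the packet ENTERS on is consulted."""
    acl = bindings.get(ingress_port)
    return "permit" if acl is None else evaluate(acl, src, dst)[0]


def session_ok(bindings: Dict[str, List[Ace]], hosts: Dict[str, str], a: str, b: str) -> bool:
    """Stateless check: a's request to b AND b's reply to a must both be permitted."""
    return (forward(bindings, hosts[a], a, b) == "permit"
            and forward(bindings, hosts[b], b, a) == "permit")


# Constructed from the thread: host address -> switch port it is plugged into.
HOSTS = {
    "192.168.88.3": "gi1/1/1",     # computer, VLAN 200
    "192.168.88.141": "gi1/1/2",   # NTP, VLAN 200
    "192.168.89.2": "gi1/1/13",    # computer, VLAN 500
    "192.168.89.3": "gi1/1/14",    # computer, VLAN 500
}

TOM_ACL = """
ip access-list extended test
permit ip 192.168.89.2 0.0.0.0 192.168.88.141 0.0.0.0
deny ip 192.168.89.0 0.0.0.255 192.168.88.0 0.0.0.255
permit ip any any
"""
# Same ACL with the trailing 'permit ip any any' forgotten.
ACL_NO_PERMIT_ANY = "\n".join(TOM_ACL.strip().splitlines()[:-1])

# 'service-acl input test' on gi1/1/13 and nowhere else.
BINDINGS = {"gi1/1/13": parse_acl(TOM_ACL)}

if __name__ == "__main__":
    acl = BINDINGS["gi1/1/13"]
    print("89.2 -> 88.141 (NTP):", evaluate(acl, "192.168.89.2", "192.168.88.141"))
    print("89.2 -> 88.3:        ", evaluate(acl, "192.168.89.2", "192.168.88.3"))
    print("89.2 -> 89.3:        ", evaluate(acl, "192.168.89.2", "192.168.89.3"))
    print("89.2 -> 89.3, no permit any any:", evaluate(parse_acl(ACL_NO_PERMIT_ANY), "192.168.89.2", "192.168.89.3"))
    print("88.3 -> 89.2 entering gi1/1/1:  ", forward(BINDINGS, "gi1/1/1", "192.168.88.3", "192.168.89.2"))
    print("88.3 <-> 89.2 session works:    ", session_ok(BINDINGS, HOSTS, "192.168.88.3", "192.168.89.2"))
```

Two things the model makes visible that the config alone does not. First, dropping the final `permit ip any any` turns the ACL into a deny of everything from gi1/1/13, including traffic to its own VLAN, which is the trap Tom warns about. Second, because the ACL sits only on the ingress of gi1/1/13, a packet from 192.168.88.3 to 192.168.89.2 entering gi1/1/1 is not inspected at all; the reply from 192.168.89.2 is then dropped on the way back in, so a TCP session or a ping started from the .88 side still fails, but one-way traffic into 192.168.89.2 (a UDP stream, for instance) is not blocked. If that direction matters, bind a matching ACL on the ingress of the .88 ports as well.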

Thanks Tom. I managed to get it working.