10-26-2011 09:33 AM - edited 03-07-2019 03:04 AM
Well, I hate posting dumb questions, but I always get good help from here, so here I go again. I have a series of 3560s (one of which is the "main" switch that handles VTP) that are fibered together to run a development and test network here at my organization. I have 8 VLANs set up on them, each with a corresponding 192.168.x.x IP address (i.e. VLAN 1 is 192.168.1.x, VLAN 2 is 192.168.2.x, etc.). All of my servers are on VLAN 1 and have static addresses. I need VLAN 1 to be able to communicate with anyone on the network regardless of their VLAN. Currently the main switch is doing layer three routing, so every VLAN can see every other VLAN. I need to be able to break them off into the following breakdown: VLAN 1 sees all and all can see VLAN 1, VLANs 2-4 can talk to each other and VLAN 1, then everything else can only communicate with itself and VLAN 1. I don't know if I have the equipment to support this just using the 3560s or not, but I can't seem to find a place to start trying to figure it out. If someone could point me in the right direction I certainly don't mind digging for more info, I just can't find a starting point.
10-26-2011 09:45 AM
Rory
VLAN 2 ACL:
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
int vlan 2
ip access-group 102 in
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
int vlan 3
ip access-group 103 in
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
int vlan 4
ip access-group 104 in
Then for the other VLANs simply use a new ACL per VLAN with just the one line as below and apply it to the relevant VLAN interface:
access-list 105 permit ip 192.168.
Jon
10-26-2011 10:06 AM
Jon, I just apply this on the VTP server switch, correct? Or do I need to make the lists on each sub-switch as well?
10-26-2011 10:17 AM
Rory
You apply them to the L3 VLAN interfaces for each VLAN, so whichever switch that is, i.e. it should be only the switch that is responsible for routing between the VLANs. It has nothing to do with VTP.
Reading your post again, it looks like it is the "main" switch that is doing the inter-VLAN routing, so apply them there.
Jon
10-26-2011 10:21 AM
You are correct, my "main" switch does all the layer 3 switching. I will get them applied, and thank you so much for answering this for me. I am sure this seems trivial, but I have been banging my head on the wall all morning.
10-26-2011 10:56 AM
Well Jon, I tried that and it seemed to break network connectivity between VLANs. My DHCP server is on the .1 VLAN and I was testing with computers on the .3 VLAN. When I applied the access-list that you gave me I was no longer able to get DHCP addresses. I copied a snippet of the sh run for you; hopefully that will help to identify my error. You'll notice some of the VLAN numbers are a little different than what my original post was, I just used that for ease of explanation.
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
ip helper-address 192.168.1.8
ip helper-address 192.168.1.78
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip helper-address 192.168.1.8
ip helper-address 192.168.1.78
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.8
ip helper-address 192.168.1.78
!
interface Vlan6
ip address 192.168.1.254 255.255.255.0
!
interface Vlan7
ip address 192.168.7.1 255.255.255.0
ip helper-address 192.168.1.8
ip helper-address 192.168.1.78
!
interface Vlan8
ip address 192.168.8.1 255.255.255.0
ip helper-address 192.168.1.8
ip helper-address 192.168.1.78
!
interface Vlan9
ip address 192.168.6.1 255.255.255.0
ip helper-address 192.168.1.8
!
interface Vlan20
no ip address
!
!
router eigrp 563
redistribute static
no eigrp log-neighbor-changes
!
ip default-gateway 192.168.1.254
ip http server
no ip http secure-server
!
!
!
logging esm config
access-list 1 permit 192.168.1.8
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
line con 0
logging synchronous
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
end
10-26-2011 03:13 PM
Hi Rory,
I believe the problem is that your access-lists come into effect only after the devices have got an IP address. However, for the DHCP server to give out addresses, it needs to get the bootps from the machines, which is currently getting dropped because the current ACL doesn't allow it.
Please add this to your ACL and then it should all work. Let me know how you go.
access-list 103 permit udp any host 255.255.255.255 eq bootps
access-list 103 permit udp any 192.168.1.0 0.0.0.255 eq bootps
HTH
Regards,
Kishore