07-14-2010 08:44 AM - edited 03-06-2019 12:01 PM
We are not sure what is going on here. Ultimately I may have to post the config for you to give me an answer. We have a Cisco 4948 and are able to communicate between two networks/two VLANs (172.17.x.x and 192.168.x.x) on our 4948. We do not have inter-VLAN routing enabled. Is there something simple I should check within the config that would cause this?
Thanks,
Charlie.
07-14-2010 08:48 AM
Hello,
Do you have any other layer 3 device in the network? What are the default gateways of these two subnets? You might want to check the default gateway device to see if it is doing the routing. If the default gateway is 4948 itself, then issue a "show ip route" to see if the routing is enabled.
Hope this helps.
Regards,
NT
07-14-2010 10:21 AM
NT,
Below is the core config of our 4948. I omitted the header config, footer config and the interface configs in the interest of time. What is happening is our workstations are on the 172.x.x.x network and they are able to view a web management interface from devices on our 192.168.41.0 VLAN network. We don't want this to happen. I see in the IP DHCP POOL config that the DNS server is the same; could this be providing the 172 VLAN access to the 192.168.41.x VLAN?
Thank you,
Charlie
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
cef table consistency-check IPv4 error-message
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
no ip domain-lookup
ip dhcp excluded-address 172.17.20.0 172.17.20.199
ip dhcp excluded-address 172.17.20.251 172.17.20.255
ip dhcp excluded-address 192.168.41.0 192.168.41.199
ip dhcp excluded-address 192.168.41.251 192.168.41.255
!
ip dhcp pool ALPHA_NETWORK
network 172.17.20.0 255.255.255.0
default-router 172.17.20.46
dns-server 172.17.20.43
!
ip dhcp pool BRAVO_NETWORK
network 192.168.41.0 255.255.255.0
default-router 192.168.41.254
dns-server 172.17.20.43
!
!
no ip bootp server
ip vrf mgmtVrf
!
ip multicast-routing
vtp domain ddte
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
name DATA_VLAN
!
vlan 20
name MGMT_VLAN
!
vlan 100
name EXT_VLAN
!
ip tcp synwait-time 10
ip telnet hidden addresses
!
!
interface Loopback0
ip address 10.0.0.121 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!INTERFACE CONFIG REMOVED!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description ALPHA_VLAN
ip address 172.17.20.46 255.255.255.0
ip pim sparse-dense-mode
no ip unreachables
no ip proxy-arp
no shutdown
!
interface Vlan20
description BRAVO_VLAN
ip address 192.168.41.254 255.255.255.0
ip pim sparse-dense-mode
no ip unreachables
no ip proxy-arp
no shutdown
!
interface Vlan100
description DELTA_VLAN
ip address 192.168.50.254 255.255.255.0
no ip unreachables
no ip proxy-arp
no shutdown
!
!
router eigrp 101
no auto-summary
network 10.x.x.x
network 172.17.x.x
network 192.168.x.x
network 192.168.x.x
!
ip local policy route-map NO_TRACEROUTE
no ip http server
no ip http secure-server
!
ip pim send-rp-announce Loopback0 scope 3
ip pim send-rp-discovery Loopback0 scope 3
!
ip access-list extended NO_TRACEROUTE
permit icmp any any time-exceeded
permit icmp any any port-unreachable
!
no cdp advertise-v2
no cdp run
!
!
07-14-2010 10:31 AM
Hello,
From your configuration, the 4948 is doing routing (you are running EIGRP) and you have included the 172.17.x.x and 192.168.41.x subnets in the routing process. I do not see any rules on the 4948 that are blocking communication between these two VLANs. So, in essence, the 4948 is doing routing between these two VLANs. If you want to block communication between these two VLANs, then you need to configure access-lists and apply them to the VLAN 10 interface.
access-list 199 permit ip host 172.17.20.43 any
access-list 199 deny ip 172.17.20.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 199 permit ip any any
interface vlan 10
ip access-group 199 in
exit
This will ensure that your DNS server can talk to everybody, anybody else on VLAN 10 cannot talk to VLAN 20, and all other traffic (including internet and to VLAN 100) are permitted from VLAN 10.
Hope this helps.
Regards,
NT
07-14-2010 02:02 PM
I removed all networks from the eigrp 101 table except the 10.x.x.x network. I was still able to view our RAID device's web page between 172.17.20.x and 192.168.41.x. The workstation is on 172 and the RAID is on 192.168.41.x. I must be missing something. I will gladly use the ACL you provided, but the main concern isn't so much internal VLAN crossing, it is more the potential for someone on our external network to gain access to either the VLAN 10 or the VLAN 20 network. Our external network enters on VLAN 100. Take a look at my config once again and see if you see any reason why our VLANs should be communicating. Again, I did remove all of the networks from the EIGRP 101 table except the 10.x.x.x network.
Thanks for your help!
07-14-2010 02:57 PM
Hello,
Sorry, I was not clear in my earlier post. As soon as you enable routing on the switch (not considering the routing protocol), the switch will include and route between all the subnets it is directly connected to. So, irrespective of whether you have the subnet under EIGRP or not, the routing will still happen (this routing is happening locally). So, the only way to control them is to either disable IP routing (no ip routing) or configure access-lists. If you disable routing, I am afraid some of your other services might suffer (you will not be able to send traffic out to the internet from these VLANs). So, the best solution is to use an access-list on the interface and block the communication.
Hope this helps.
Regards,
NT
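To make the two points in NT's replies concrete (the ACL 199 first-match semantics from the 10:31 AM post, and the 02:57 PM point that connected subnets are routed whether or not EIGRP lists them), here is an added Python model of how the switch treats a single packet. It is not part of the thread and is not Cisco code. The SVI addresses and ACL 199 are taken from the configuration posted above; the host addresses (workstation, RAID, external host), the sample packets, and the ACL_EXT_IN access-list for Vlan100 are constructed for illustration and do not appear in the thread.

```python
"""Model of what the 4948 does with one packet: connected-route lookup, then the
inbound ACL on the ingress SVI.  Added example; SVI addresses and ACL 199 come from
the posted config, host addresses and ACL_EXT_IN are constructed."""
import ipaddress
from dataclasses import dataclass

# SVIs from the posted config.  With 'ip routing' on, each one installs a connected
# route; that is why the switch forwards between them with no EIGRP 'network' at all.
SVIS = {
    "Vlan10": ipaddress.ip_interface("172.17.20.46/24"),
    "Vlan20": ipaddress.ip_interface("192.168.41.254/24"),
    "Vlan100": ipaddress.ip_interface("192.168.50.254/24"),
}


def connected_routes(svis):
    """Routing table holding only the connected prefixes (no dynamic protocol)."""
    return {name: iface.network for name, iface in svis.items()}


def lookup(routes, addr):
    """Longest-prefix match; returns the SVI name, or None when there is no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net in routes.items():
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: str
    src_wc: str   # Cisco wildcard mask: a 1 bit means "don't care"
    dst: str
    dst_wc: str


def _addr_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse one numbered-ACL entry; the leading 'access-list <n>' is optional."""
    t = line.split()
    if t[0].lower() == "access-list":
        t = t[2:]
    (src, src_wc), i = _addr_spec(t, 2)
    (dst, dst_wc), _ = _addr_spec(t, i)
    return Ace(t[0], t[1], src, src_wc, dst, dst_wc)


def wildcard_match(addr, base, wildcard):
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.ip_address(addr)) & care == int(ipaddress.ip_address(base)) & care


def evaluate(acl, proto, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto in ("ip", proto) and wildcard_match(src, ace.src, ace.src_wc) \
                and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def forward(svis, inbound_acls, proto, src, dst):
    """Return (verdict, ingress_svi, egress_svi).  The ingress SVI is the one whose
    connected network contains the source; only that SVI's *inbound* ACL is consulted."""
    routes = connected_routes(svis)
    ingress, egress = lookup(routes, src), lookup(routes, dst)
    if ingress is None or egress is None:
        return ("no route", ingress, egress)
    acl = inbound_acls.get(ingress)
    if acl is not None and evaluate(acl, proto, src, dst) == "deny":
        return ("denied", ingress, None)
    return ("forwarded", ingress, egress)


# ACL 199 exactly as suggested in the thread, to be applied inbound on Vlan10.
ACL_199 = [parse_ace(line) for line in (
    "access-list 199 permit ip host 172.17.20.43 any",
    "access-list 199 deny ip 172.17.20.0 0.0.0.255 192.168.41.0 0.0.0.255",
    "access-list 199 permit ip any any",
)]

# Constructed (not from the thread): an inbound ACL for the external-facing Vlan100.
ACL_EXT_IN = [parse_ace(line) for line in (
    "deny ip 192.168.50.0 0.0.0.255 172.17.20.0 0.0.0.255",
    "deny ip 192.168.50.0 0.0.0.255 192.168.41.0 0.0.0.255",
    "permit ip any any",
)]

# Constructed host addresses; only the DNS server address is from the posted config.
WORKSTATION, DNS, RAID, EXTERNAL = "172.17.20.50", "172.17.20.43", "192.168.41.10", "192.168.50.7"


def scenarios():
    only_vlan10 = {"Vlan10": ACL_199}
    both = {"Vlan10": ACL_199, "Vlan100": ACL_EXT_IN}
    return {
        "workstation -> RAID": forward(SVIS, only_vlan10, "tcp", WORKSTATION, RAID),
        "dns -> RAID": forward(SVIS, only_vlan10, "tcp", DNS, RAID),
        "workstation -> vlan100": forward(SVIS, only_vlan10, "tcp", WORKSTATION, "192.168.50.1"),
        # ACL 199 sits inbound on Vlan10 only, so packets entering on Vlan20 are never checked.
        "RAID -> workstation (udp)": forward(SVIS, only_vlan10, "udp", RAID, WORKSTATION),
        "external -> workstation": forward(SVIS, only_vlan10, "tcp", EXTERNAL, WORKSTATION),
        "external -> workstation, ext acl": forward(SVIS, both, "tcp", EXTERNAL, WORKSTATION),
    }


if __name__ == "__main__":
    for name, (verdict, ingress, egress) in scenarios().items():
        print(f"{name:36} {verdict:10} in={ingress} out={egress}")
```

Two things the model makes visible that the thread leaves implicit. First, ACL 199 inbound on Vlan10 only inspects packets arriving from VLAN 10; it stops workstations from opening sessions to VLAN 20 and, because the VLAN 10 host's replies are dropped too, TCP sessions started from VLAN 20 also fail, but a single unsolicited UDP datagram from VLAN 20 still reaches VLAN 10. Second, nothing entering on Vlan100 is touched by ACL 199, so the external-access concern in the 02:02 PM post needs its own inbound ACL on Vlan100 (ACL_EXT_IN is one constructed shape for it). IOS ACLs are stateless, so any such external ACL must also allow the return traffic of sessions that inside hosts initiate, which is outside what this thread covers.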
07-15-2010 09:00 AM
Thanks for the support. It looks like ACLs will be the way to go. I appreciate the prompt replies and useful information.
Thanks again!