Deny traffic from different vlan's

briangreig
Level 1

Hello,

I am attempting to join two separate networks together to allow my work's VOIP system to travel along both networks, while keeping each network separate from the other.

Network 1, a static network, has the PBX on it that I need to allow access to from any VLAN so that the phones can report to the PBX.  Networks 2 and 3 however have DHCP enabled and currently cause issues with each other since each DHCP is trying to assign IPs.  I need Network 1 to be able to travel on any VLAN basically because we now have phones across several remote buildings between all the networks.  If I don't use VLANs could I use ACLs to help block traffic at the main switch where all the different networks merge?

Basically Networks 2 and 3 need to be blocked from each other, but still allow Network 1 to be seen across both 2 and 3.

Thanks for any help,

Brian

7 Replies

Philip D'Ath
VIP Alumni

Do you have any kind of layer 3 routing device, like a layer 3 switch?

It sounds like each remote network should be placed in a different subnet from each other.

Philip,

Sorry, forgot to put my hardware in the message.  I have a Cisco 3570 switch.

I guess I just need the network traffic of Network 1 to travel on the physical side of the other networks to reach the phones on those networks.  Then block 2 and 3 from interacting with each other.

Network 1 (static): 192.168.3.x, mask 255.255.255.0

Network 2 (DHCP): 192.168.1.x, mask 255.255.255.0

Network 3 (DHCP): 172.20.25.x, mask 255.255.255.0

Yes, ACLs will restrict traffic between subnets. Apply the ACLs to your interface vlan x (SVI).

You can post the config of the switch so we can fill out the blanks.

Please rate if helpful

Please remember to rate useful posts, by clicking on the stars below.

Dennis,

I'm at home now, I will grab the config on Monday and post it.  I was able to use a spare switch and mock up the network in the shop.  On port 4, I was able to assign the ACL to only pass the 192.168.3.0 network and it seems to be working; all other ports pass traffic normally.  May not be the best way, but I think it will work well for our simple interconnect.

I have only one VLAN on the switch, four ports used up out of the 48.  Not the biggest network hardware-wise, but it spans out over the county to some remote radio hilltop sites to provide a basic VOIP system for the techs to talk to each other where cell phones just don't work.

I set up the ACL as follows and assigned it to fa0/4 where the outside network joins ours.

"Switch(config)# access-list 100 permit ip 192.168.3.0 0.0.0.255"

"Switch(config-if)# ip access-group 100 in" - This on fa0/4 only

With this I am only able to ping across the 192.168.3.0 network, all other traffic times out when trying my other networks we use.

Thanks for your guys help and direction, will post the actual config Monday.  Let me know if you guys have any other ideas, I am going to install the switch this next week to beta test it.

Thanks,

Brian

Yeah Brian, don't apply it to a physical port, apply it to your SVI (interface vlan x), which should have an IP address on it (like the default gateway for a certain subnet).

Please rate if helpful

Please remember to rate useful posts, by clicking on the stars below.
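A worked configuration for the SVI approach Dennis describes, added here as an example; it is not the thread author's config and not copied from Cisco documentation. It assumes a Catalyst layer 3 switch with `ip routing` enabled; the VLAN IDs (10, 20, 30) and the `.1` gateway addresses are assumptions, while the three subnets are the ones Brian posted. The point it demonstrates: an ACL applied inbound on an SVI filters packets sourced by hosts in that VLAN, so each site VLAN gets its own list that permits only the PBX subnet as an off-subnet destination, and because ACLs are stateless the same rule has to exist on both site SVIs for the block to hold in both directions.

```cisco
! Added example, not the thread author's config. Assumed: Catalyst layer 3
! switch, VLAN IDs 10/20/30 and .1 gateway addresses; subnets are Brian's.
ip routing
!
! Network 1: 192.168.3.0/24, static addressing, PBX lives here
vlan 10
 name PBX-NET
! Network 2: 192.168.1.0/24, DHCP
vlan 20
 name SITE-2
! Network 3: 172.20.25.0/24, DHCP
vlan 30
 name SITE-3
!
! Inbound on an SVI = packets sourced by hosts in that VLAN, so the rule
! "what may Network 2 talk to" sits on interface Vlan20, inbound.
ip access-list extended SITE-2-IN
 remark DHCP normally stays inside the VLAN; permitted in case the switch relays it
 permit udp any eq bootpc any eq bootps
 remark hosts may reach their own gateway (ping for troubleshooting)
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 remark the only off-subnet destination allowed is the PBX network
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark explicit deny with log so hits are visible in show ip access-lists
 deny   ip 192.168.1.0 0.0.0.255 172.20.25.0 0.0.0.255 log
 deny   ip any any
!
! Mirror image for Network 3; needed because the lists are stateless
ip access-list extended SITE-3-IN
 permit udp any eq bootpc any eq bootps
 permit ip 172.20.25.0 0.0.0.255 host 172.20.25.1
 permit ip 172.20.25.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 172.20.25.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 deny   ip any any
!
interface Vlan10
 ip address 192.168.3.1 255.255.255.0
 ! no ACL here: the PBX network is allowed to reach both sites
interface Vlan20
 ip address 192.168.1.1 255.255.255.0
 ip access-group SITE-2-IN in
interface Vlan30
 ip address 172.20.25.1 255.255.255.0
 ip access-group SITE-3-IN in
!
! Verify: "show ip access-lists" shows per-entry hit counters,
! "show ip interface vlan 20" confirms the list is bound inbound.
! From a Site 2 host: ping the PBX (answers), then ping a Site 3 address
! (times out, and the logged deny counter on SITE-2-IN increments).
```

Two caveats worth keeping in mind with this layout. First, the port-level ACL Brian tested on fa0/4 only inspects frames entering that one port, which is why it appeared to work on the bench; the SVI list follows the subnet rather than the cable, so it keeps working when a second uplink or a trunk is added. Second, the explicit `deny ip any any` means hosts in VLAN 20 and 30 lose every other routed destination (an internet gateway, a management host) until a matching `permit` is added above it, so check the counters after cutover rather than assuming silence means success.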

Dennis,

Ok so I have been trying to mock up my configuration in Packet Tracer so I can experiment.  I have gone through a redo of my configs. I now have three switches, two with two VLANs and one with three; the three-VLAN switch is the interconnect switch.

I have everything up and going in Packet Tracer but I am unable to get the two VLANs to pass traffic between each other.  I think I am starting to swim in the deep end of the pool and not thinking correctly right now.

My setup needs to have two different subnets, 192.168.3.x and 172.20.1.x, that inter-VLAN route between vlan1 and vlan2 over the entire network.  On the interconnect switch I need to isolate vlan3 to only pass vlan1 traffic back and forth.

So starting from scratch, again, what should I be doing to make this work correctly?  This is a bit of a learning experience for me as well, studying for my CCNA on the side for work.

Attached is my packet tracer setup as well.

Thanks for any help,

Brian

briangreig
Level 1

Ok, after sitting down and mulling this over I might have a solution but need to see what you guys think.

I only want the 192.168.3.0 255.255.255.0 network to be able to pass back and forth on the port that interconnects the two networks, let's say fa1/0/3.

Would this work?

  • Switch(config)# access-list 100 permit ip any 192.168.3.0 0.0.0.255
  • Switch(config)# interface fa1/0/3
  • Switch(config-if)# ip access-group 100 in
  • Switch(config-if)# end
Thanks,
Brian