Solved: Disable communication between VLANS on same Switch.

khalid166 · ‎12-28-2010

Hi Everyone,

My Question is very simple, In my scenario I am using 2950 switch and having Vlans (10,20,and 30), I just want VLAN 10 should be able to communicate with VLAN 20 and VLAN 30 but VLAN 20 and VLAN 30 should not be able communicate with each other.

Thanks,

Regards,

KM.

Latchum Naidu · ‎12-29-2010

Hi Khaled,

You are most welcome... Feel proud always that this forum will bring up from issues...

And I am glad that my post helped you... :-)

Please rate the post which makes good impression as well.

Regards,

Naidu.

View solution in original post

Peter Paluch · ‎12-28-2010

Khalid,

You cannot accomplish this with a 2950 Catalyst switch. The 2950 is a Layer2 switch which keeps all VLANs strictly isolated from each other. If you need to allow communication between selected VLANs you either need an additional router or a multilayer switch because communication between VLANs is essentially routing. In any case, the 2950 alone is absolutely unable to perform routing functions, and thus, it keeps all defined VLANs separate.

Best regards,

Peter

Shashank Singh · ‎12-28-2010

Hi Khalid,

This can be achieved by configuring ACLs on the router subinterfaces which is doing the intervlan routing for you. Following is a brief idea:

on subint 20 in IN direction:

deny ip vlan20_subnet vlan30_subnet

permit ip any any

on subint 30 in IN direction:

deny ip vlan30_subnet vlan20_subnet

permit ip any any

Hope this helps.

Shashank.

Please rate this answer if you found the content useful

Latchum Naidu · ‎12-28-2010

Hi Khalid,

As Paul said, you need a L3 device to do intervlan routing and hope you have that.

Try to configure the accesslist like below and apply under VLAN's and see.

I am assuming your IP ranges as follow Vlan10: 10.10.10.0/24 Vlan20: 10.10.20.0/24 Vlan30: 10.10.30.0/24

ip access-list extended Vlan_10
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255

ip access-list extended Vlan_20
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

ip access-list extended Vlan_30
deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip any any

int Vlan 10
ip access-group Vlan_10 in

int Vlan 20
ip access-group Vlan_20 in

int Vlan 30
ip access-group Vlan_30 in

Regards,
Naidu.

khalid166 · ‎12-29-2010

Mr,Maidu,

Thanks alot for your help and support its working fine.

thanks to other guys also.

Regards.

KM.

Latchum Naidu · ‎12-29-2010

Hi Khaled,

You are most welcome... Feel proud always that this forum will bring up from issues...

And I am glad that my post helped you... :-)

Please rate the post which makes good impression as well.

Regards,

Naidu.

Deepak Aswani · ‎11-04-2021

This worked perfectly for me too. Thank you!

dmayo15 · ‎09-12-2023

Is it possible to NOT use ip address but instead use the port that the end device is connected to allow access (IE3400)