How to set up a multi-vlan port

wilbertchoa
Level 1

Hi, I am having problems in setting up a port to join more than 1 vlan using a 2960g router.

Whenever I try to add that one port to another vlan, it disappears from the previous one.

The setup I need requires that a server can visit clients, however each client can only visit the server, communication between clients is forbidden. I created a vlan for each client so that they are separated but I need to add the server port to the client vlan as well.

4 Replies

lgijssel
Level 9

This would perhaps be possible using the private vlan feature. Unfortunately for you, this is not supported on the 2960:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml#topic1

Regards,

Leo

Jon Marshall
Hall of Fame

Hi

If you have a layer 3 device you could use access-lists to restrict traffic flows between clients and between the clients and the servers.

If you are trying to do this at layer 2 only, I think you can still use access-lists, although you would need to have all your clients and the server in the same vlan.

Attached is the layer 2 access-list config guide for the 2960 switch:

http://www.cisco.com/en/US/products/ps6406/products_configuration_guide_chapter09186a00805a75be.html

HTH

Jon

From what I read in the document, I seem to be able to only filter inbound access to the whole network and not per client using my existing hardware.

I may occasionally need to let each client access the internet through the server so I'm not sure if I can do that in addition to denying access

Sorry if I misunderstood, I'm not really very knowledgeable in networking yet.

Looks like I need to use some other switch for what I require.

Hi

Maybe I misunderstood the requirements. I was thinking you could do the following:

access-list 101 permit ip host "client ip address" host "server ip address"
access-list 101 deny ip any any

Then apply access-list 101 to the client interface, e.g.:

interface "interface id"
 ip access-group 101 in

This would allow the client to talk to the server but not to anything else within the vlan.

You could create separate access-lists for each client.

For the server you wouldn't need an access-list.

As mentioned before all clients + server would need to be in same vlan.

Does this not do what you want it to do?

HTH

Jon
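The per-client access-list approach Jon describes in his two replies, as an added worked example that is not code from this thread or from Cisco: a small Python model that renders the two-line ACL plus its inbound binding for each client port, then evaluates sample packets against those lists to confirm that every client can reach the server while no client can reach another client. The IP addresses, interface names and ACL numbers are constructed for the illustration, and the evaluator only models first-match ACL logic (including the implicit deny at the end), not what a particular switch platform supports.

```python
# Added example (not from the thread or from Cisco): model of the per-client
# inbound ACL scheme, with a rendering of the IOS lines and a policy check.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry; None for src/dst means 'any'."""
    action: str            # "permit" or "deny"
    src: Optional[str]
    dst: Optional[str]


def build_client_acl(client_ip: str, server_ip: str) -> list:
    # The two-line list from the reply: permit client->server, deny everything else.
    return [Ace("permit", client_ip, server_ip), Ace("deny", None, None)]


def render_ios(acl_number: int, client_ip: str, server_ip: str, interface: str) -> str:
    """Render the ACL and its inbound binding on the client's port as IOS-style config."""
    lines = []
    for ace in build_client_acl(client_ip, server_ip):
        src = "any" if ace.src is None else f"host {ace.src}"
        dst = "any" if ace.dst is None else f"host {ace.dst}"
        lines.append(f"access-list {acl_number} {ace.action} ip {src} {dst}")
    lines.append(f"interface {interface}")
    # 'in' on the client port filters the traffic the client sends.
    lines.append(f" ip access-group {acl_number} in")
    return "\n".join(lines)


def evaluate(acl: list, src: str, dst: str) -> str:
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if (ace.src is None or ace.src == src) and (ace.dst is None or ace.dst == dst):
            return ace.action
    return "deny"


def check_isolation(clients: dict, server_ip: str) -> list:
    """Return (src, dst, outcome) triples that violate the policy; empty means OK.

    clients maps a client port name to that client's IP address."""
    violations = []
    for cip in clients.values():
        acl = build_client_acl(cip, server_ip)
        # Each client must be able to reach the server ...
        if evaluate(acl, cip, server_ip) != "permit":
            violations.append((cip, server_ip, "denied"))
        # ... and must not be able to reach any other client.
        for other in clients.values():
            if other != cip and evaluate(acl, cip, other) != "deny":
                violations.append((cip, other, "permitted"))
    return violations


if __name__ == "__main__":
    SERVER = "192.0.2.1"                                   # constructed address
    CLIENTS = {"GigabitEthernet0/2": "192.0.2.11",         # constructed ports/addresses
               "GigabitEthernet0/3": "192.0.2.12"}
    for n, (iface, cip) in enumerate(CLIENTS.items(), start=101):
        print(render_ios(n, cip, SERVER, iface))
        print()
    print("violations:", check_isolation(CLIENTS, SERVER))
```

Running the block prints one ACL and interface stanza per client and an empty violation list; `check_isolation` is the part worth keeping around, since it makes the intended isolation property explicit and flags any list that accidentally permits client-to-client traffic (for instance a `permit ip any any` entry placed before the deny).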