Beginner

how to stop inter-vlaning on switch sg350

Hi all,

As I have added IP interface addresses for these VLANs, I want to stop inter-VLAN routing on the switch so the two VLANs can't talk to each other on the switch; they have to go back to the firewall to do all the routing.

Isn't this called an ACL rule?

Thanks,

rob

[Attached image: intervlan.PNG]

5 REPLIES
VIP Advisor

Re: how to stop inter-vlaning on switch sg350

You can use a VACL to block traffic between VLANs.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html

If all the communication needs to go to the FW, then your SVIs need to move to the FW, and you should trunk between the switch and the FW.

How is your setup? Any HLD?

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: how to stop inter-vlaning on switch sg350

What's an HLD?

So what you're saying is: don't set up any gateway IPs on the switch; instead, set up the gateway IPs on the router?

thanks

Hall of Fame Expert

Re: how to stop inter-vlaning on switch sg350

Hello,

You should be able to disable IP routing in the GUI to stop inter-VLAN routing.

Another option is to avoid defining SVI Layer 3 interfaces on those VLANs that need to be served by the FW; otherwise, as you have noted, the FW is bypassed by inter-VLAN routing.

I think the second option is enough to achieve the desired behaviour: just disable the SVIs that are associated with the VLANs that must go to the FW.

Using ACLs or VACLs would be complex for you from a configuration point of view.

Edit:

HLD means High Level Design; in your case it would be enough to see a network diagram listing all the VLANs that have to be terminated on the FW.

For all of them, do not use SVI interfaces on the SG350 switch.

The suggestion about default gateway settings, I think, is intended for end user devices and servers in the different VLANs: they should use the corresponding FW address in the VLAN as the default gateway and not the SG350 SVI address.

This may be enough to avoid FW bypass by inter-VLAN routing, but only if all end user devices and servers are configured correctly.

Disabling SVIs on the SG350 for all the VLANs to be terminated on the FW is safer.

Hope to help

Giuseppe

Beginner

Re: how to stop inter-vlaning on switch sg350

*You should be able to disable IP routing in the GUI to stop inter-VLAN routing*

Can I do this via the terminal, or is it "no ip routing"?

But if I disable IP routing, i.e. make it a Layer 2 switch, won't I lose the functionality of making different IP gateway addresses for different VLANs, and will I just be able to create one IP gateway VLAN, i.e. this will be the management IP to manage the switch?

And yes, disabling the SVI would be the easiest option.

VIP Advisor

Re: how to stop inter-vlaning on switch sg350

Yes, by disabling the SVIs the switch becomes Layer 2, so you have all the control in the FW.

You can create the VLAN SVI which is required for management.

users -----Switch---FW (FW as gateway for user devices), then the FW can take the decision.

 

BB
*** Rate All Helpful Responses ***
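A small audit for the check Giuseppe and BB describe, added here as an example that is not part of the thread or of Cisco's own tooling: it parses an SG350-style running-config, lists the VLANs that carry an SVI IP address, and flags any firewall-served VLAN other than the management VLAN that still has one (with `ip routing` enabled, those VLANs are routed on the switch and the firewall is bypassed). The config excerpt is constructed, and the `ip routing` / `interface vlan N` / `ip address` line forms are assumed to match what the switch's `show running-config` prints.

```python
import re
from typing import Dict, List

# Constructed sample of an SG350-style running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
ip routing
interface vlan 1
 ip address 192.168.1.2 255.255.255.0
interface vlan 10
 name USERS
 ip address 10.0.10.1 255.255.255.0
interface vlan 20
 name SERVERS
 ip address 10.0.20.1 255.255.255.0
interface vlan 30
 name GUEST
"""

def parse_svis(config: str) -> Dict[int, str]:
    """Return {vlan_id: ip} for every 'interface vlan N' block that carries an IP address."""
    svis: Dict[int, str] = {}
    current = None  # VLAN id of the interface block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
        elif line.startswith("interface "):
            current = None  # a physical or other interface block, not an SVI
        else:
            m = re.match(r"^ip address (\S+) \S+$", line)
            if m and current is not None:
                svis[current] = m.group(1)
    return svis

def routing_enabled(config: str) -> bool:
    """True if the global 'ip routing' line appears and is not negated (assumed line form)."""
    lines = [raw.strip() for raw in config.splitlines()]
    return "ip routing" in lines and "no ip routing" not in lines

def audit(config: str, fw_vlans: List[int], mgmt_vlan: int) -> List[str]:
    """Flag SVIs on VLANs the firewall should route; only the management SVI is allowed."""
    svis = parse_svis(config)
    offending = [v for v in fw_vlans if v in svis and v != mgmt_vlan]
    findings = []
    if offending and routing_enabled(config):
        findings.append(f"ip routing is enabled and VLANs {offending} have SVIs: firewall is bypassed")
    for v in offending:
        findings.append(f"interface vlan {v}: remove ip address {svis[v]} so traffic returns to the firewall")
    return findings
```

Run `audit(SAMPLE_CONFIG, [10, 20, 30], 1)` to see VLANs 10 and 20 reported; VLAN 30 has no SVI and VLAN 1 is the management exception, so neither is flagged.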