Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1583
Views
0
Helpful
5
Replies

how to stop inter-vlaning on switch sg350

robertkwild
Spotlight
Spotlight

‎08-12-2019 04:40 PM

hi all,

 

as i have added ip interface addresses for these vlans i want to stop inter-vlaning on the switch so the two vlans cant talk to eachother on the switch, they have to go back to the firewall to do all the routing

 

isnt this called an ACL rule?

 

thanks,

rob

intervlan.PNG

 

Labels:
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎08-12-2019 05:09 PM

you can use  VACL to block betweek VLANs 

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html

 

If all the communication need to go to FW, then your SVI need to move to FW, and you should Trunk between Swith and FW.

 

how is your setup ? any HLD ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

robertkwild
Spotlight
Spotlight
In response to balaji.bandi

‎08-13-2019 01:40 AM

whats a HLD?

so what your saying is dont set up any gateways ips on the switch instead set up the gateway ips on the router?

thanks

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-13-2019 01:59 AM - edited ‎08-13-2019 02:06 AM

Hello,

you should be able to disable IP routing on the GUI to stop inter Vlan routing.

Another option is to avoid to define SVIs Layer 3 interfaces on those Vlans that need to be served by the FW, otherwise as you have noted the FW is bypassed by inter Vlan routing.

 

I think second option is enough to achieve the desired behaviour just disable SVIs that are associated to Vlans that must go to the FW.

Using ACLs or VACLs would be complex for you from a configuration point of view.

 

Edit:

HLD means High Level Design in your case it would be enough to see a network diagram listing all the Vlans that have to be terminated on the FW.

For all of them do not use SVI interfaces on the SG350 switch.

The suggestion about default gateway settings I think it is intended for end user devices and servers in the different Vlans they should use the corresponding FW address in Vlan as DEF GW and not the SG350 SVI address.

This may be enough to avoid FW bypass by inter Vlan routing, but only if all end user devices and servers are configured correctly.

Disabling SVIs on the SG350 for all the Vlans to be terminated on FW is safer.

 

Hope to help

Giuseppe

 

0 Helpful

robertkwild
Spotlight
Spotlight
In response to Giuseppe Larosa

‎08-13-2019 02:33 AM - edited ‎08-13-2019 02:45 AM

*you should be able to disable IP routing on the GUI to stop inter Vlan routing*

 

can i do this via terminal or is it "no ip routing"

 

but if i disable ip routing ie make it a layer 2 switch wont i lose the functionality in making different ip gateway addresses for different vlans and i will just be able to create one ip gateway vlan ie this will be the management ip to manage the switch?

 

and yes to disable svi would be the easiest option

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to robertkwild

‎08-13-2019 08:25 AM

yes disabling the SVI Switch become Layer2, So you have control all in FW.

 

you can create the VLAN SVI  which required to management.

 

 

users -----Switch---FW ( FW as gateway for user devices..), then FW can take decision.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card