1582 Views, 0 Helpful, 5 Replies

How to stop inter-VLAN routing on an SG350 switch

robertkwild
Spotlight

Hi all,

As I have added IP interface addresses for these VLANs, I want to stop inter-VLAN routing on the switch so the two VLANs can't talk to each other on the switch; they have to go back to the firewall to do all the routing.

Isn't this called an ACL rule?

Thanks,

Rob

[Attachment: intervlan.PNG]

 

5 Replies

balaji.bandi
Hall of Fame

You can use a VACL to block traffic between VLANs:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html

If all the communication needs to go to the FW, then your SVIs need to move to the FW, and you should trunk between the switch and the FW.

How is your setup? Any HLD?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

What's an HLD?

So what you're saying is: don't set up any gateway IPs on the switch; instead set up the gateway IPs on the router?

Thanks

Giuseppe Larosa
Hall of Fame

Hello,

You should be able to disable IP routing in the GUI to stop inter-VLAN routing.

Another option is to avoid defining SVI Layer 3 interfaces on those VLANs that need to be served by the FW; otherwise, as you have noted, the FW is bypassed by inter-VLAN routing.

I think the second option is enough to achieve the desired behaviour: just disable the SVIs that are associated with the VLANs that must go to the FW.

Using ACLs or VACLs would be complex for you from a configuration point of view.

Edit:

HLD means High Level Design. In your case it would be enough to see a network diagram listing all the VLANs that have to be terminated on the FW.

For all of them, do not use SVI interfaces on the SG350 switch.

The suggestion about default gateway settings is, I think, intended for the end user devices and servers in the different VLANs: they should use the corresponding FW address in the VLAN as the default gateway and not the SG350 SVI address.

This may be enough to avoid FW bypass by inter-VLAN routing, but only if all end user devices and servers are configured correctly.

Disabling SVIs on the SG350 for all the VLANs to be terminated on the FW is safer.

Hope to help

Giuseppe

 

*You should be able to disable IP routing in the GUI to stop inter-VLAN routing*

Can I do this via the terminal, or is it "no ip routing"?

But if I disable IP routing, i.e. make it a Layer 2 switch, won't I lose the functionality of making different IP gateway addresses for different VLANs, and I will just be able to create one IP gateway VLAN, i.e. this will be the management IP to manage the switch?

And yes, disabling the SVI would be the easiest option.

Yes, disabling the SVIs makes the switch Layer 2, so you have all the control in the FW.

You can create the VLAN SVI which is required for management.

users ----- Switch --- FW (FW as gateway for user devices), then the FW can take the decision.

BB

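The configuration the thread converges on (drop the user-VLAN SVIs, keep one management SVI, trunk everything to the firewall), written out as an added example that is not part of any reply above. VLAN IDs 10/20/99, the addresses, and the port names are assumptions for illustration; the command syntax follows the Cisco Sx350 CLI as far as I know it, so check it against the CLI guide for your firmware before pasting.

```text
! Added example, not from the thread. VLAN IDs, addresses and port
! names are assumed; adjust to your own design.
configure terminal

! 1. Remove the IP interfaces that created the routed path between VLANs.
!    The VLANs themselves stay defined so the ports keep carrying them.
interface vlan 10
 no ip address
exit
interface vlan 20
 no ip address
exit

! 2. Keep exactly one SVI, on the management VLAN, and point the switch
!    at the firewall's address in that VLAN for its own management traffic.
interface vlan 99
 ip address 192.168.99.2 255.255.255.0
exit
ip default-gateway 192.168.99.1

! 3. Disable IPv4 routing globally. With no user-VLAN SVIs this is
!    belt-and-braces, but it stops a later "ip address" on some VLAN
!    from silently turning the switch back into the inter-VLAN router.
no ip routing

! 4. Uplink to the firewall: an 802.1Q trunk carrying every VLAN the
!    firewall terminates (the firewall side needs matching sub-interfaces).
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,99
exit

! 5. User ports stay plain access ports, e.g.:
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
exit

end
copy running-config startup-config

! Verification: only the VLAN 99 address should be listed.
show ip interface
```

Two checks are worth doing after this. First, `show ip interface` should list only the management SVI; any other IP interface is a routing path that bypasses the firewall. Second, from a host in VLAN 10, ping a host in VLAN 20 and confirm the flow shows up in the firewall's logs (or is dropped by its policy): if the ping succeeds without the firewall seeing it, a host is still using a switch SVI as its gateway, which is the case Giuseppe warns about.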