Solved: Re: L3 & L2 switch

MICHAEL KALOPETRIDES · ‎03-25-2011

On a layer 3 switch on issuing the global command ip routing the L3 is enabled and intervilan routing is enabled.

Can I have some ports of same switch as L3 and some as L2?

Jon Marshall · ‎03-27-2011

m.kalopetrides wrote:

If I do not create vlan svi there will be no routing? because it will not have a gateway?

Correct, no SVI for a vlan means that clients on that vlan can only communicate with clients on the same vlan.

If you want to restrict inter-vlan traffic between certain vlans use access-lists on the SVI interfaces, it's the easiest solution.

Jon

View solution in original post

Jon Marshall · ‎03-25-2011

m.kalopetrides wrote:

On a layer 3 switch on issuing the global command ip routing the L3 is enabled and intervilan routing is enabled.

Can I have some ports of same switch as L3 and some as L2?

Michael

Even after enabling "ip routing" all ports on the switch are still L2 switchports. It is indeed possible to have L2 and L3 ports on the same switch with routing enabled eg.

int gi0/1

switchport mode access

switchport access vlan 10

the above is a L2 port assigned to vlan 10

int gi0/2

no switchport

ip address 192.168.5.1 255.255.255.0

the above is a L3 routed port with an IP address assigned.

Jon

lamav · ‎03-25-2011

JON!!!!

I was asking about you a few weeks ago! Where the heck have you been, you limey??!!??

Hope everything is OK.

Jon Marshall · ‎03-25-2011

lamav wrote:

JON!!!!

I was asking about you a few weeks ago! Where the heck have you been, you limey??!!??

Hope everything is OK.

Victor me old mate, yes i've been away for a few months sorting out some personal stuff so haven't been posting for a while.

Back now, at least for the present !

Hope your'e okay as well, good to hear from you.

Jon

MICHAEL KALOPETRIDES · ‎03-25-2011

Thanks Jon

Yes I know about that, may be I did not make myself clear.

I ment that how can I have some ports routing intervilan routing and some only their vlan

Jon Marshall · ‎03-25-2011

m.kalopetrides wrote:

Thanks Jon

Yes I know about that, may be I did not make myself clear.

I ment that how can I have some ports routing intervilan routing and some only their vlan

Not sure i follow, could you give an example of what you mean.

Jon

Aileron88 · ‎03-25-2011

Are you talking about restricting some users to a single VLAN and other users not?

MICHAEL KALOPETRIDES · ‎03-27-2011

Yes some ports to have intervlan routing and some ports not

eg port 1 & 2 to belong to vlan 2

port 3 & 4 to vlan 5

port 5&6 to vlan 6

no traffic from vlan 2 to go to vlan 5 & 6 and no traffic from vlan 5&6 to vlan 2 so vlan 2 will be isolated

Thanks

Aileron88 · ‎03-27-2011

Hi Michael,

You can just use a standard access list to do this.

So e.g. if VLAN 2 has a 192.168.2.0/24 address range and VLAN 5 has a 192.168.5.0/24 range and you want to stop VLAN 2 traffic from entering VLAN 5 you could create a standard access-list as follows:

access-list 1 deny 192.168.2.0 0.0.0.255

access-list 1 permit any

Interface VLAN 5

ip access-group 1 in

Adam

mahmoodmkl · ‎03-27-2011

HI

Another way can be that u dont create the SVI of vlan 2 on ur L3 switch instead of applying the ACLs.

Thanks

Aileron88 · ‎03-27-2011

Correct, but this would stop the suggested VLAN from routing at all.

MICHAEL KALOPETRIDES · ‎03-27-2011

If I do not create vlan svi there will be no routing? because it will not have a gateway?

Jon Marshall · ‎03-27-2011

m.kalopetrides wrote:

If I do not create vlan svi there will be no routing? because it will not have a gateway?

Correct, no SVI for a vlan means that clients on that vlan can only communicate with clients on the same vlan.

If you want to restrict inter-vlan traffic between certain vlans use access-lists on the SVI interfaces, it's the easiest solution.

Jon