Permit one IP address to different VLANs under one router without a trunk port

LisaWu8484407
Level 1

Hi, 

I am new here, trying to figure out how it works... I will be very grateful if someone can give me a hand here.

I have created a network that has 5 different VLANs in a bus topology:

wireless router - router - switch(vlan10) - switch(vlan20) - switch(vlan30) - switch(vlan40 with a server) - switch(vlan50)

 

but the VLANs cannot communicate with each other. For that reason, I did not create a trunk... so here is the problem. I have a manager's PC under VLAN 40 which should have access to VLAN 10. I tried to add an access-list permit on the router but it doesn't work... I don't know if it's because I didn't set up the trunk or whether there is some other way of doing it.

Any suggestions will help, thank you.

Accepted Solution

The access-list 10 will have a default deny. Since you have applied it inbound on each sub-interface, you will be blocking traffic on all but 0/0/0.40.

For now, remove the ip access-group 10 in from all sub-interfaces and you will get working inter-vlan comms.

Let us know what inter-vlan security you require and we can suggest the correct ACLs and positions.

cheers,
Seb.

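Why a standard ACL applied that way blocks everything, and what a working version looks like. The configuration below is an added example written for this thread; it is not the poster's actual config, which was never shown. It assumes router sub-interfaces GigabitEthernet0/0/0.10 through .50, 192.168.<vlan>.0/24 addressing on each VLAN and a manager's PC at 192.168.40.10; those names and addresses are assumptions. The mechanism is this: a standard ACL such as access-list 10 matches the source address only and ends in an implicit deny. Applied inbound on 0/0/0.10 it permits only packets sourced from the manager's PC, but every packet arriving inbound on 0/0/0.10 is sourced from VLAN 10, so all of them, including replies to the manager, are dropped. The same holds for .20, .30 and .50, which leaves 0/0/0.40 as the only sub-interface passing traffic, exactly as the accepted solution says.

```cisco
! ===== BROKEN: the setup the accepted solution describes =====
! One standard ACL applied inbound on every sub-interface. A standard ACL
! matches the SOURCE address only and ends in an implicit "deny any".
! (Addresses and interface names are assumptions made for this example.)
access-list 10 permit host 192.168.40.10
!
! Inbound on .10 every packet is sourced from VLAN 10, so nothing can match
! the manager's address: all of VLAN 10, replies included, is dropped.
interface GigabitEthernet0/0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 10 in
!
! Inbound on .40 only the manager's PC matches: the one sub-interface that works.
interface GigabitEthernet0/0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip access-group 10 in
! .20, .30 and .50 are configured the same way and block everything as well.
!
! ===== FIXED: manager's PC -> VLAN 10 only, every other VLAN isolated =====
! Step 1: take the standard ACL off all five sub-interfaces, then delete it.
interface GigabitEthernet0/0/0.10
 no ip access-group 10 in
interface GigabitEthernet0/0/0.20
 no ip access-group 10 in
interface GigabitEthernet0/0/0.30
 no ip access-group 10 in
interface GigabitEthernet0/0/0.40
 no ip access-group 10 in
interface GigabitEthernet0/0/0.50
 no ip access-group 10 in
no access-list 10
!
! Step 2: extended ACLs match source AND destination, so each direction of
! the allowed flow can be written where that traffic actually enters the
! router. ACL names are assumptions.
ip access-list extended VLAN40-IN
 remark only the manager's PC may leave VLAN 40, and only towards VLAN 10
 permit ip host 192.168.40.10 192.168.10.0 0.0.0.255
 deny   ip any any
!
ip access-list extended VLAN10-IN
 remark VLAN 10 may answer the manager's PC and nothing else
 permit ip 192.168.10.0 0.0.0.255 host 192.168.40.10
 deny   ip any any
!
ip access-list extended ISOLATED-IN
 remark VLANs 20, 30 and 50: no inter-VLAN traffic at all
 deny   ip any any
!
! Step 3: apply each ACL inbound on the sub-interface where that VLAN's
! traffic enters the router.
interface GigabitEthernet0/0/0.10
 ip access-group VLAN10-IN in
interface GigabitEthernet0/0/0.40
 ip access-group VLAN40-IN in
interface GigabitEthernet0/0/0.20
 ip access-group ISOLATED-IN in
interface GigabitEthernet0/0/0.30
 ip access-group ISOLATED-IN in
interface GigabitEthernet0/0/0.50
 ip access-group ISOLATED-IN in
```

Check the result with a ping from the manager's PC to a VLAN 10 host and then `show ip access-lists`, whose per-entry match counters show which line each packet hit; `show ip interface GigabitEthernet0/0/0.40` reports the inbound list bound to the sub-interface. Two caveats: an inbound ACL also filters packets addressed to the router's own sub-interface address, so with `deny ip any any` a host in VLAN 20 can no longer ping its gateway or use the router as a DHCP relay; where that matters, add `permit ip any host 192.168.20.1` (the sub-interface address) ahead of the deny. And `permit ip` covers every protocol, which is fine for proving the path works; once the services the manager actually needs are known, narrow it to those (for example `permit tcp host 192.168.40.10 192.168.10.0 0.0.0.255 eq 443`).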

5 Replies

Seb Rupik
VIP Alumni

Hi there,

Looking at your topology, each switch is configured with just one VLAN and then these switches are just connected to one another?

I assume the router connected to switch(vlan10) uses sub-interfaces with configuration for VLANs 10, 20, 30, 40, 50?

Your switches will also need to have the connections between them configured as trunk links. At this stage don't explicitly specify the VLAN IDs.

This should allow a frame from VLAN40 to traverse the switches towards the sub-interface on the router and be routed.

Can you share the config of the router?

cheers,

Seb.


LisaWu8484407
Level 1

Hi Seb,

I did configure all the VLANs on the router, but I thought once I create the trunk, all the VLANs will link and start to communicate. But in this case, because of the manager's PC, maybe I should set up the trunk and create the deny-list?


LisaWu8484407
Level 1

Hi Seb, I don't know how to post pics here, so I replied under this topic.

Thank you :)

Mark Malone
VIP Alumni

Hi,

The layer 2 switches will need trunks between them to speak to each other, with the VLANs allowed on each end.

The router is controlling all the VLAN interfaces and will need to be enabled for inter-VLAN routing for any VLANs to be able to communicate with each other. You need an L3 device for inter-VLAN communication, like VLAN 10 to speak to VLAN 20 by IP, etc.

Looking at that design, the router would work with a router-on-a-stick setup, where the sub-interfaces on the router would have dot1q tags for the VLANs and the switch end would just be a pure layer 2 trunk.

This link shows how you would set up a router on a stick back to a switch, if the router does not have L2 ports for a true trunk:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/336-cisco-router-8021q-router-stick.html

If the router can just do a trunk back to the switch, that would be easier; then have all the VLAN interfaces on the router itself.

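Seb's trunk advice and Mark's router-on-a-stick layout as one concrete configuration for the five-switch bus. This is an added example for this thread, not configuration from the poster or either responder. It assumes Catalyst-style access switches with GigabitEthernet0/1 and 0/2 as the two bus-facing uplinks and FastEthernet ports as host ports, the router's physical interface GigabitEthernet0/0/0, 192.168.<vlan>.0/24 addressing, and VLAN 999 as an otherwise unused native VLAN; all of those names and numbers are assumptions.

```cisco
! ===== Every switch in the chain (repeat on all five) =====
! A trunk only forwards a VLAN that exists in that switch's VLAN database,
! so each switch in the bus must define all five VLANs, not just "its own".
! Otherwise VLAN 50 frames die somewhere between switch(vlan10) and the router.
vlan 10
 name VLAN10
vlan 20
 name VLAN20
vlan 30
 name VLAN30
vlan 40
 name VLAN40
vlan 50
 name VLAN50
!
! Native VLAN for the trunks; assumption: 999 has no hosts anywhere.
vlan 999
 name NATIVE-UNUSED
!
! The two bus-facing links: towards the router (or previous switch) and
! towards the next switch. On ISL-capable platforms (3560/3750 class) add
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".
interface range GigabitEthernet0/1 - 2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50
 switchport nonegotiate
 no shutdown
!
! Host port: untagged, one VLAN, DTP disabled so it can never become a trunk.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 40
 switchport nonegotiate
 spanning-tree portfast
!
! ===== Router (router-on-a-stick) =====
! The physical interface carries the tagged trunk and has no address itself.
interface GigabitEthernet0/0/0
 no ip address
 no shutdown
!
! One dot1q sub-interface per VLAN; each address is that VLAN's gateway.
interface GigabitEthernet0/0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
interface GigabitEthernet0/0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
interface GigabitEthernet0/0/0.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
```

Verify on each switch with `show interfaces trunk`: both ends of every link must show all five VLANs as allowed and active, and `show vlan brief` must list all five on every switch, including the ones that have no host in that VLAN. On the router, `show ip interface brief` should show the five sub-interfaces up. Once this is in place the router will route between all VLANs, which is the opposite of what the thread wants for most of them; the trunks only make routing possible, the ACLs on the router sub-interfaces decide what is actually allowed. The `switchport nonegotiate` and unused-native-VLAN settings are hardening on top of Seb's "don't specify the VLAN IDs yet" advice: they remove DTP negotiation and double-tagging as ways for a host to reach a VLAN it is not in, and the `allowed vlan` list can be added after the basic trunks are confirmed working.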