04-27-2019 01:13 PM - edited 04-27-2019 01:15 PM
Hi,
I've got a number of PCs in 4 different VLANs. Currently there is no inter-VLAN routing, so only devices within the same VLAN can ping each other. I've now added a server and a printer that lie outside all of these VLANs, but would like all PCs to be able to ping them. Is it possible to ping these without allowing PCs in different VLANs to ping each other? I've seen some suggestions saying to set switchport mode to trunking instead of access, but I'm not sure how this would affect what I already have configured.
Thank you in advance for any help!
I've included a section of the topology here if that helps give an overview of what I'm trying to achieve.
Example switch configuration:
interface Port-channel3
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode trunk
 channel-group 3 mode active
!
interface FastEthernet0/2
 switchport mode trunk
 channel-group 3 mode active
!
interface FastEthernet0/10
 switchport access vlan 40
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 30
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 mac-address 0004.9a4b.b401
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 mac-address 0004.9a4b.b402
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 mac-address 0004.9a4b.b403
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan40
 mac-address 0004.9a4b.b404
 ip address 192.168.40.1 255.255.255.0
!
04-27-2019 01:43 PM
Hi @Stuart D,
To get devices from different VLANs to communicate, you must activate routing between the VLANs.
After this, you can create an ACL to filter the traffic between VLANs.
Regards
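The approach suggested in the reply above (enable routing, then filter with ACLs), as an added example that is not part of the original thread. It assumes the switch is layer-3 capable and that the server and printer are placed in a new VLAN 50 with subnet 192.168.50.0/24; the VLAN number, that subnet and the ACL names are placeholders, while the 192.168.10.0 to 192.168.40.0 subnets come from the posted configuration.

```cisco
! Assumption: server and printer live in VLAN 50, 192.168.50.0/24 (placeholder values)
ip routing
!
vlan 50
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
!
! One inbound ACL per user SVI: allow the shared subnet, deny the other user VLANs
ip access-list extended VLAN10-IN
 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN20-IN
 permit ip 192.168.20.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN30-IN
 permit ip 192.168.30.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip any any
ip access-list extended VLAN40-IN
 permit ip 192.168.40.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip access-group VLAN20-IN in
!
interface Vlan30
 ip access-group VLAN30-IN in
!
interface Vlan40
 ip access-group VLAN40-IN in
```

Each host needs the SVI address of its own VLAN as its default gateway for this to work. The ACLs only see routed traffic, so PCs inside the same VLAN still reach each other at layer 2.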
03-27-2020 04:51 AM
03-28-2020 09:20 AM
I find the question confusing. What is this that is outside the VLAN but not in a different VLAN? Can you provide some clarification?
But if we think in basic terms we can perhaps answer this question. There is a device in a VLAN that wants to ping some other device that is not in this VLAN. So what are the answers to these questions:
1) What is the gateway for the devices in this VLAN?
2) Does this gateway have IP routing enabled?
3) If IP routing is enabled, does this gateway device have a route to the subnet where the other device is located?
4) Are there any security policies along the path (access lists, firewalls, etc.) that would deny the ping?
5) If the other device receives the ping request, does it have a security policy that allows the ping?
6) If the security policy does permit the ping, then the other device will attempt to send a response. What is the gateway for this other device?
7) Does that other gateway have IP routing enabled?
8) If IP routing is enabled on that other gateway, then does that other gateway have a route to the subnet of the original VLAN?
9) Are there any security policies along the path (access lists, firewalls, etc.) that would deny the ping?
If these conditions are satisfied, then yes, you should be able to ping a device outside the VLAN no matter where it is.
04-27-2019 03:31 PM
Hello
@Stuart D wrote:
Hi,
I've got a number of PCs in 4 different VLANs. Currently there is no inter-VLAN routing, so only devices within the same VLAN can ping each other. I've now added a server and a printer that lie outside all of these VLANs, but would like all PCs to be able to ping them. Is it possible to ping these without allowing PCs in different VLANs to ping each other?
In short, as @luis_cordova stated, inter-VLAN communication requires routing.
The only other alternative I can personally think of is to have one large broadcast domain and apply some port security between the hosts.
04-28-2019 09:06 AM