cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2007
Views
10
Helpful
5
Replies
Stuart D
Beginner

Pinging a Device Outside of VLAN

Hi,

I've got a number of PCs in 4 different VLANs. Currently there is no inter-vlan routing so only devices within the same VLAN can ping each other. I've now added a server and a printer that lie outside all of these VLANs, but would like all PCs to be able to ping them. Is it possible to ping these without allowing PCs in different VLANs to ping each other. I've seen some suggestions saying to set switchport mode to trunking instead of access but I'm not sure how this would affect what I already have configured.

Thank you in advance for any help! 

 

I've included a section of the topology here if that helps give an overview of what I'm trying to achieve.

help.jpg

 

Example switch configuration:

 

interface Port-channel3

switchport mode trunk

!

interface FastEthernet0/1

switchport mode trunk

channel-group 3 mode active

!

interface FastEthernet0/2

switchport mode trunk

channel-group 3 mode active

!

interface FastEthernet0/10

switchport access vlan 40

switchport mode access

!

interface FastEthernet0/11

switchport access vlan 30

switchport mode access

!

interface Vlan1

no ip address

shutdown

!

interface Vlan10

mac-address 0004.9a4b.b401

ip address 192.168.10.1 255.255.255.0

!

interface Vlan20

mac-address 0004.9a4b.b402

ip address 192.168.20.1 255.255.255.0

!

interface Vlan30

mac-address 0004.9a4b.b403

ip address 192.168.30.1 255.255.255.0

!

interface Vlan40

mac-address 0004.9a4b.b404

ip address 192.168.40.1 255.255.255.0

!

5 REPLIES 5
luis_cordova
VIP Advisor

Hi @Stuart D ,

 

To get devices from different vlan to communicate, you must activate the routing between vlan.

After this, you can create an acl to filter the traffic between vlan.

 

Regards

Can we ping a device outside of vlan but not in different vlan , it’s just normal network

I find the question confusing. What is this that is outside the vlan but not in a different vlan? Can you provide some clarification?

 

But if we think in basic terms we can perhaps answer this question. There is a device in a vlan that wants to ping some other device that is not in this vlan. So what are the answers to these questions:

1) what is the gateway for the devices in this vlan?

2) does this gateway have ip routing enabled?

3) if ip routing is enabled does this gateway device have a route to the subnet where the other device is located?

4) are there any security policies along the path (access lists, firewalls, etc) that would deny the ping?

5) if the other device receives the ping request does it have a security policy that allows the ping?

6) if the security policy does permit the ping then the other device will attempt to send a response. What is the gateway for this other device?

7) does that other gateway have ip routing enabled?

8) if ip routing is enabled on that other gateway then does that other gateway have a route to the subnet of the original vlan?

9) are there any security policies along the path (access lists, firewalls, etc) that would deny the ping?

If these conditions are satisfied then yes you should be able to ping a device outside the vlan no matter where it is.

HTH

Rick
paul driver
VIP Expert

Hello


@Stuart D wrote:

Hi,

I've got a number of PCs in 4 different VLANs. Currently there is no inter-vlan routing so only devices within the same VLAN can ping each other. I've now added a server and a printer that lie outside all of these VLANs, but would like all PCs to be able to ping them. Is it possible to ping these without allowing PCs in different VLANs to ping each other. 


In short as @luis_cordova stated inter vlan communication requires routing 

 

The only other alternative i can personally think of is to have one large broadcast domain and apply some port security  between the hosts 

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Mohamed Alhenawy
Participant

Hello dear ,
Apply # ip route
So all SVI’s will see us