Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1021
Views
10
Helpful
7
Replies

Segmentation of Traffic on Switches

Go to solution
mahesh18
Level 6
Level 6

‎07-03-2018 05:46 PM - edited ‎03-08-2019 03:33 PM

Hi Everyone,

 

If we have end device like AP  and their Gateway lives on the Cisco Switch.

But we want that layer 3 gateway of different subnets configured on this switch should not talk to each other for that can we config the acl and apply that to the layer 3 vlan on the switch.?

 

 

or 

 

If we have switch and it has default gateway for each different subnets on the switch and we have no ACL on the switch can then IP in one subnet talk to IP in another subnet?

 

Regards

Mahesh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to mahesh18

‎07-04-2018 01:42 PM

Hi Mahesh,

I mean users on vlan 10 can access the 10.10.0.0/16 network as we have static route there?

Correct, assuming network 10.10.0.0/16 is up and running. Also, for reachability, the device that has network 10.10.0.0/16 needs to have a static route back to vlan 10 (192.168.10.0).

Also they can access any network as we have default gateway configured?

In an environment like this where we have multiple SVIs and the switch is actually routing, it is better to have a default route instead of a default gateway.  A default gateway is mainly used on a layer-2 switch with one SVI which is used for management and needs reachability to the rest of the network.

So, 

ip route 0.0.0.0 0.0.0.0 <next hop ip>

HTH

View solution in original post

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to mahesh18

‎07-06-2018 07:20 PM

Hi Mahes

If say switch1 has default route to switch2 then if device in vlan 10 can access the rest of network as 

switch1 has default route to switch 2 right?

Correct.

Also to make this happen then switch2 needs route back to device in vlan 10 right?

That is correct. 

HTH

 

View solution in original post

7 Replies 7

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎07-03-2018 06:44 PM

Hi Mahesh,

But we want that layer 3 gateway of different subnets configured on this switch should not talk to each other for that can we config the acl and apply that to the layer 3 vlan on the switch.?

That is correct. You would need to configure ACLs and apply them to proper vlan interfaces (SVIs) to block communications.

If we have switch and it has default gateway for each different subnets on the switch and we have no ACL on the switch can then IP in one subnet talk to IP in another subnet?

Correct. By default, the SVIs can communicate with each other unless you configure access lists and applies them to the SVIs.

HTH

 

 

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Reza Sharifi

‎07-03-2018 07:59 PM

 

Hi Reza,

 

Thanks for answering this question too.

One last thing if we have this setup 

 

Different  subnets and all the layer 3 gateway  for those subnets live on one switch.

There are no ACL  so all these layer 3 subnets can talk to each other.

 

If we have these  layer 3 SVI  on the switch 

 

192.168.10.1  vlan 10

192.168.20.1  vlan 20

192.168.30.1 vlan 30

 

If we have this static routes on the switch 

 

10.10.0.0/16 next hop 10.1.10.0

default gateway is 0.0.0.0/0

 

then users on the vlan 10 can access all the ips in the vlan 20 and 30 and also they can access  any

network as long as there is static route on the switch ?

 

I mean users on vlan 10 can access the 10.10.0.0/16 network as we have static route there?

 

Also they can access any network as we have default gateway configured?

 

Regards

Mahesh

 

 

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to mahesh18

‎07-04-2018 01:42 PM

Hi Mahesh,

I mean users on vlan 10 can access the 10.10.0.0/16 network as we have static route there?

Correct, assuming network 10.10.0.0/16 is up and running. Also, for reachability, the device that has network 10.10.0.0/16 needs to have a static route back to vlan 10 (192.168.10.0).

Also they can access any network as we have default gateway configured?

In an environment like this where we have multiple SVIs and the switch is actually routing, it is better to have a default route instead of a default gateway.  A default gateway is mainly used on a layer-2 switch with one SVI which is used for management and needs reachability to the rest of the network.

So, 

ip route 0.0.0.0 0.0.0.0 <next hop ip>

HTH

Go to solution
mahesh18
Level 6
Level 6
In response to Reza Sharifi

‎07-06-2018 04:56 PM

Hi Reza,

 

sorry for typo

 

i mean to ask for 

ip route 0.0.0.0/0 not ip default gateway.

 

If say switch1 has default route to switch2 then if device in vlan 10 can access the rest of network as 

switch1 has default route to switch 2 right?

 

Also to make this happen then switch2 needs route back to device in vlan 10 right?

 

Regards

Mahesh

 

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to mahesh18

‎07-06-2018 07:20 PM

Hi Mahes

If say switch1 has default route to switch2 then if device in vlan 10 can access the rest of network as 

switch1 has default route to switch 2 right?

Correct.

Also to make this happen then switch2 needs route back to device in vlan 10 right?

That is correct. 

HTH

 

Go to solution
mahesh18
Level 6
Level 6
In response to Reza Sharifi

‎07-17-2018 03:50 PM

Many thanks Reza!!!

 

Best Regards

Mahesh

0 Helpful

Go to solution
AymanMunassar
Level 1
Level 1

‎07-09-2018 11:24 AM

Q1: Yes, Assuming you enabled the routing between them

Q2: No, unless you type (config)# ip routing in the L3 switch

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card