Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
599
Views
5
Helpful
3
Replies

Trying to forward traffic to an edge router

JackDent02412
Level 1
Level 1

‎01-04-2020 04:55 PM

Hi everyone,

 

I'll try my best to explain the problem I'm having if it's not clear enough please say.

So I have two separate VLAN's (10,20) and they talk to each other over the network fine, but I am trying to get all the PC's to be able to ping the edge router. But I cannot have the other VLAN's being able to ping each other. Is there a solution to this?

 

PS I am a novice so if you could keep the answers relatively simple it would be greatly appreciated!

Labels:
Preview file
50 KB
0 Helpful
3 Replies 3

paul driver
VIP
VIP

‎01-04-2020 05:11 PM - edited ‎01-04-2020 05:16 PM

Hello

You have two options - 
1) access -list
2) virtual route forwarding (VRF)

The most simplistic way would be to use an access-list on the L3 interfaces for each vlan 10,20 either on the L3 switch or router

example:
access-list 110 deny icmp any 10.20.20.0 0.0.0.255  echo
access-list 110 deny icmp any 10.20.20.0 0.0.0.255 echo-reply
access-list 110 deny ip any 10.20.20.0 0.0.0.255
access-list 110 permit ip any any
int vlan 10
ip access-group 110 IN


access-list 120 deny icmp any 10.10.10.0 0.0.0.255  echo
access-list 120 deny icmp any 10.10.10.0 0.0.0.255 echo-reply
access-list 120 deny ip any 10.10.10.0 0.0.0.255
access-list 120 permit ip any any
int vlan 20
ip access-group 120 IN

 

Note-: The above access-list will negate ALL communication between those two vlans not just ping, so if you wish just to negate ping then the access-list would be:

access-list 110 deny icmp any 10.20.20.0 0.0.0.255  echo
access-list 110 deny icmp any 10.20.20.0 0.0.0.255 echo-reply
access-list 110 permit ip any any

access-list 120 deny icmp any 10.10.10.0 0.0.0.255  echo
access-list 120 deny icmp any 10.10.10.0 0.0.0.255 echo-reply
access-list 120 permit ip any any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

JackDent02412
Level 1
Level 1
In response to paul driver

‎01-04-2020 05:52 PM

Hi Paul,

 

Thanks very much for your answer, I’m sure a Access control list will help with the restrictions. Not sure if I made it clear in my question but the other problem I’m having is I can’t actually get one of the PC’s to ping either the Layer 3 or the router itself. The Layer 3 and the router can ping each other though...

 

 

0 Helpful

LikeMyFloydPink
Level 1
Level 1
In response to JackDent02412

‎01-04-2020 08:20 PM - edited ‎01-04-2020 08:22 PM

EDIT: In response to the "Oops I forgot to mention..." portion regarding connectivity between PC/L3 Switch-

Hey there! 

 

Real quick - check the IP address, subnet and/or VLAN info.  Your diagram has the IP's/Vlan as ".10.10; .20.20, etc. (or something similar) and then above the individual PC's "PC0, PC1.." you have a different IP address.  

I seriously just glanced at the diagram and this response is the first thing I thought to help you.  

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card