VLAN's, subinterface, access-lists and 3560 catalyst switch?

jeffhouston
Level 1

Hi,

How can I isolate VLAN 121 from all others?

 

I have a Cisco 2811 router connected to a 3560 Catalyst switch which has 5 VLANs, of which I need to protect IP traffic of 4 from 1.

The following VLANs configured on the switch:

VLAN 0 192.168.132.0 /24

VLAN 135 ..135.0 /24

VLAN 137 ..137.0 /24

VLAN 139 ..139.0 /24 and lastly,

VLAN 121 192.168.121.0 /24, which I wish to isolate all IP from VLAN 0, 135, 137, and 139 but have internet out the 2811's other interface. Currently all VLANs and routing are working perfectly.

 

I need some advice please. Here is my plan: to split FA0/0 into FA0/0.1 for VLAN 121 using dot1q and apply an access-list to deny 192.168.121.0 on the FA0/0 interface. Since I'm essentially creating VLANs with the router, can or will that interfere with the switch VLAN configuration? Router on a stick vs. a Layer 4 Cisco 3560 Catalyst switch?

Thank you!


4 Replies

schaef350
Level 1

I will have to assume VLAN 0 is the native VLAN / default interface on the router?  All VLANs are numbered native or not.  Just ensure the VLAN numbering matches between the router and the trunking on the switch.

 

Yes, you could create a sub-interface on the 2811 and use the router to route the VLAN. Apply an access list on the other interfaces to block access to the VLAN you want to protect. If you have routing enabled on the 3560 as well, you would complicate the situation a bit more.

 

Please rate helpful posts! :-)


- Be sure to rate all helpful posts

I am routing between VLANs with the switch but the router knows the routes too. I want to put an access list on the router's FA0/0 interface like:

access-list 121 deny ip 192.168.121.0 0.0.0.255

access-list 121 permit ip any any

But since the route for VLAN 121 is the switch 192.168.132.226, that probably won't work, right?

Do I need to apply it to each VLAN interface itself? How would you do it?

Thanks!

Ah ok. If you're routing on the switch you can just add your ACLs there. I would try to keep things simple with only one device doing the inter-VLAN routing unless you have a major reason to do otherwise.

 

Please rate helpful posts! :-)

- Be sure to rate all helpful posts
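The accepted answer says to put the ACL on the device that actually routes between the VLANs, the 3560. The following Python is an added example (not code from either poster or from Cisco) that builds the extended ACL the thread is reaching for, renders it as the IOS lines you would paste onto the switch, and evaluates it against a few constructed flows using the same first-match, implicit-deny semantics IOS applies. The subnets are the ones in the question; the host addresses, the ACL number 121 and the SVI name Vlan121 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Subnets taken from the thread; which one is "VLAN 0" does not matter for the ACL.
ISOLATED = ipaddress.ip_network("192.168.121.0/24")
OTHER_SUBNETS = [ipaddress.ip_network(s) for s in (
    "192.168.132.0/24", "192.168.135.0/24",
    "192.168.137.0/24", "192.168.139.0/24",
)]
ANY = ipaddress.ip_network("0.0.0.0/0")


def ios_addr(net: ipaddress.IPv4Network) -> str:
    """Render a subnet the way an IOS extended ACL expects: address plus wildcard mask."""
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"   # hostmask is the inverse (wildcard) mask


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip) -> bool:
        return src_ip in self.src and dst_ip in self.dst

    def to_ios(self, number: int) -> str:
        return f"access-list {number} {self.action} ip {ios_addr(self.src)} {ios_addr(self.dst)}"


def build_isolation_acl(with_final_permit: bool = True):
    """Deny VLAN 121 -> each internal subnet, then permit everything else (internet)."""
    entries = [AclEntry("deny", ISOLATED, net) for net in OTHER_SUBNETS]
    if with_final_permit:
        # Without this line the implicit deny at the end drops VLAN 121's internet traffic too.
        entries.append(AclEntry("permit", ANY, ANY))
    return entries


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action
    return "deny"


def render_ios(acl, number: int = 121, interface: str = "Vlan121") -> str:
    """IOS lines for the 3560: the ACL plus its inbound binding on the SVI (assumed names)."""
    lines = [entry.to_ios(number) for entry in acl]
    lines += [f"interface {interface}", f" ip access-group {number} in"]
    return "\n".join(lines)


if __name__ == "__main__":
    acl = build_isolation_acl()
    print(render_ios(acl))
    # Constructed sample flows: one internal, one toward the internet.
    for s, d in [("192.168.121.10", "192.168.135.20"), ("192.168.121.10", "8.8.8.8")]:
        print(f"{s} -> {d}: {evaluate(acl, s, d)}")
```

Two points the flows make visible. First, ACL numbers 100 to 199 are extended ACLs, so the final entry has to be "permit ip any any"; with only the deny lines, the implicit deny also drops VLAN 121's internet traffic. Second, binding the list inbound on Vlan121 only filters packets sourced from VLAN 121: a host on VLAN 135 can still send the first packet toward VLAN 121 (the reply is then dropped, so sessions fail, but probes still arrive). For a strict two-way wall, add the mirrored deny entries inbound on the other four SVIs as well.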

That's what I ended up doing and it worked.

Thanks so much for your feedback!
