I am attempting to segregate my VLANs. I have a voice VLAN, a data VLAN, and a POS VLAN. The voice and data VLANs do not need to be segregated. For the purpose of PCI compliance, I need the POS VLAN to not be reachable by the other two VLANs. I am using an IAD881, which is the same as a standard 881; the only difference is that it has 4 FXO ports. The following are my current interface settings:
interface FastEthernet0
switchport access vlan 500
switchport voice vlan 600
duplex full
speed 100
!
interface FastEthernet1
switchport access vlan 500
switchport voice vlan 600
duplex full
speed 100
!
interface FastEthernet2
switchport access vlan 500
switchport voice vlan 600
duplex full
speed 100
!
interface FastEthernet3
switchport access vlan 10
duplex full
speed 100
!
interface FastEthernet4
description $ETH-WAN$
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip access-group 107 in
ip access-group 106 out
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex full
speed 100
!
interface Vlan1
no ip address
!
interface Vlan10
description POS
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan500
description Data
ip address 10.30.30.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
!
interface Vlan600
description Voice
ip address 172.16.16.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip policy route-map Voice
Is there any easy way to stop the VLANs from communicating, or do I need to set up a list of ACLs for each subnet and attach the ACLs to each VLAN interface?
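
The per-interface ACL approach the question describes, as an added example that is not part of the original post. The ACL names `POS-ISOLATE` and `NO-POS` are hypothetical; the subnets are the ones in the posted interface settings, and everything not explicitly denied is assumed to stay permitted as it is today.

```cisco
! Added example, not from the original post.
! ACL names POS-ISOLATE and NO-POS are hypothetical.
! Subnets come from the posted configuration:
!   Vlan10  POS    192.168.1.0/24
!   Vlan500 Data   10.30.30.0/24
!   Vlan600 Voice  172.16.16.0/24
!
! Traffic entering the router from the POS VLAN:
! drop anything destined to Data or Voice, leave the rest unchanged.
ip access-list extended POS-ISOLATE
 deny   ip any 10.30.30.0 0.0.0.255
 deny   ip any 172.16.16.0 0.0.0.255
 permit ip any any
!
! Traffic entering the router from Data or Voice:
! drop anything destined to the POS subnet (including the 192.168.1.1 gateway).
! Data and Voice can still reach each other.
ip access-list extended NO-POS
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip access-group POS-ISOLATE in
!
interface Vlan500
 ip access-group NO-POS in
!
interface Vlan600
 ip access-group NO-POS in
```

Because the denies are applied inbound on both sides, neither direction of a POS-to-Data or POS-to-Voice flow is routed; `show ip access-lists` shows the match counters on the deny lines when testing from a host in each VLAN.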