Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1062
Views
10
Helpful
6
Replies

Want to connect one host with two vlans, without vlans interaction

Go to solution
osama.javed
Level 1
Level 1

‎03-26-2022 01:09 PM

Hi

I just joined a company, there is an issue, on a L3 switch they have two vlans.

Vlan 1 have 12 host pcs

Vlan 2 have access points

They dont want pc's to communicate with access points.

But they want 1 pc to communicate with both vlans, and they dont want vlans to communicate with eachother.

Any solution?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-26-2022 01:21 PM - edited ‎03-26-2022 01:21 PM

 

You could use acls or on the PC that communicates with both depending on the OS you could create multiple vlan interfaces and assign each interface an IP from the correct subnet. 

 

For the acls it would look like - 

 

allow host PC IP address to vlan subnet 2
deny vlan 1 subnet to vlan 2 subnet
allow vlan 1 subnet to any (this is assuming internet access etc)

 

apply the above inbound on vlan 1 interface

 

allow vlan 2 subnet to host PC IP address
deny vlan 2 subnet to vlan 1 subnet
allow vlan 2 subnet to any (again you may or may not need this line)

 

apply the above inbound to vlan 2 interface

 

For the multiple vlan interfaces if you choose that option make sure routing between interfaces is disabled on the OS. 

 

Jon

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-26-2022 01:32 PM - edited ‎03-26-2022 01:38 PM

access-list 10 permit ip host x.x.x.x y.y.y.y 0.0.0.255  ( x.x.x.x Host 1 IP address from vlan 1, y.y.y.y - IP address network of VLAN2)

 

interface vlan 2
ip access-group 10 in

 

 

Note: above suggestion is based on the requirement ( Live network please understand the ACL and apply).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

6 Replies 6

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-26-2022 01:21 PM - edited ‎03-26-2022 01:21 PM

 

You could use acls or on the PC that communicates with both depending on the OS you could create multiple vlan interfaces and assign each interface an IP from the correct subnet. 

 

For the acls it would look like - 

 

allow host PC IP address to vlan subnet 2
deny vlan 1 subnet to vlan 2 subnet
allow vlan 1 subnet to any (this is assuming internet access etc)

 

apply the above inbound on vlan 1 interface

 

allow vlan 2 subnet to host PC IP address
deny vlan 2 subnet to vlan 1 subnet
allow vlan 2 subnet to any (again you may or may not need this line)

 

apply the above inbound to vlan 2 interface

 

For the multiple vlan interfaces if you choose that option make sure routing between interfaces is disabled on the OS. 

 

Jon

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-26-2022 01:32 PM - edited ‎03-26-2022 01:38 PM

access-list 10 permit ip host x.x.x.x y.y.y.y 0.0.0.255  ( x.x.x.x Host 1 IP address from vlan 1, y.y.y.y - IP address network of VLAN2)

 

interface vlan 2
ip access-group 10 in

 

 

Note: above suggestion is based on the requirement ( Live network please understand the ACL and apply).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to balaji.bandi

‎03-26-2022 02:06 PM

 

Balaji 

 

You have applied the acl to the wrong vlan interface. 

 

Also you have not stopped vlan 2 devices from sending traffic to PCs other than the allowed PC which is why you also need an acl on the vlan 2 interface. 

 

Jon

0 Helpful

Go to solution
Zanthra
Level 1
Level 1

‎03-26-2022 05:07 PM - edited ‎03-26-2022 05:12 PM

Another solution worth at least considering is simply to have 2 network adapters on the host, or potentially a wireless network adapter for the access point VLAN connected through the access points and a wired one for the other VLAN. That computer would then have a different IP address on each VLAN, and be able to communicate on both. This naturally depends on the performance and reliability requirements for this host along with any potential DNS complications the separate IP address on each VLAN may present.

 

Note: With many network cards it may be possible to use VLAN trunk on the wired link to that host, and create two virtual ethernet connections on the host, one for each VLAN using the same ethernet connection. It would still have a different IP on each VLAN though.

0 Helpful

Go to solution
osama.javed
Level 1
Level 1
In response to Zanthra

‎03-29-2022 11:01 AM

Thank you for the solution, but I cannot apply this in a company where my seniors are observing me, also if I do this I am not benefiting with cisco routers and switches.

0 Helpful

Go to solution
Zanthra
Level 1
Level 1
In response to osama.javed

‎03-29-2022 01:38 PM

I am surprised that is the reason that such a solution is unworkable, although I don't know anything about the company culture, network policies, or if there is some underlying technical reason behind that reason.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card