03-26-2022 01:09 PM
Hi
I just joined a company and there is an issue: on an L3 switch they have two VLANs.
VLAN 1 has 12 host PCs
VLAN 2 has access points
They don't want the PCs to communicate with the access points.
But they want 1 PC to communicate with both VLANs, and they don't want the VLANs to communicate with each other.
Any solution?
03-26-2022 01:21 PM - edited 03-26-2022 01:21 PM
You could use ACLs or, on the PC that communicates with both, depending on the OS, you could create multiple VLAN interfaces and assign each interface an IP from the correct subnet.
For the ACLs it would look like -
allow host PC IP address to vlan subnet 2
deny vlan 1 subnet to vlan 2 subnet
allow vlan 1 subnet to any (this is assuming internet access etc)
apply the above inbound on vlan 1 interface
allow vlan 2 subnet to host PC IP address
deny vlan 2 subnet to vlan 1 subnet
allow vlan 2 subnet to any (again you may or may not need this line)
apply the above inbound to vlan 2 interface
For the multiple VLAN interfaces, if you choose that option, make sure routing between interfaces is disabled on the OS.
Jon
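The ACL outline in the reply above, written out as IOS configuration. This is an added example, not part of the original post; the subnets, the host address and the ACL names are constructed assumptions.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   VLAN 1 (PCs)            192.168.1.0/24
!   VLAN 2 (access points)  192.168.2.0/24
!   PC allowed to reach both VLANs: 192.168.1.10
!
! Entries are evaluated top-down and the first match wins, so the
! host permit must come before the subnet-to-subnet deny.
ip access-list extended VLAN1-IN
 permit ip host 192.168.1.10 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Mirror image for traffic entering from the access point VLAN:
! only the one PC is reachable, the rest of VLAN 1 is not.
ip access-list extended VLAN2-IN
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.10
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! Each ACL is applied inbound on the SVI of its own source VLAN.
interface Vlan1
 ip access-group VLAN1-IN in
!
interface Vlan2
 ip access-group VLAN2-IN in
!
! Check per-entry match counters with: show ip access-lists
```

Every ACL ends in an implicit deny, so if the SVIs relay or serve DHCP, the clients' initial requests (sourced from 0.0.0.0) match none of these entries and need their own permit line.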
03-26-2022 01:32 PM - edited 03-26-2022 01:38 PM
! x.x.x.x - IP address of Host 1 from VLAN 1, y.y.y.y - network address of VLAN 2
access-list 100 permit ip host x.x.x.x y.y.y.y 0.0.0.255
interface vlan 2
ip access-group 100 in
Note: the above suggestion is based on the requirement (this is a live network, so please understand the ACL before applying it).
03-26-2022 02:06 PM
Balaji
You have applied the ACL to the wrong VLAN interface.
Also, you have not stopped VLAN 2 devices from sending traffic to PCs other than the allowed PC, which is why you also need an ACL on the VLAN 2 interface.
Jon
03-26-2022 05:07 PM - edited 03-26-2022 05:12 PM
Another solution worth at least considering is simply to have 2 network adapters on the host, or potentially a wireless network adapter for the access point VLAN connected through the access points and a wired one for the other VLAN. That computer would then have a different IP address on each VLAN, and be able to communicate on both. This naturally depends on the performance and reliability requirements for this host along with any potential DNS complications the separate IP address on each VLAN may present.
Note: With many network cards it may be possible to use VLAN trunk on the wired link to that host, and create two virtual ethernet connections on the host, one for each VLAN using the same ethernet connection. It would still have a different IP on each VLAN though.
03-29-2022 11:01 AM
Thank you for the solution, but I cannot apply this in a company where my seniors are observing me; also, if I do this I am not benefiting from Cisco routers and switches.
03-29-2022 01:38 PM
I am surprised that is the reason that such a solution is unworkable, although I don't know anything about the company culture, network policies, or if there is some underlying technical reason behind that reason.