Hello everyone, I have a newbie question about a Cisco 3550 switch. I would like to break it up into 4 vlans and have port #24 attached to a Cisco 7206 router. I would like all of the vlans to have internet access through the router on port #24, but none of the vlans to be able to “see” one another. Do I need to put port #24 on its own vlan to route it? Or is there some other routing I should do? Should trunking be used? I apologize for my ignorance about these things. Reading the Cisco documentation gets me more upset than anything. Any help would be much appreciated. Thanks
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
cisco 3550 vlan help 1
- Thread starter pbxkid1
- Start date
-
1
- #3
You don't need to trunk the VLAN's to the 7206 for this, the 3550 can do all this for you.
1. Create the VLAN's in global config:
vlan 10
vlan 20
vlan 30
vlan 40
2. Put your phyical interfaces in each VLAN:
interface range fastethernet0/1 - 6
switchport mode access
switchport access vlan 10
!etc
3. Create the Layer-3 VLAN interfaces for each Layer-2 VLAN:
interface vlan 10
ip address 10.1.10.254 255.255.255.0
4. Create the link between the 7206 & the 3550 and turn on a routing protocol or add static routes to each device (static's defined below with a summary route on the 7206 for the VLAN's on the 3550):
!3550
interface fastethernet0/24
no switchport
ip address 10.255.255.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.255.255.2
!7206
interface fastethernet0/0/0
ip address 10.255.255.2 255.255.255.252
!
ip route 10.1.0.0 255.255.0.0 10.255.255.1
5. Finally you need to apply Access Control Lists to each Layer-3 VLAN interface to deny the traffic you don't want allowed between each VLAN:
ip access-list extended VLAN-10-Restrict
deny 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
deny 10.1.30.0 0.0.0.255 10.1.10.0 0.0.0.255
deny 10.1.40.0 0.0.0.255 10.1.10.0 0.0.0.255
permit ip any any
!
interface vlan 10
ip access-group VLAN-10-Restrict out
Obviously all the configuration isn't above but you can apply the same logic.
Zen37's comment about not turning a routing protocol on will prevent communication between the VLAN's is incorrect - whether you trunk'd the VLAN's to the 7206 or not; ACL's are the only way to achive the restrictions you are looking at.
HTH
Andy
1. Create the VLAN's in global config:
vlan 10
vlan 20
vlan 30
vlan 40
2. Put your phyical interfaces in each VLAN:
interface range fastethernet0/1 - 6
switchport mode access
switchport access vlan 10
!etc
3. Create the Layer-3 VLAN interfaces for each Layer-2 VLAN:
interface vlan 10
ip address 10.1.10.254 255.255.255.0
4. Create the link between the 7206 & the 3550 and turn on a routing protocol or add static routes to each device (static's defined below with a summary route on the 7206 for the VLAN's on the 3550):
!3550
interface fastethernet0/24
no switchport
ip address 10.255.255.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.255.255.2
!7206
interface fastethernet0/0/0
ip address 10.255.255.2 255.255.255.252
!
ip route 10.1.0.0 255.255.0.0 10.255.255.1
5. Finally you need to apply Access Control Lists to each Layer-3 VLAN interface to deny the traffic you don't want allowed between each VLAN:
ip access-list extended VLAN-10-Restrict
deny 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
deny 10.1.30.0 0.0.0.255 10.1.10.0 0.0.0.255
deny 10.1.40.0 0.0.0.255 10.1.10.0 0.0.0.255
permit ip any any
!
interface vlan 10
ip access-group VLAN-10-Restrict out
Obviously all the configuration isn't above but you can apply the same logic.
Zen37's comment about not turning a routing protocol on will prevent communication between the VLAN's is incorrect - whether you trunk'd the VLAN's to the 7206 or not; ACL's are the only way to achive the restrictions you are looking at.
HTH
Andy
- Thread starter
- #4
- Status
