Routing Between Two VLANs

Discussion in 'Cisco' started by Bob Simon, Feb 5, 2007.

  1. Bob Simon (Guest)

    Tomorrow morning I need to set up routing between two VLANs on a 2950.
    Both VLANs need access to outside but traffic is not allowed to flow
    between them. The router is a 3745.

    This will be my first time doing this so I'd appreciate it if someone
    would check my configs and verify that I'm not missing anything.

    Here's my config for the switch:
    int f0/1
    switchport mode trunk
    switchport access vlan 1
    switchport trunk native vlan 1

    Here's my config for the router:
    int f0/0
    no ip address
    int f0/0.1
    encapsulation dot1q 1
    ip address 192.168.195.25 255.255.255.252
    int f0/0.2
    encapsulation dot1q 2
    ip address 172.16.98.1 255.255.255.0

    Here's how I propose to prevent access from one VLAN to the other.
    Will this work? Does the access-group get applied to the major
    interface or the subinterface?

    ip access-list extended no_route
    deny ip 192.168.195.0 0.0.0.255 172.16.98.0 0.0.0.255
    deny ip 172.16.98.0 0.0.0.255 192.168.195.0 0.0.0.255
    permit ip any any

    int f0/0
    ip access-group no_route in
    Bob Simon, Feb 5, 2007
    #1

  2. Guest

    Your configuration looks pretty good. One question, is the mask on
    f0/0.1 really a /30? If so, you'll want to change your ACL a little.
    (see below) Personally I like to hard set my speed/duplex settings,
    but that's just me. This is how I would configure things:

    [switch]
    int f0/1
    switchport mode trunk
    duplex full
    speed 100

    [router]
    int f0/0
    full-duplex
    speed 100
    no ip address
    int f0/0.1
    encapsulation dot1q 1
    ip address 192.168.195.25 255.255.255.252
    ip access-group no_route in
    int f0/0.2
    encapsulation dot1q 2
    ip address 172.16.98.1 255.255.255.0
    ip access-group no_route in

    ip access-list extended no_route
    deny ip 192.168.195.24 0.0.0.3 172.16.98.0 0.0.0.255
    deny ip 172.16.98.0 0.0.0.255 192.168.195.24 0.0.0.3
    permit ip any any

    Hope this helps,
    -Dan
    Guest, Feb 5, 2007
    #2
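The ACL semantics that Dan's correction relies on, as an added example that is not part of the thread (Python written for this page, not Cisco code). It implements IOS wildcard-mask matching (a 1 bit in the wildcard means "don't care") and first-match-wins with the implicit deny at the end of every list, derives the network/wildcard pair for the /30 from the prefix, and runs Bob's original entries and Dan's tightened ones over constructed flows. The host addresses 192.168.195.26 and 172.16.98.50, the outside address 203.0.113.10 and the stray probe address 192.168.195.200 are made up for the example.

```python
"""IOS-style extended ACL evaluation for the no_route list (added example).

Only 'permit ip' / 'deny ip' entries with any / host / address+wildcard
operands are supported, which covers every entry in the thread.
"""
import ipaddress
from typing import List, Tuple

ACE = Tuple[str, str, str, str, str]  # (action, src, src_wildcard, dst, dst_wildcard)

# Bob's original list: /24 wildcards on both sides.
ORIGINAL_ACL = """
ip access-list extended no_route
 deny ip 192.168.195.0 0.0.0.255 172.16.98.0 0.0.0.255
 deny ip 172.16.98.0 0.0.0.255 192.168.195.0 0.0.0.255
 permit ip any any
"""

# Dan's tightened list: the f0/0.1 subnet is 192.168.195.24/30, wildcard 0.0.0.3.
TIGHTENED_ACL = """
ip access-list extended no_route
 deny ip 192.168.195.24 0.0.0.3 172.16.98.0 0.0.0.255
 deny ip 172.16.98.0 0.0.0.255 192.168.195.24 0.0.0.3
 permit ip any any
"""


def prefix_to_wildcard(cidr: str) -> Tuple[str, str]:
    """Network/wildcard pair for a prefix: the wildcard is the host mask,
    i.e. the bit positions IOS treats as 'don't care'."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: only bit positions where the wildcard is 0 must agree."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def _take_operand(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one address operand: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[ACE]:
    """Parse the entries of one named extended ACL, skipping the header and comments."""
    aces: List[ACE] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        (src, sw), rest = _take_operand(tokens[2:])
        (dst, dw), rest = _take_operand(rest)
        if rest:
            raise ValueError(f"trailing tokens in entry: {line}")
        aces.append((action, src, sw, dst, dw))
    return aces


def evaluate(acl: List[ACE], src: str, dst: str) -> str:
    """First matching entry wins; a list with no matching entry ends in IOS's implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


# Constructed sample flows (hosts and the outside address are made up for this example).
VLAN1_HOST = "192.168.195.26"   # the other usable address in 192.168.195.24/30
VLAN2_HOST = "172.16.98.50"
OUTSIDE = "203.0.113.10"


def policy_verdicts(acl_text: str) -> dict:
    """Verdicts for the four flows the thread cares about plus one probe source
    that lies in 192.168.195.0/24 but outside the /30 actually on f0/0.1."""
    acl = parse_acl(acl_text)
    return {
        "vlan1->vlan2": evaluate(acl, VLAN1_HOST, VLAN2_HOST),
        "vlan2->vlan1": evaluate(acl, VLAN2_HOST, VLAN1_HOST),
        "vlan1->outside": evaluate(acl, VLAN1_HOST, OUTSIDE),
        "vlan2->outside": evaluate(acl, VLAN2_HOST, OUTSIDE),
        "stray 192.168.195.200->vlan2": evaluate(acl, "192.168.195.200", VLAN2_HOST),
    }


if __name__ == "__main__":
    print("f0/0.1 subnet as IOS network/wildcard:", prefix_to_wildcard("192.168.195.25/30"))
    for name, text in (("original", ORIGINAL_ACL), ("tightened", TIGHTENED_ACL)):
        print(name, policy_verdicts(text))
```

Both lists block the two subnets from each other and let both reach the outside; they differ only for 192.168.195.x sources outside the /30, which the original list also denies and the tightened one passes to `permit ip any any`. On the router, `show ip access-lists no_route` shows per-entry match counters once traffic flows, and `show ip interface FastEthernet0/0.1` confirms which list is bound inbound on the subinterface.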

  3. Bob Simon (Guest)

    Thank you for pointing out the discrepancy between the IP address mask
    and the ACL wildcard mask.

    Can you please explain why the access-group statement is applied to
    the sub-interfaces instead of f0/0?
    Bob Simon, Feb 5, 2007
    #3
  4. J.Cottingim (Guest)

    The ACL needs to be applied to the interface that will "see" the
    traffic.
    f0/0 acts only as a layer ONE device in this case - and therefore will
    not "see" the layer THREE traffic you are trying to filter.

    Try to think of the sub-interfaces as "real" interfaces. This makes it
    easier to think about.
    J.Cottingim, Feb 5, 2007
    #4
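How a frame on the trunk ends up at one subinterface rather than at f0/0, as an added example that is not part of the thread (Python written for this page, not Cisco code). It builds constructed Ethernet frames with and without an 802.1Q tag, reads the VLAN id from the tag, and hands each frame to the subinterface whose `encapsulation dot1q` matches; a tag with no matching subinterface is dropped before any inbound ACL could be consulted. Treating untagged frames as VLAN 1 reflects IOS's default native VLAN and is an assumption parameterised as NATIVE_VLAN; the MAC addresses, the hosts 192.168.195.26, 172.16.98.50 and 10.0.0.1, and the outside address 203.0.113.10 are placeholders.

```python
"""802.1Q demultiplexing on a router-on-a-stick trunk (added example).

A frame arriving on FastEthernet0/0 is handed to the subinterface whose
'encapsulation dot1q <vid>' matches its tag; the major interface has no IP
address and never evaluates the packet at layer 3.
"""
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
# Assumption: IOS treats VLAN 1 as the native VLAN by default, so untagged
# frames on the trunk are handed to the subinterface configured for VLAN 1.
NATIVE_VLAN = 1

# The thread's subinterface configuration: VLAN id -> (subinterface, router address)
SUBINTERFACES: Dict[int, Tuple[str, str]] = {
    1: ("FastEthernet0/0.1", "192.168.195.25"),
    2: ("FastEthernet0/0.2", "172.16.98.1"),
}


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(vid: Optional[int], src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Constructed test frame: Ethernet II, optional 802.1Q tag, minimal IPv4 header.
    MAC addresses are placeholders and the IP checksum is left at zero, which is
    enough for demultiplexing but would not survive a real host's IP stack."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vid is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP/DEI bits = 0
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol (TCP), checksum, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                       _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ipv4 + payload


def parse_frame(frame: bytes) -> Tuple[int, int, bytes]:
    """Return (vlan_id, ethertype, payload). Untagged frames belong to NATIVE_VLAN."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid = 14, NATIVE_VLAN
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN id
    return vid, ethertype, frame[offset:]


def demux(frame: bytes) -> Optional[Tuple[str, int, Tuple[str, str]]]:
    """Hand the frame to the owning subinterface and expose what that subinterface
    'sees' at layer 3: (subinterface, vlan_id, (src_ip, dst_ip)).
    None means the router has no subinterface for the tag (or the payload is not
    IPv4) and the frame is dropped before any ip access-group is consulted."""
    vid, ethertype, payload = parse_frame(frame)
    owner = SUBINTERFACES.get(vid)
    if owner is None or ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return None
    src, dst = struct.unpack("!4s4s", payload[12:20])
    return owner[0], vid, (_ip_str(src), _ip_str(dst))


if __name__ == "__main__":
    samples = {
        "tagged vlan 2": build_frame(2, "172.16.98.50", "192.168.195.26"),
        "untagged (native)": build_frame(None, "192.168.195.26", "203.0.113.10"),
        "tagged vlan 99": build_frame(99, "10.0.0.1", "172.16.98.1"),
    }
    for name, frame in samples.items():
        print(name, "->", demux(frame))
```

The point the reply makes follows from the lookup: an inbound `ip access-group` can only be evaluated once the frame has been assigned to f0/0.1 or f0/0.2, because that assignment is what turns a trunk frame into a packet belonging to one subnet. The same reasoning applies to the other per-interface features the thread goes on to discuss.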
  5. Bob Simon (Guest)

    Thank you. I see some other commands that are currently associated
    with F0/0 that would seem to fall into this category:
    ip nat inside
    ip nbar protocol-discovery
    service-policy input PMap_Vendor

    I presume these should all be moved to one of the sub-interfaces as
    well. Is that correct?
    Bob Simon, Feb 5, 2007
    #5
  6. Thrill5 (Guest)

    Yes. Having them on the fa interface doesn't do anything.

    Scott
    Thrill5, Feb 6, 2007
    #6
