gevansmdes asked:
Cisco VLAN Security

C3750 - 12.2(35)SE

Switch has VLANS

What are several ways I can stop the VLANs from being able to communicate with each other? I do have EIGRP enabled on the switch.

Thanks
Portal-Potty#show run
Building configuration...
 
Current configuration : 12936 bytes
!
! Last configuration change at 16:28:56 CDT Mon Nov 17 2008 by kturner
! NVRAM config last updated at 16:29:27 CDT Mon Nov 17 2008 by kturner
!
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Buggs
!
clock timezone CDT -6
clock summer-time CDT recurring
switch 1 provision ws-c3750g-24t
switch 2 provision ws-c3750g-24t
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name buggs.com
!
ip ssh version 2
!
!
no file verify auto
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 3 priority 24576
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
 switchport access vlan 4
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 4
 no mdix auto
 spanning-tree portfast
!         
interface GigabitEthernet1/0/3
 description Connection to 6509
 switchport access vlan 3
 no mdix auto
!
interface GigabitEthernet1/0/4
 switchport access vlan 4
 speed 1000
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 no mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport access vlan 2
 no mdix auto
 spanning-tree portfast
!
 
!         
interface Vlan1
 description To Pix
 ip address 10.88.0.2 255.255.255.240
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan2
 ip address 10.88.0.17 255.255.255.240
!
interface Vlan3
 ip address 10.88.0.33 255.255.255.240
!
router eigrp 88
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.80.2.0 255.255.255.0 10.88.0.1
ip route 10.80.224.0 255.255.255.0 10.88.0.1
ip route 10.80.226.0 255.255.255.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40
no ip http server


ASKER CERTIFIED SOLUTION
bkepford

SOLUTION
gevansmdes (ASKER)

So are these the only two ways to do it? If the VLANs were not in EIGRP, would the VLANs be able to communicate with each other?
SOLUTION
So if I remove EIGRP (it's not needed) and also remove "ip routing", then the VLANs will become separate LANs, correct? Would I have to do anything with these?

ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.80.2.0 255.255.255.0 10.88.0.1
ip route 10.80.224.0 255.255.255.0 10.88.0.1
ip route 10.80.226.0 255.255.255.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40
SOLUTION
If I were to remove the "ip route" statements

and only use

ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40

then the VLANs would not communicate with each other via Layer 3, correct?

Also, what is the purpose of the commands below?

ip route 0.0.0.0 0.0.0.0 10.88.0.1
ip route 10.89.1.0 255.255.255.0 10.88.0.40

Answer this and I should be good to go. Many thanks for your help.

FYI: I plan to make each VLAN connect to my firewall by making sub-interfaces on the firewall for each VLAN. This way I can use the firewall to control communication instead of ACLs on the switch.
Yes, that will work, and I almost suggested it, except then I realized that even on the firewall you will have to create an access control list to block from one IP group to the other, and I figured it would be just as easy for you to keep what you had and do the blocking on the switch. Plus, I figured you bought a Cisco 3750 for a reason and didn't want to have you turn off the Layer 3 portion of the switch if you didn't have to.

All said and done, either way will work.
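The two approaches the thread settles on, written out against the VLAN numbers and subnets in the posted config (VLAN 2 = 10.88.0.16/28, VLAN 3 = 10.88.0.32/28, PIX at 10.88.0.1 on VLAN 1). This is an added example, not configuration posted by anyone in the thread: the ACL names are mine, GigabitEthernet1/0/7 is assumed to be a free port, and the firewall-side sub-interface configuration is not shown.

```cisco
! ===== Option A: keep "ip routing" and filter inter-VLAN traffic on the SVIs =====
! Added example. A router ACL applied inbound on each user-VLAN SVI stops the two user
! VLANs from reaching each other while still letting them follow the default route to the PIX.
ip access-list extended VLAN2-IN
 remark VLAN 2 hosts may not reach VLAN 3; "log" writes a syslog line per denied flow
 deny   ip 10.88.0.16 0.0.0.15 10.88.0.32 0.0.0.15 log
 permit ip 10.88.0.16 0.0.0.15 any
!
ip access-list extended VLAN3-IN
 remark VLAN 3 hosts may not reach VLAN 2
 deny   ip 10.88.0.32 0.0.0.15 10.88.0.16 0.0.0.15 log
 permit ip 10.88.0.32 0.0.0.15 any
!
interface Vlan2
 ip access-group VLAN2-IN in
!
interface Vlan3
 ip access-group VLAN3-IN in
!
! Check: "show ip interface vlan 2" lists the applied ACL, and "show ip access-lists"
! shows hit counts on the deny lines once a host tries to cross VLANs.

! ===== Option B: make the switch Layer 2 only and route between VLANs on the firewall =====
! Added example. With "no ip routing" the switch no longer uses its routing table, so the
! static "ip route" lines stop mattering; "ip default-gateway" covers the switch's own
! management traffic (the VLAN 1 SVI at 10.88.0.2 stays up for that).
no router eigrp 88
no ip routing
ip default-gateway 10.88.0.1
!
! The user-VLAN SVIs are no longer gateways; the firewall sub-interfaces take that role.
interface Vlan2
 no ip address
 shutdown
!
interface Vlan3
 no ip address
 shutdown
!
! Assumed free port Gi1/0/7 as an 802.1Q trunk to the firewall, carrying only the VLANs in use.
interface GigabitEthernet1/0/7
 description Trunk to firewall (one sub-interface per VLAN on the firewall side)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-4
 switchport mode trunk
```

In Option A the final `permit` line matches only sources inside the VLAN's own subnet, so a packet arriving on VLAN 2 with a source address from some other range falls through to the implicit deny; that is a useful anti-spoofing side effect, and the `log` keyword on the deny entries gives the syslog evidence needed to notice hosts probing the neighbouring VLAN. In Option B the hosts' default gateways must be moved to the firewall sub-interface addresses, and the inter-VLAN policy then lives entirely in the firewall's rule set.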
SOLUTION