Solved

Cisco Vlan routing prevention

Posted on 2012-03-12
4
396 Views
Last Modified: 2012-03-12
Hello Experts,

I am in the process of setting up Router on a stick.  A simple scenario:
1. Cisco Router (x1)
2. 1 Cisco Switch 2960
3. Other brand switches connecting to the Cisco 2960

I would like to know the following
a. I have Vlan 1, 2, 3.   What is the best way to avoid Vlan 2 and 3 from communicating, but Vlan 2 and 3 need to talk to Vlan 1.  (Should I block this via Access-list on the router) or is there an easy way to do it on the switch?

Thank you,
R
0
Comment
Question by:RandallVillalobos
  • 2
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
rowansmith earned 500 total points
ID: 37712978
You will need to use an access list on your router.

I would suggest an inbound access list on VLAN 2 which:
permit vlan2_subnet to vlan1_subnet
deny any any

Open in new window


and an inbound access list on VLAN3 which
permit vlan3_subnet to vlan1_subnet
deny any any

Open in new window


Fo the sake of completeness and security in depth you should also add a acl on VLAN1:
permit vlan1_subnet to vlan2_subnet
permit vlan1_subnet to vlan3_subnet
deny any any

Open in new window


Make sure all your access lists work on an INBOUND principle, do not let any traffic into the router unless it is destined for an allowed network.
0
 

Author Comment

by:RandallVillalobos
ID: 37712980
Thanks for help and assistance.   Can I configure these acl's on a Layer 2 Switch or are they applied on the Router?
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 37713011
No this separation is Layer 3 only.  A Layer 2 switch has no visibility of the IP Addresses.

Your router is providing the IP connectivity between the VLANs.  Even if you had a Layer 3 switch, it still has a routing engine which would perform the same function that you have, (in this case), offloaded to your Cisco Router.
0
 

Author Closing Comment

by:RandallVillalobos
ID: 37713074
Appreciate your help.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco Access point 6 54
Restrict RDP Remote Access through SonicWall 3 93
Botnet detection help me please 21 78
P2P and MPLS 3 41
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

937 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

5 Experts available now in Live!

Get 1:1 Help Now