VLANS to explicit Subnets on specific ports?

Can you secure VLANS to explicit Subnets on specific ports?

I want to allow only devices on specific ip ranges to connect to the ports that have been allocated to that particular vlan. For example

192.168.50.x – SERVERS – VLAN 10 only (ports 1 to 5 allocated to vlan) I want devices on the 192.168.50.x subnet only to work when physically plugged into these ports
192.168.40.x – Clients – VLAN 20 only (ports 6 to 10 allocated to vlan) I want devices on the 192.168.40.x subnet only to work when physically plugged into these ports
L-Plate Asked:
noci (Software Engineer) Commented:
Yes & No...
There is no way to ensure network addresses are linked to VLANs...
Except for one thing: the router between VLANs (networks).
You need to have a router that has a link to VLAN 10 (e.g. 192.168.50.1) and that has a link to VLAN 20 (e.g. 192.168.40.1) with the right addresses.

The default GW of all systems should point to the router on the respective addresses.
Stolsie Commented:
Hi OP

Devices will work whatever you plug them into, providing you have done proper configuration.
I have an idea of what you're getting at.
Like the above says, if you have a network with only switches and no router then devices on Vlan X can only see devices on Vlan X.
I'm assuming you'll be using an HP L3 switch.

Vlan interface 10 192.168.50.1/24 will only be able to talk to devices on that Vlan till you enable routing and configure the other Vlan interface.
You can then add VACLs and manage IP access that way.

So you can prevent devices accessing it like this:
ip access-list extended 10
   25 deny ip 192.168.40.0 0.0.0.255 any
   30 permit ip any any
vlan 10
   ip access-group 10 out
That will tell the server range it can't communicate with anything on 192.168.40.0/24, but anything else is fair game.

PS: my command might not be 100% correct, it's been a while :)
noci (Software Engineer) Commented:
@Stolsie, that will only work with stuff trying to leave the VLAN (e.g. to access the switch); within the VLAN I doubt it will filter.
And then only on this switch; if there are other components involved they won't care about these filters.
(Switching is done by MAC address (L2), not IP address, unless routing is involved.)
Stolsie Commented:
"Vlan interface 10 192.168.50.1/24 will only be able to talk to devices on that Vlan till you enable routing and configure the other Vlan interface.
 you can then add VACLs and manage IP access that way. "
Stolsie Commented:
As in, remove the routing, then Vlan 10 can only talk to devices connected to ports assigned to Vlan 10....
noci (Software Engineer) Commented:
And if all devices on that LAN use 10.0.0/8 then the switch won't talk; devices amongst themselves will still talk.
L-Plate (Author) Commented:
Thanks guys
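
An added illustration (not part of the thread and not switch configuration): a small Python model of the ACL from Stolsie's answer and of noci's point that it is only consulted for routed traffic. The function names, the VLAN 30 host and the sample addresses are constructed, and the model assumes routed-ACL semantics in which frames switched inside one VLAN never reach the ACL.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard mask is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # wildcard bits set to 1 mean "don't care"
    return (a & care) == (b & care)

# The ACL from the thread as (action, source base, source wildcard).
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255.
ACL_10 = [
    ("deny",   "192.168.40.0", "0.0.0.255"),
    ("permit", "0.0.0.0",      "255.255.255.255"),
]
ACL_OUT = {10: ACL_10}  # ACL applied "out" on the VLAN 10 interface only

def acl_verdict(acl, src_ip):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src_ip, base, wildcard):
            return action
    return "deny"

def forward(src_ip, src_vlan, dst_vlan):
    """Return (path, verdict) for a packet in this simplified model (assumption)."""
    if src_vlan == dst_vlan:
        # Same VLAN: forwarded by MAC address at L2, the ACL is never looked up.
        return ("switched", "permit")
    acl = ACL_OUT.get(dst_vlan)
    return ("routed", acl_verdict(acl, src_ip) if acl else "permit")

if __name__ == "__main__":
    cases = [  # constructed sample traffic
        ("client in VLAN 20 -> server VLAN",      "192.168.40.25", 20, 10),
        ("other subnet in VLAN 30 -> server VLAN", "192.168.30.7",  30, 10),
        ("40.x host plugged into a VLAN 10 port",  "192.168.40.25", 10, 10),
        ("server in VLAN 10 -> client VLAN",       "192.168.50.10", 10, 20),
    ]
    for label, src, sv, dv in cases:
        print(f"{label:42} {forward(src, sv, dv)}")
```

The third case is the one the original question cares about: a 192.168.40.x host plugged into a VLAN 10 port still reaches its neighbours, because the ACL only sees traffic that crosses the routed interface.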
Question has a verified solution.