Alternative method to using IP Forwarding?

  • Question
  • Updated 1 year ago
  • Answered
We have an Extreme switch that has the following vlans.

vlan1 switch interface is 192.168.10.4/24
vlan2 switch interface is 192.168.50.240/22      (so hosts are 48.0 through 51.255)


vlan1 has ipforwarding enabled but vlan2 does not. 

We need hosts that are on vlan2 to communicate with hosts on vlan1 and vice versa. The main problem is that we understand we can solve this by enabling ipforwarding on vlan2, but we don't want to do this if there is any other possible way. The point of VLANs is segregation, and we would just be removing that if we have ipforwarding enabled on both, wouldn't we?

Is there any other possible method to get traffic between even just a couple of hosts from each VLAN to talk? Maybe something more limited than the broad brush of ipforwarding, and secure, etc.?
Derek Mayberry

Posted 1 year ago
David Rahn
VLANs are to separate broadcast traffic, and they do.

If you want traffic to go from one VLAN to another, you will have to have routing at some point.

In Extreme, "enable ipforwarding" is just turning on routing between VLANs.

If you want security, you can use an ACL.

David Coglianese, Embassador
You beat me by 5 seconds 'cause I had to flip my brats.
David Coglianese, Embassador
Turning ipforwarding on would not impact your multicast segregation, which is half the battle.

Why is security such a concern? Is it industry or government related?

Perhaps you could do something with static routes. Or enable ipforwarding, then lock it down with an ACL.
Derek Mayberry
It is government. But let me make sure I understand... If I enable ipforwarding between these two VLANs, there is no downside to doing that? We still have separate broadcast traffic for them, etc.?
David Coglianese, Embassador
Correct, broadcast would still be separate.

The downside, like the upside, is that you then route traffic from one VLAN to the other. But if you want to get from one to the other, you have no choice. An ACL to only allow certain traffic might be your best bet to keep things locked down.
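As an added example (not part of the original thread or anyone's posted config), here is the "enable ipforwarding, then lock it down with an ACL" approach that both David Rahn and David Coglianese describe, written out as ExtremeXOS configuration for the two VLANs in the question. The two host addresses (192.168.50.10 on vlan2, 192.168.10.20 on vlan1), the policy names and the counter names are assumed for illustration; the command and policy-file syntax follow EXOS conventions and should be checked against the command reference for the switch's actual release.

```text
# --- EXOS CLI: turn on routing for vlan2 (vlan1 already has it) ---
enable ipforwarding vlan vlan2

# --- Policy file /config/v2_to_v1.pol: filters traffic ENTERING the switch on vlan2 ---
# EXOS evaluates entries top-down, and a packet that matches no entry is PERMITTED,
# so the explicit deny entry at the end is what actually keeps the VLANs apart.
entry allow_hostB_to_hostA {
    if {
        source-address 192.168.50.10/32;       # assumed host on vlan2
        destination-address 192.168.10.20/32;  # assumed host on vlan1
    } then {
        permit;
        count hostB_to_hostA;
    }
}
entry deny_rest_to_vlan1 {
    if {
        destination-address 192.168.10.0/24;
    } then {
        deny;
        count blocked_to_vlan1;
    }
}
# No entry matches 192.168.48.0/22 destinations, so traffic within vlan2 is untouched.

# --- Policy file /config/v1_to_v2.pol: the mirror image, applied on vlan1 ingress ---
# The ACL is stateless, so the return path needs its own permit entry.
entry allow_hostA_to_hostB {
    if {
        source-address 192.168.10.20/32;
        destination-address 192.168.50.10/32;
    } then {
        permit;
        count hostA_to_hostB;
    }
}
entry deny_rest_to_vlan2 {
    if {
        destination-address 192.168.48.0/22;
    } then {
        deny;
        count blocked_to_vlan2;
    }
}

# --- EXOS CLI: validate the policies, bind each to its VLAN, and watch the counters ---
check policy v2_to_v1
check policy v1_to_v2
configure access-list v2_to_v1 vlan vlan2 ingress
configure access-list v1_to_v2 vlan vlan1 ingress
show access-list counter vlan vlan2 ingress
show access-list counter vlan vlan1 ingress
```

Two things worth checking before relying on this: because the filtering is stateless, every allowed conversation needs a permit in both policy files (narrow them further with `protocol tcp;` and `destination-port` matches if only a specific service should cross), and the trailing deny on vlan2 also stops vlan2 hosts from reaching the switch's own vlan1 address 192.168.10.4, so add a permit for that if it is used for management. The `count` actions are there so `show access-list counter` can confirm that the permit entries are being hit and the deny entries are catching everything else.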
Erik Auerswald, Embassador
If you are fine with slower communication between a few specific end systems in each of the VLANs, you can use a firewall to route and filter between them. A switch is designed to allow line-rate forwarding between end systems, and can do some filtering as well. A firewall is designed to filter traffic, and do some forwarding as well.