
Alternative method to using IP Forwarding?


We have an Extreme switch that has the following vlans.

vlan1 switch interface is 192.168.10.4/24
vlan2 switch interface is 192.168.50.240/22 (so hosts are 48.0 through 51.255)

vlan1 has ipforwarding enabled but vlan2 does not.

We need hosts that are on vlan2 to communicate with hosts on vlan1 and vice versa. The main problem is that we understand we can solve this by enabling ipforwarding on vlan2, but we don't want to do this if there is any other possible way. The point of VLANs is segregation, and we would just be removing that if we had ipforwarding enabled on both, wouldn't we?

Is there any other possible method to get traffic between even just a couple of hosts from each VLAN to talk? Maybe something more limited than the broad brush of ipforwarding, and more secure, etc.?


VLANs are to separate broadcast traffic, and they do.

If you want traffic to go from one VLAN to another you will have to have routing at some point.

In Extreme, "enable ipforwarding" is just turning on routing between VLANs.

If you want security, you can use an ACL.
Turning ipforwarding on would not impact your multicast segregation, which is half the battle. Why is security such a concern? Is it industry or government related? Perhaps you could do something with static routes. Or enable ipforwarding, then lock it down with an ACL.
David Rahn wrote:

VLANs are to separate broadcast traffic, and they do.

If you want traffic to go from one VLAN to another you will have to have routing at some point.

In Extreme, "enable ipforwarding" is just turning on routing between VLANs.

If you want security, you can use an ACL.

You beat me by 5 seconds because I had to flip my brauts.
It is government. But let me make sure I understand... If I enable ipforwarding between these two vlans, there is no downside to doing that? We still have separate broadcast traffic for them etc.
Correct, broadcast would still be separate. The downside, like the upside, is that you then route traffic from one VLAN to the other. But if you want to get from one to the other you have no choice. An ACL to only allow certain traffic might be your best bet to keep things locked down.
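An added illustration of the "enable ipforwarding, then lock it down with an ACL" approach the replies describe; this is not configuration posted by anyone in the thread or by Extreme Networks. It assumes an EXOS switch, the two VLAN addresses from the question, and constructed host addresses (192.168.48.10 on vlan2 and 192.168.10.20 on vlan1) as the only pair allowed to cross. The policy file below is applied on vlan2 ingress, so it only governs traffic entering the switch from vlan2 hosts.

```text
# vlan2_to_vlan1.pol  (hypothetical file name)
# Applied to vlan2 ingress. EXOS evaluates entries top to bottom;
# traffic matching no entry is permitted by default, so the
# explicit deny toward the vlan1 subnet is what enforces segregation.

entry permit_host_a_to_server {
    if match-all {
        source-address 192.168.48.10/32;   # constructed vlan2 host
        destination-address 192.168.10.20/32;   # constructed vlan1 host
    } then {
        permit;
        count permitted_cross_vlan;   # counter for auditing what crossed
    }
}

entry deny_rest_to_vlan1 {
    if match-all {
        destination-address 192.168.10.0/24;   # everything else bound for vlan1
    } then {
        deny;
        count denied_cross_vlan;   # counter so blocked attempts are visible
    }
}
```

Usage on the switch, in order: `enable ipforwarding vlan vlan2`, then `check policy vlan2_to_vlan1` to validate syntax, then `configure access-list vlan2_to_vlan1 vlan vlan2 ingress`. Two points a practitioner should keep in mind: ACLs here are stateless, so the reply traffic from vlan1 back to vlan2 enters on vlan1 ports and needs its own mirrored policy on vlan1 ingress (permit 192.168.10.20 to 192.168.48.10, deny the rest toward 192.168.48.0/22), and the `count` actions give you something to check with `show access-list counter` when verifying that only the intended pair is actually crossing.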
If you are fine with slow performance communication between a few specific end systems in each of the VLANs, you can use a firewall to route and filter between them. A switch is designed to allow line rate forwarding between end systems, and can do some filtering as well. A firewall is designed to filter traffic, and do some forwarding as well.
