isolate ip network of vlan from other on same port
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎12-01-2016 03:40 AM
Here is the scenario
we have multiple VLAN's configured as follows.
VLAN 2001 setting
create vlan "vlan2001"
configure vlan vlan2001 tag 2001
configure vlan vlan2001 add ports 21-24 tagged
configure vlan vlan2001 ipaddress 10.0.0.1 255.255.255.0
configure vlan vlan2001 dhcp-address-range 10.0.0.3 - 10.0.0.100
configure vlan vlan2001 dhcp-options default-gateway 10.0.0.1
enable ipforwarding vlan vlan2001
enable dhcp ports 21-24 vlan vlan2001
There are lots of other vlans
for example
create vlan "vlan199"
configure vlan vlan199 tag 199
configure vlan vlan199 add ports 21-24 tagged
configure vlan vlan199 ipaddress 172.16.199.1 255.255.255.0
configure vlan vlan199 dhcp-address-range 172.16.199.2 - 172.16.199.200
configure vlan vlan199 dhcp-options default-gateway 172.16.199.1
enable ipforwarding vlan vlan199
enable dhcp ports 21-24 vlan vlan199
Similiarly we have vlan 101 to 198 with ip 172.16.<101-198>.1 and dhcp range 172.16.<101-198>199.2 - 172.16.<101-198>.200
I want that 172.16.<101-199>.x should not be able to ping 10.0.0.x
How should I do that ?
Thanks.
we have multiple VLAN's configured as follows.
VLAN 2001 setting
create vlan "vlan2001"
configure vlan vlan2001 tag 2001
configure vlan vlan2001 add ports 21-24 tagged
configure vlan vlan2001 ipaddress 10.0.0.1 255.255.255.0
configure vlan vlan2001 dhcp-address-range 10.0.0.3 - 10.0.0.100
configure vlan vlan2001 dhcp-options default-gateway 10.0.0.1
enable ipforwarding vlan vlan2001
enable dhcp ports 21-24 vlan vlan2001
There are lots of other vlans
for example
create vlan "vlan199"
configure vlan vlan199 tag 199
configure vlan vlan199 add ports 21-24 tagged
configure vlan vlan199 ipaddress 172.16.199.1 255.255.255.0
configure vlan vlan199 dhcp-address-range 172.16.199.2 - 172.16.199.200
configure vlan vlan199 dhcp-options default-gateway 172.16.199.1
enable ipforwarding vlan vlan199
enable dhcp ports 21-24 vlan vlan199
Similiarly we have vlan 101 to 198 with ip 172.16.<101-198>.1 and dhcp range 172.16.<101-198>199.2 - 172.16.<101-198>.200
I want that 172.16.<101-199>.x should not be able to ping 10.0.0.x
How should I do that ?
Thanks.
26 REPLIES 26
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎12-01-2016 10:04 AM
show iproute (end) output so we can see everything.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎12-01-2016 09:52 AM
* X460-24t.4 # disable ipforwarding vlan199
* X460-24t.5 # show iproute vlan199
Ori Destination Gateway Mtr Flags VLAN Duration
#d 172.16.199.0/24 172.16.199.1 1 U------um--f- vlan199 18d:21h:4m
:23s
Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP
(ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext
(e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2
(is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp
(mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2
(oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM
(r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown
(*) Preferred unicast route (@) Preferred multicast route
(#) Preferred unicast and multicast route
Flags: (B) BlackHole, (b) BFD protection requested, (c) Compressed, (D) Dynamic
(f) Provided to FIB, (G) Gateway, (H) Host Route, (L) Matching LDP LSP
(l) Calculated LDP LSP, (3) L3VPN Route, (m) Multicast, (P) LPM-routing
(p) BFD protection active, (R) Modified, (S) Static, (s) Static LSP
(T) Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up
MPLS Label: (S) Bottom of Label Stack
Mask distribution:
1 routes at length 24
Route Origin distribution:
1 routes from Direct
Total number of routes = 1
Total number of compressed routes = 0
* X460-24t.6 # enable ipforwarding vlan199
* X460-24t.7 # show iproute vlan199
Ori Destination Gateway Mtr Flags VLAN Duration
#d 172.16.199.0/24 172.16.199.1 1 U------um--f- vlan199 18d:21h:8m
:27s
Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP
(ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext
(e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2
(is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp
(mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2
(oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM
(r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown
(*) Preferred unicast route (@) Preferred multicast route
(#) Preferred unicast and multicast route
Flags: (B) BlackHole, (b) BFD protection requested, (c) Compressed, (D) Dynamic
(f) Provided to FIB, (G) Gateway, (H) Host Route, (L) Matching LDP LSP
(l) Calculated LDP LSP, (3) L3VPN Route, (m) Multicast, (P) LPM-routing
(p) BFD protection active, (R) Modified, (S) Static, (s) Static LSP
(T) Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up
MPLS Label: (S) Bottom of Label Stack
Mask distribution:
1 routes at length 24
Route Origin distribution:
1 routes from Direct
Total number of routes = 1
Total number of compressed routes = 0
One thing I noticed that on disabling ipforwarding .
ping to DNS server (which is outside the switch) stops and works on enabling ipforwarding .
* X460-24t.5 # show iproute vlan199
Ori Destination Gateway Mtr Flags VLAN Duration
#d 172.16.199.0/24 172.16.199.1 1 U------um--f- vlan199 18d:21h:4m
:23s
Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP
(ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext
(e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2
(is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp
(mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2
(oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM
(r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown
(*) Preferred unicast route (@) Preferred multicast route
(#) Preferred unicast and multicast route
Flags: (B) BlackHole, (b) BFD protection requested, (c) Compressed, (D) Dynamic
(f) Provided to FIB, (G) Gateway, (H) Host Route, (L) Matching LDP LSP
(l) Calculated LDP LSP, (3) L3VPN Route, (m) Multicast, (P) LPM-routing
(p) BFD protection active, (R) Modified, (S) Static, (s) Static LSP
(T) Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up
MPLS Label: (S) Bottom of Label Stack
Mask distribution:
1 routes at length 24
Route Origin distribution:
1 routes from Direct
Total number of routes = 1
Total number of compressed routes = 0
* X460-24t.6 # enable ipforwarding vlan199
* X460-24t.7 # show iproute vlan199
Ori Destination Gateway Mtr Flags VLAN Duration
#d 172.16.199.0/24 172.16.199.1 1 U------um--f- vlan199 18d:21h:8m
:27s
Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP
(ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext
(e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2
(is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp
(mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2
(oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM
(r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown
(*) Preferred unicast route (@) Preferred multicast route
(#) Preferred unicast and multicast route
Flags: (B) BlackHole, (b) BFD protection requested, (c) Compressed, (D) Dynamic
(f) Provided to FIB, (G) Gateway, (H) Host Route, (L) Matching LDP LSP
(l) Calculated LDP LSP, (3) L3VPN Route, (m) Multicast, (P) LPM-routing
(p) BFD protection active, (R) Modified, (S) Static, (s) Static LSP
(T) Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up
MPLS Label: (S) Bottom of Label Stack
Mask distribution:
1 routes at length 24
Route Origin distribution:
1 routes from Direct
Total number of routes = 1
Total number of compressed routes = 0
One thing I noticed that on disabling ipforwarding .
ping to DNS server (which is outside the switch) stops and works on enabling ipforwarding .
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎12-01-2016 07:49 AM
show iproute?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎12-01-2016 07:28 AM
One more thing ,
I did
disable ipforwarding vlan vlan199
I thought , this will prevent PC device with ip 172.16.199.2 to ping any 10.0.0.x or 172.16.<101-198>.x
That did not happen.
I did
disable ipforwarding vlan vlan199
I thought , this will prevent PC device with ip 172.16.199.2 to ping any 10.0.0.x or 172.16.<101-198>.x
That did not happen.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎12-01-2016 07:21 AM
On my switch
* X460-24t.2 # unconfigure access-list no_voip_access
done!
* X460-24t.2 # unconfigure access-list no_voip_access
Execute the command
egress Acls applied to egress
ingress Acls applied to ingress
No port option .
Anyway , not a problem for me .
* X460-24t.2 # unconfigure access-list no_voip_access
done!
* X460-24t.2 # unconfigure access-list no_voip_access
egress Acls applied to egress
ingress Acls applied to ingress
No port option .
Anyway , not a problem for me .
