2

Network Not work

I have two VLANs configured through a multilayer switch and one router with DHCP service. I configured trunk and access ports as shown in the image below.

I need to block traffic between VLANs.

The .gif shows that my network currently allows sending messages between VLAN10 and VLAN20, but they shouldn't see each other.

How can I block that traffic? I have already configured subinterfaces with encapsulation dot1q [vlan number].

Thank you for your help!!

Cisco Packet Tracer File: dropbox.com/s/y7cplt8l6zpv303/v2.pkt?dl=0

Commands used in another network with the same purpose: docs.google.com/document/d/120PfwrPki67Z2gMxoCz8Z6SidulgLCiUVLU-NqVBq3w/edit#


** ROUTER CONFIG
ip dhcp pool 10
 network 172.16.0.0 255.255.255.128
 default-router 172.16.0.1
ip dhcp pool 20
 network 172.17.0.0 255.255.255.128
 default-router 172.17.0.1
ip dhcp pool vlan10
 network 172.16.0.0 255.255.255.128
 default-router 172.16.0.1
ip dhcp pool vlan20
 network 172.17.0.0 255.255.255.128
 default-router 172.17.0.1
!

Router#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        172.116.1.1     YES manual up                    up
FastEthernet0/0.10     172.16.0.1      YES manual up                    up
FastEthernet0/0.20     172.17.0.1      YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES unset  administratively down down



Router#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------



**** Switch config

interface FastEthernet0/1
 switchport trunk allowed vlan 1-19,21-1005
!
interface FastEthernet0/2
 switchport trunk allowed vlan 1-9,11-1005
!

Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   vlan10                           active    
20   vlan20                           active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   
  • Liliana, please include the configuration of your switches and router. Most of us don't have packet tracer.
    – Ron Trunk
    Commented Jun 8, 2016 at 0:12
  • I don't see VLANs 20,30,40,50 defined on S_Technologica. I only see VLAN 10. Also, are the VLANs defined on the access switches?
    – Ron Trunk
    Commented Jun 8, 2016 at 0:38
  • It is better if you put the configuration text in your question, so everyone can see it. In Pastebin, all I see is the router. Make sure you have defined all your VLANs on the multilayer switch.
    – Ron Trunk
    Commented Jun 8, 2016 at 1:00
  • Paste the config text directly into the question, not a link to Pastebin.
    – Ron Trunk
    Commented Jun 8, 2016 at 1:06
  • 1
    Sorry I misunderstood you before. You need to apply an access-list on the subinterfaces to filter traffic destined for other VLANs. We need to see correct IP subnets and masks to give you an example. The addresses in your diagram don't make sense (255.255.255.226 is not a valid mask).
    – Ron Trunk
    Commented Jun 8, 2016 at 2:10

1 Answer

2

You need an access list to block inter-VLAN traffic. There will be one for each subinterface. For example

! standard ACL applied outbound on the VLAN 10 subinterface: deny every
! other VLAN's subnet as source (VLAN 20 is 172.17.0.0/25 from the DHCP
! pools above, wildcard 0.0.0.127), then permit everything else
access-list 10 deny 172.17.0.0 0.0.0.127
access-list 10 deny <vlan 30>
access-list 10 deny <etc>
access-list 10 permit any

interface fa 0/0.10
 ip access-group 10 out

If you've never configured access lists before, note the following:

  • The subnet masks in the statement are "wildcard masks." They are the one's complement of a normal mask.

  • You need to add a line in your access list for every VLAN you want to block.

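The answer's approach, worked through as an added example that is not part of the original answer: a Python script generates the per-subinterface standard ACL for any number of VLANs and evaluates it the way the router would (first match on the source address, implicit deny at the end). The subnets are the ones from the question's DHCP pools; the ACL numbers reuse the VLAN id as the answer does (an assumption, any standard-range number works), and the router-on-a-stick subinterface naming FastEthernet0/0.<vlan> follows the question's "sh ip int br" output.

```python
import ipaddress

# Constructed from the question's DHCP pools: VLAN id -> subnet. The router's
# subinterface FastEthernet0/0.<vlan> is that VLAN's gateway (router-on-a-stick).
VLANS = {
    10: "172.16.0.0/25",
    20: "172.17.0.0/25",
}


def wildcard(net):
    """IOS wildcard mask: the one's complement of the subnet mask.
    ipaddress exposes exactly that as .hostmask (255.255.255.128 -> 0.0.0.127)."""
    return str(ipaddress.ip_network(net).hostmask)


def build_acls(vlans):
    """One standard ACL per subinterface, numbered after the VLAN as in the answer
    (ACL 10 for fa0/0.10; an assumption, not an IOS rule). The ACL for VLAN X
    denies every *other* VLAN's subnet as source and then permits everything
    else. An entry is (action, network); network=None means 'any'."""
    nets = {vid: ipaddress.ip_network(n) for vid, n in vlans.items()}
    acls = {}
    for vid in nets:
        if not (1 <= vid <= 99 or 1300 <= vid <= 1999):
            raise ValueError(f"VLAN {vid} is outside the standard ACL number ranges")
        entries = [("deny", other) for ovid, other in sorted(nets.items()) if ovid != vid]
        entries.append(("permit", None))
        acls[vid] = entries
    return acls


def render(acls):
    """Emit the IOS configuration: the access-list lines plus the per-subinterface
    'ip access-group <n> out' that applies them."""
    out = []
    for vid, entries in sorted(acls.items()):
        for action, net in entries:
            if net is None:
                out.append(f"access-list {vid} permit any")
            else:
                out.append(f"access-list {vid} {action} {net.network_address} {wildcard(net)}")
        out.append(f"interface FastEthernet0/0.{vid}")
        out.append(f" ip access-group {vid} out")
        out.append("!")
    return "\n".join(out)


def permitted(entries, src):
    """First-match evaluation of a standard ACL on the packet's source address.
    A standard ACL only looks at the source; if nothing matches, the implicit
    deny at the end drops the packet."""
    addr = ipaddress.ip_address(src)
    for action, net in entries:
        if net is None or addr in net:
            return action == "permit"
    return False


def forwarded(acls, vlans, src, dst):
    """Would a routed packet src -> dst leave the router on dst's subinterface?
    The outbound ACL on that subinterface is the one that decides."""
    dst_addr = ipaddress.ip_address(dst)
    nets = {vid: ipaddress.ip_network(n) for vid, n in vlans.items()}
    dst_vid = next((v for v, n in nets.items() if dst_addr in n), None)
    if dst_vid is None:
        return True  # dst is not behind a filtered subinterface; nothing here applies
    return permitted(acls[dst_vid], src)


if __name__ == "__main__":
    print(render(build_acls(VLANS)))
```

Running it prints the ACL for fa0/0.10 from the answer together with its mirror for fa0/0.20. The mirror matters: ACL 10 alone only stops packets sourced in VLAN 20 from being delivered into VLAN 10, so a host in VLAN 10 can still send into VLAN 20 and only the replies are dropped; applying the generated ACL on each subinterface blocks both directions, which is what the question asks for. Adding a third VLAN to the dictionary adds the extra deny line per ACL that the answer's second bullet describes.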
