xucraig
New Contributor

NetVanta 1534 - Blocking InterVLAN Traffic

Good morning,

I've just introduced a NetVanta 1534 into my network and moved all of my VLANs off of my 3448 onto the 1534.  My 1534 is running R10.7.0.  VLAN is used for management, while my primary VLAN for our office is VLAN 10.  We have a number of other VLANs.  Right now, gigabit-switchports 1-23 are set up with switchport access vlan 10, while 24 (to the 3448) is set up with switchport access vlan 1. Ports 25 and 26 are set up with switchport trunk native vlan 10 as those two ports are used for connectivity to my other two switches (Dell 2824).

My primary goal is preventing all of the VLANs from being able to communicate with vlan 10.  On the 3448, I just created firewall rules to do this and it worked great, but we need better performance (gigabit) in between some VLANs, hence the installation of the 1534.

I tried creating ACLs, but that didn't work.  I also found this doc referencing ip access-group, but I've tried applying it to both vlan interfaces and switchport interfaces and it comes back as unrecognized.  I also found this thread referencing the same command, but it's a year old.  Has the command been deprecated in newer revisions, or am I missing something?

I'd appreciate any help you can offer. Please let me know if you need any additional information.

thanks

craig

7 Replies
jayh
Honored Contributor

Re: NetVanta 1534 - Blocking InterVLAN Traffic

If you want to completely disable inter-VLAN routing, you can enter the command no ip routing and configure an IP address only on your management VLAN interface.  Use ip default-gateway w.x.y.z to route management traffic instead of ip route 0.0.0.0 0.0.0.0 w.x.y.z.


If you need IP routing on this switch for other purposes, just don't put an IP address on the VLAN 10 interface.  For that matter you don't need interface vlan 10 at all.

ACLs should also work, or you could put VLAN 10 into a different VRF but that's getting kind of extreme.

xucraig
New Contributor

Re: NetVanta 1534 - Blocking InterVLAN Traffic

Thanks jayh,

Are you able to explain the ACL method?  I've been trying, and I can't figure out how to actually apply them like I did on the 3448 (inside security zones).  There are some servers in each VLAN that all VLANs need access to, so I was hoping just to be able to re-create the settings I had on my 3448 on the 1534. 

Is what I'm trying to do even possible?

thanks for your help

craig

jayh
Honored Contributor

Re: NetVanta 1534 - Blocking InterVLAN Traffic

On every interface other than VLAN 10 that has a configured IP address, put it in a policy-class that either denies or discards traffic for the VLAN 10 subnet.  On the VLAN 10 interface, put it in a class that denies or discards all IP traffic.

ACLs are processed in order, so the deny has to come before a statement that would allow it in the list.
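As an added illustration of the scheme jayh describes (not a configuration posted in this thread), the fragment below assumes an AOS build that accepts ip policy-class and ip access-policy; later replies indicate the 1534 in question did not. The VLAN numbers follow the original post; the subnets, object names and the "shared server" address 192.168.10.5 are constructed.

```text
! Constructed addressing for the example: VLAN 10 = 192.168.10.0/24 (office),
! VLAN 20 = 192.168.20.0/24 (any other VLAN), 192.168.10.5 = a VLAN 10 server
! that every VLAN must still reach. Apply the same VLAN20-style policy to each
! non-VLAN-10 interface that carries an IP address.
ip firewall
!
! Entries are matched top-down: the host permit must sit above the subnet deny,
! and the subnet deny above the catch-all, or the deny is never reached.
ip access-list extended FROM-VLAN20
  permit ip any host 192.168.10.5
  deny   ip any 192.168.10.0 0.0.0.255
  permit ip any any
!
ip access-list extended MATCH-ALL
  permit ip any any
!
! Traffic entering from VLAN 20: matching a deny entry skips this allow entry,
! and with no further entries the policy-class discards the session.
ip policy-class VLAN20-IN
  allow list FROM-VLAN20
!
! Traffic entering from VLAN 10: discard every new session. Replies to sessions
! the other VLANs opened toward VLAN 10 are still allowed by the stateful firewall.
ip policy-class VLAN10-IN
  discard list MATCH-ALL
!
interface vlan 20
  ip address 192.168.20.1 255.255.255.0
  ip access-policy VLAN20-IN
  no shutdown
!
interface vlan 10
  ip address 192.168.10.1 255.255.255.0
  ip access-policy VLAN10-IN
  no shutdown
```

Verify with show ip policy-sessions and show ip policy-stats after applying; if the commands are rejected as unrecognized, the running AOS build lacks the firewall feature and the no ip routing approach from the earlier reply is the remaining option.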

xucraig
New Contributor

Re: NetVanta 1534 - Blocking InterVLAN Traffic

When I try to apply the ip policy-class command on int vlan 10, I get an Unrecognized Command response.  Does the 1534 support policy-classes?

craig

jayh
Honored Contributor

Re: NetVanta 1534 - Blocking InterVLAN Traffic


xucraig wrote:



When I try to apply the ip policy-class command on int vlan 10, I get an Unrecognized Command response.  Does the 1534 support policy-classes?


Depending on the firmware revision and whether the box supports IPv6, it may be just policy-class and not ip policy-class.

xucraig
New Contributor

Re: NetVanta 1534 - Blocking InterVLAN Traffic

jayh,

I'm thinking this unit doesn't have that capability.  I'm not seeing policy-class or ip policy-class anywhere.

bummer.

Thanks for all of your help.

craig

Anonymous
Not applicable

Re: NetVanta 1534 - Blocking InterVLAN Traffic


I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi