Disable inter vlan routing

mdhussainvlr
Member
Posts: 133
Joined: 13 Nov 2017 01:42

Disable inter vlan routing

Post by mdhussainvlr » 15 Apr 2018 14:56

Hi,

I have vlan 2222 for AP
vlan 901 for IPTV clients

I want to disable traffic coming from vlan 2222 to vlan 901.

As of now I am able to reach 10.45.0.5 (interface of vlan 901) in vlan 2222. What can I do?

Or do I need to make a policy?

mdhussainvlr
Member
Posts: 133
Joined: 13 Nov 2017 01:42

Re: Disable inter vlan routing

Post by mdhussainvlr » 15 Apr 2018 14:58


! Chassis:
! Configuration:
configuration error-file-limit 2
! Capability Manager:
! Multi-Chassis:
! Virtual Flow Control:
! LFP:
! Interface:
! Port_Manager:
! Link Aggregate:
linkagg lacp agg 2 size 2 admin-state enable
linkagg lacp agg 2 actor admin-key 21
linkagg lacp agg 3 size 2 admin-state enable
linkagg lacp agg 3 actor admin-key 31
linkagg lacp agg 4 size 2 admin-state enable
linkagg lacp agg 4 actor admin-key 41
linkagg lacp agg 5 size 2 admin-state enable
linkagg lacp agg 5 actor admin-key 51
linkagg lacp agg 6 size 2 admin-state enable
linkagg lacp agg 6 actor admin-key 61
linkagg lacp agg 7 size 2 admin-state enable
linkagg lacp agg 7 actor admin-key 71
linkagg lacp agg 8 size 2 admin-state enable
linkagg lacp agg 8 actor admin-key 81
linkagg lacp agg 9 size 2 admin-state enable
linkagg lacp agg 9 actor admin-key 91
linkagg lacp agg 10 size 2 admin-state enable
linkagg lacp agg 10 actor admin-key 101
linkagg lacp agg 11 size 2 admin-state enable
linkagg lacp agg 11 actor admin-key 121
linkagg lacp port 1/1/1 actor admin-key 21
linkagg lacp port 1/1/2 actor admin-key 31
linkagg lacp port 1/1/3 actor admin-key 41
linkagg lacp port 1/1/4 actor admin-key 51
linkagg lacp port 1/1/5 actor admin-key 61
linkagg lacp port 1/1/6 actor admin-key 71
linkagg lacp port 1/1/7 actor admin-key 81
linkagg lacp port 1/1/8 actor admin-key 91
linkagg lacp port 1/1/9 actor admin-key 101
linkagg lacp port 1/1/10 actor admin-key 121
linkagg lacp port 2/1/1 actor admin-key 21
linkagg lacp port 2/1/2 actor admin-key 31
linkagg lacp port 2/1/3 actor admin-key 41
linkagg lacp port 2/1/4 actor admin-key 51
linkagg lacp port 2/1/5 actor admin-key 61
linkagg lacp port 2/1/6 actor admin-key 71
linkagg lacp port 2/1/7 actor admin-key 81
linkagg lacp port 2/1/8 actor admin-key 91
linkagg lacp port 2/1/9 actor admin-key 101
linkagg lacp port 2/1/10 actor admin-key 121
! VLAN:
vlan 1 admin-state disable
vlan 851-860 admin-state enable
vlan 901 admin-state enable
vlan 903-904 admin-state enable
vlan 1000 admin-state enable
vlan 1000 name "MGMT"
vlan 1002 admin-state enable
vlan 1100-1113 admin-state enable
vlan 1100 name "AV-SSID-TOUCHPANEL"
vlan 1201-1249 admin-state enable
vlan 1301-1349 admin-state enable
vlan 1401-1449 admin-state enable
vlan 1501-1549 admin-state enable
vlan 1601-1649 admin-state enable
vlan 1701-1749 admin-state enable
vlan 1777 admin-state enable
vlan 1777 name "Lounge"
vlan 1999 admin-state enable
vlan 1999 name "Room-booking"
vlan 2222 admin-state enable
vlan 2222 name "wlan-ctrlr"
vlan 851 members port 1/1/13-14 tagged
vlan 851 members port 2/1/17 tagged
vlan 851 members linkagg 8 tagged
vlan 852 members port 1/1/1 tagged
vlan 852 members port 1/1/13-14 tagged
vlan 852 members linkagg 2 tagged
vlan 853 members port 1/1/13-14 tagged
vlan 853 members linkagg 3 tagged
vlan 854 members port 1/1/3 tagged
vlan 854 members port 1/1/13-14 tagged
vlan 854 members linkagg 4 tagged
vlan 855 members port 1/1/13-14 tagged
vlan 855 members linkagg 5 tagged
vlan 856 members port 1/1/13-14 tagged
vlan 856 members linkagg 6 tagged
vlan 857 members port 1/1/13-14 tagged
vlan 857 members linkagg 7 tagged
vlan 858 members port 1/1/13-14 tagged
vlan 858 members linkagg 9 tagged
vlan 859 members port 1/1/13-14 tagged
vlan 859 members linkagg 10 tagged
vlan 860 members port 1/1/13-14 tagged
vlan 860 members linkagg 11 tagged
vlan 901 members port 1/1/1 tagged
vlan 901 members port 1/1/3 tagged
vlan 901 members port 1/1/15 tagged
vlan 901 members linkagg 2-9 tagged
vlan 903 members port 1/1/15 tagged
vlan 904 members port 1/1/16 tagged
vlan 904 members linkagg 9 tagged
vlan 1000 members port 1/1/1 tagged
vlan 1000 members port 1/1/3 tagged
vlan 1000 members port 1/1/11-13 tagged
vlan 1000 members port 1/1/16 tagged
vlan 1000 members port 2/1/17 tagged
vlan 1000 members linkagg 2-11 tagged
vlan 2222 members port 1/1/1 tagged
vlan 2222 members port 1/1/3 tagged
vlan 2222 members port 1/1/13 tagged
vlan 2222 members port 1/1/15 tagged
vlan 2222 members linkagg 2-11 tagged



! DA-UNP:
! Bridging:
! Port Mirroring:
! Port Mapping:
! IP:
ip interface "vlan-904" address 192.168.20.97 mask 255.255.255.0 vlan 904 ifindex 1
ip interface "vlan-1000" address 10.10.0.254 mask 255.255.255.0 vlan 1000 ifindex 2
ip interface "vlan-2222" address 10.0.0.245 mask 255.255.248.0 vlan 2222 ifindex 3
ip interface "vlan-903" address 10.238.2.119 mask 255.224.0.0 vlan 903 ifindex 4
ip interface "vlan-901" address 10.45.0.1 mask 255.255.252.0 vlan 901 ifindex 12
! IPv6:
! IPSec:
! IPMS:
ip multicast admin-state enable
ip multicast querying enable
ip multicast spoofing enable
ip multicast flood-unknown disable
ip multicast vlan 903 querier-forwarding enable
ip multicast vlan 903 flood-unknown enable
! AAA:
aaa authentication default "local"
aaa authentication console "local"
aaa authentication telnet "local"
aaa authentication ftp "local"
aaa authentication http "local"
aaa authentication ssh "local"
aaa tacacs command-authorization disable
! NTP:
! QOS:
qos trust-ports
qos apply
! Policy Manager:
! VLAN Stacking:
! ERP:
! MVRP:
! LLDP:
! UDLD:
! Server Load Balance:
! High Availability Vlan:
! Session Manager:
session cli timeout 30000
session prompt default "HI_Guest_Core"
session login-timeout 300
! Web:
! Trap Manager:
! Health Monitor:
! System Service:
! SNMP:
! BFD:
! IP Route Manager:
ip static-route 0.0.0.0/0 gateway 10.45.0.5 metric 1
! VRRP:
ip load vrrp
! UDP Relay:
ip helper per-vlan-only
! RIP:
! OSPF:
! IP Multicast:
ip load pim
ip pim sparse admin-state disable
ip pim dense admin-state disable
ipv6 pim sparse admin-state disable
ipv6 pim dense admin-state disable
! DVMRP:
ip load dvmrp
ip dvmrp interface "vlan-904"
ip dvmrp interface "vlan-903"
ip dvmrp interface "vlan-901"
ip dvmrp admin-state enable
! IPMR:
! RIPng:
! OSPF3:
! BGP:
! ISIS:
! Netsec:
! Module:
! LAN Power:
! RDP:
! DHL:
! Ethernet-OAM:
! SAA:
! SPB-ISIS:
no spb isis graceful-restart
spb isis graceful-restart helper disable
! SVCMGR:
! LDP:
! EVB:
! APP-FINGERPRINT:
! FCOE:
! QMR:
! OPENFLOW:
! Dynamic auto-fabric:
! SIP Snooping:
! DHCP Server:
! DHCPv6 Relay:
! DHCPv6 Server:
! DHCP Message Service:
! DHCP Active Lease Service:
! Virtual Chassis Split Protection:
! DHCP Snooping:
! APP-MONITORING:
! Loopback Detection:
! VM-SNOOPING:
! PPPOE-IA:
HI_Guest_Core
HI_Guest_Core
HI_Guest_Core
HI_Guest_Core
HI_Guest_Core
HI_Guest_Core exit
logout

sputniki
Member
Posts: 32
Joined: 27 Jan 2010 10:35

Re: Disable inter vlan routing

Post by sputniki » 30 May 2018 04:52

This is default behaviour for ip interface as described in "Network Configuration Guide", Chapter 15: "Configuring an IP Interface".

mattstover
Member
Posts: 23
Joined: 13 Mar 2014 12:48

Re: Disable inter vlan routing

Post by mattstover » 09 Jun 2018 15:03

You might need to run that vlan through your firewall to achieve what you are wanting. IP interfaces always route together on the router. Perhaps doing away with the 0.0.0.0 gateway and having specific static routes for each subnet, with a purposely written bad route to 901 from 2222, might be a sorta workaround. I wouldn't do it.
Network Engineer, Director

benny
Alcatel Unleashed Certified Guru
Posts: 749
Joined: 20 Oct 2007 14:51

Re: Disable inter vlan routing

Post by benny » 12 Jun 2018 06:59

If you set your ip interface to "no forward", it will not route/forward. This is part of the above mentioned documentation.
Regards,
Benny

devnull
Alcatel Unleashed Certified Guru
Posts: 942
Joined: 07 Sep 2010 10:16
Location: Germany

Re: Disable inter vlan routing

Post by devnull » 12 Jun 2018 07:33

That's right, but remember: in this case the network is still known by the switch -> It will not route it to some other device (e.g. default gateway), which may need to have the ip interface removed.

Also, I have not tested whether "not forwarding" will affect reachability of the interface on the same switch (and just block forwarding to the other networks).

BarbaixB
Member
Posts: 1
Joined: 21 Jun 2018 04:52

Re: Disable inter vlan routing

Post by BarbaixB » 05 Jul 2018 03:30

Why don't you just put both vlans in a different VRF?

Regards,

stunshot
Member
Posts: 44
Joined: 18 Mar 2010 06:08
Location: UK

Re: Disable inter vlan routing

Post by stunshot » 15 Aug 2018 10:29

Write a policy..
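
Added example, not part of any post in this thread: a Python audit of the `ip interface` and `ip static-route` lines from the configuration posted above. It lists the VLAN pairs the switch routes between by default, derives the source and destination prefixes a deny policy or firewall rule would have to match for vlan 2222 to vlan 901, and shows which VLAN holds the default gateway. Treating an interface as non-forwarding when its line carries the words `no forward` is an assumption about how the saved configuration records that setting.

```python
import ipaddress
import re
from itertools import permutations

# Interface and route lines copied from the configuration posted in this thread.
CONFIG = '''
ip interface "vlan-904" address 192.168.20.97 mask 255.255.255.0 vlan 904 ifindex 1
ip interface "vlan-1000" address 10.10.0.254 mask 255.255.255.0 vlan 1000 ifindex 2
ip interface "vlan-2222" address 10.0.0.245 mask 255.255.248.0 vlan 2222 ifindex 3
ip interface "vlan-903" address 10.238.2.119 mask 255.224.0.0 vlan 903 ifindex 4
ip interface "vlan-901" address 10.45.0.1 mask 255.255.252.0 vlan 901 ifindex 12
ip static-route 0.0.0.0/0 gateway 10.45.0.5 metric 1
'''
IFACE_RE = re.compile(
    r'^ip interface "(?P<name>[^"]+)" address (?P<addr>\S+) mask (?P<mask>\S+)'
    r' vlan (?P<vlan>\d+)(?P<rest>.*)$')
ROUTE_RE = re.compile(r'^ip static-route (?P<dst>\S+) gateway (?P<gw>\S+)')

def parse_interfaces(text):
    """Return {vlan: (network, forwards)} for every routed VLAN interface."""
    out = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
            # Assumption: a non-forwarding interface carries "no forward" on its line.
            out[int(m['vlan'])] = (net, "no forward" not in m['rest'])
    return out

def routed_pairs(ifaces):
    """Ordered (src, dst) VLAN pairs between forwarding interfaces."""
    fwd = sorted(v for v, (_, forwards) in ifaces.items() if forwards)
    return list(permutations(fwd, 2))

def deny_match(ifaces, src_vlan, dst_vlan):
    """Source and destination prefixes a deny rule has to match."""
    return str(ifaces[src_vlan][0]), str(ifaces[dst_vlan][0])

def gateway_vlans(text, ifaces):
    """VLANs whose subnet contains a static-route next hop."""
    gws = [ipaddress.ip_address(m['gw']) for line in text.splitlines()
           if (m := ROUTE_RE.match(line.strip()))]
    return sorted(v for v, (net, _) in ifaces.items() if any(g in net for g in gws))

if __name__ == "__main__":
    ifaces = parse_interfaces(CONFIG)
    print(len(routed_pairs(ifaces)), "routed VLAN pairs")
    print("deny rule match:", deny_match(ifaces, 2222, 901))
    print("default gateway sits in VLAN:", gateway_vlans(CONFIG, ifaces))
```

The default gateway 10.45.0.5 falls inside vlan 901's subnet, so any control that isolates vlan 901 has to account for traffic from the other VLANs that leaves through that next hop.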


Return to “OmniSwitch 6900”