VLAN Access confusion

Solved
Ozzy03260
Conversationalist

I'm preparing to add a VLAN2 to our network for some servers we will be adding.  In preparation for this I was investigating what I would need to do to have our client PCs (VLAN1) communicate with these servers as many of these ports are Access Ports with VLAN1 and a Voice VLAN105.

Assuming VLAN 1 is 10.123.0.0 /23 and VLAN8 is 10.122.8.0/24

I have Switch1 Port 4 configured as an Access Port VLAN1, I would assume that this port should not be able to communicate with a PC in the address range of VLAN8.

So PC-A which is 10.122.0.69 connects to port 4 on switch 1 and attempts to RDP into PC-B which is 10.122.8.10.  I expected my PC to try to find the system with RDP and come back with a failure to connect.  I was a bit surprised to be able to connect to the PC through RDP when they should be in different VLANs.

PC-B is connected to port 34 on the same switch which is configured as an Access Port for VLAN8.

What am I missing here?  This is a case of something working that I expected not to.

1 Accepted Solution
GIdenJoe
Kind of a big deal

There must be a gateway in between.

If the VLANs have a gateway in the form of a router or firewall or L3 switch then the packets will be routed between VLANs unless you have ACLs or firewall rules blocking access.

5 Replies
Ozzy03260
Conversationalist

Under Switch>>Configure>>Routing & DHCP I have in fact added interfaces for VLAN1, VLAN2, VLAN8 and VLAN105.

Since these Meraki Switches are L3 capable this is what allows communication across VLANs unless I explicitly set an ACL to block it?

ww
Kind of a big deal

Yes

Bruce
Kind of a big deal

@Ozzy03260 Something to remember on the Meraki MS switches (which is different to Cisco Catalysts if you're used to them) is that you don't have to create a VLAN - the switch will pass traffic on any VLAN out of the box. All you have to do is assign an access port to a VLAN. By default all trunk ports will forward all VLANs, but you can restrict (prune) this to just the VLANs you want. When you create a VLAN interface on the Meraki switch you are essentially creating a gateway (SVI in Catalyst terms) that allows that VLAN/Subnet to communicate with all others. You can then restrict communication between VLANs/Subnets (and even within a VLAN/Subnet) using ACLs.
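
A small model of the behaviour described in this thread, added here as an illustration and not code from any poster or from Meraki: it decides whether a flow between two access ports is switched, routed between VLAN interfaces, or dropped by an ACL. The first-match rule order and the implicit final allow are assumptions of the model, and PC-A's address is constructed to sit inside the VLAN 1 subnet stated in the question.

```python
import ipaddress

def first_match(acl, src, dst, proto, port):
    """Return (index, action) of the first rule matching the flow."""
    for i, (action, s_net, d_net, r_proto, r_port) in enumerate(acl):
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d_net)
                and r_proto in ("any", proto)
                and r_port in ("any", port)):
            return i, action
    return None, "allow"  # assumption: nothing matched, so traffic is allowed

def verdict(svis, acl, src, src_vlan, dst, dst_vlan, proto, port):
    """Classify one flow on a single L3 switch (model, not vendor logic)."""
    idx, action = first_match(acl, src, dst, proto, port)
    if action == "deny":
        return f"denied by ACL rule {idx}"
    if src_vlan == dst_vlan:
        return "switched at L2"            # same VLAN, no gateway involved
    if src_vlan in svis and dst_vlan in svis:
        return "routed between SVIs"       # both VLANs have an interface
    return "no gateway on this switch"     # an upstream router may still route

# VLANs with an interface under Routing & DHCP, as listed in the thread.
SVIS = {1, 2, 8, 105}
PC_A = ("10.123.0.69", 1)   # constructed address inside 10.123.0.0/23
PC_B = ("10.122.8.10", 8)   # address and VLAN from the question
# Hypothetical ACL: stop RDP from the client VLAN to the VLAN 8 subnet.
ACL_BLOCK_RDP = [("deny", "10.123.0.0/23", "10.122.8.0/24", "tcp", 3389)]

def check(svis, acl, port):
    return verdict(svis, acl, PC_A[0], PC_A[1], PC_B[0], PC_B[1], "tcp", port)

if __name__ == "__main__":
    print("no ACL, RDP:        ", check(SVIS, [], 3389))
    print("RDP deny rule, RDP: ", check(SVIS, ACL_BLOCK_RDP, 3389))
    print("RDP deny rule, SMB: ", check(SVIS, ACL_BLOCK_RDP, 445))
    print("no SVI for VLAN 8:  ", check({1}, [], 3389))
```

The third case shows why a single port-specific deny leaves every other service between the two VLANs routed.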

Ozzy03260
Conversationalist

Replying to myself, is it because it is VLAN1?  If it were for example VLAN3 10.122.3.0 would that matter?

I inherited this network and this is my first real job requiring me to manage a network instead of servers so it is not my area of expertise.

Thank you
