hello,


in my network i got a switch with 4 vlan's configured
vlan 10
vlan 20
vlan 30
vlan 40

in vlan 40 i have my domain controller for my existing domain
i have read that seperate vlan's can't have contact without a lollipop router ( router on a stick, inter vlan routing)
i want that users in vlan 10, vlan 20 and vlan 30 can have access to my domain controller in vlan 40
but they can't have access to each other.

how can i solve this?


kind regards

you need to create sub interfaces on your router and trunk the vlans to the router port.
the router on a stick will route between vlans

http://blog.alwaysthenetwork.com/tutori ... -tutorial/

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

Your switch doesnt support VLAN interfaces?

_________________
http://www.dasblinkenlichten.com
@blinken_lichten

Hello,

Thanks for the reply , the problem is However , that when i configure sub interfaces
And a lollipop Router that all my vlans Can reach each other, and i only want that Vlan
10,20,30 Can reach Vlan 40 and not that Vlan 10, 20 and 30 Can reach each other, Vlan 10,20,30 must nr
Completely seperated from each other, they only need to reach Vlan 40 to log into domain.because the domain controller is there.

Seems like a design issue. Private VLANs? Or move the domain controller? ACLs if yuo have to...

_________________
http://www.dasblinkenlichten.com
@blinken_lichten

Get the routing working, and then filter out the traffic you don't want to allow via ACL's.

this.

Alternatively if you have something like a 3560 then you could look into Private VLAN's as others have said, what switch are you using?

_________________
---
David
CCIE R&S #38338, CCIP, CCNP

http://networkbroadcast.co.uk - My Blog
http://twitter.com/davidrothera

Yes, private VLAN or ACL.

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
"The only time something is impossible is when you think it is." - Kevin Corbin, CCIE #11577

hello,

thanks for the advice, i will give it a try with private vlan's


kind regards

My original advice holds: Get the routing working first.

Once you have full connectivity, then you can figure out how to block the traffic you don't want. Private VLANs will be harder than ACL's, but both would work. But if you don't have the underlying connectivity established first, then you're building security on top of a pile of shit, and you can't predict how that's going to turn out.

that what I was thinking, if you can't get router on a stick working, private vlans would much more difficult.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

If this is a DHCP server, it sounds like an "ip address helper" solution...thou im not sure if this would solve this case.