VLAN Question

Unanswered Question
Aug 29th, 2007

All, if I have a VLAN 300 with a management interface of 10.3.240.240 and a VLAN 400 with a management interface of 10.247.1.1, and each port is in the same subnet as the specified VLAN, what prevents traffic from entering the other VLAN?

bjw@gty.ci.hend... Wed, 08/29/2007 - 12:06

L3 routing allows VLANs (broadcast domains) to find each other. If the switch is connected to a router and both subnets are advertised and not inhibited from interacting (routing protocol config or ACL inhibitors), or the switch itself is a L2/L3 device with routing enabled, then they theoretically can interact.

rwamstutz Wed, 08/29/2007 - 12:09

Then how do I prevent two VLANs from broadcasting traffic into each VLAN, that is on the same switch?

bjw@gty.ci.hend... Wed, 08/29/2007 - 12:14

Being that a VLAN is defined as its own broadcast domain means that all ports on VLAN 1 will hear all broadcasts within that VLAN. If VLAN 2 is added to a switch, then the same holds true for that VLAN. They are separate broadcast domains.

bjw@gty.ci.hend... Wed, 08/29/2007 - 12:19

Now if your question really is to ensure that NO HOST on VLAN 300 could ever exchange packets with ANY HOST on VLAN 400, that would be an ACL on each VLAN that specifically excludes the entire VLAN network segment. Broadcast traffic is different than unicast/multicast traffic.

Then there's Private VLANs:

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e717.html

Which is a whole different level of separation/protection, etc.

rwamstutz Wed, 08/29/2007 - 12:22

OK, so if my objective is to have machine traffic on VLAN 247 and data traffic on VLAN 300, IPX traffic from printers on VLAN 300 will not go over to VLAN 247?

Francois Tallet Wed, 08/29/2007 - 12:41

IPX traffic cannot get out of its VLAN because you are not routing IPX. Only IP traffic could be routed between the VLANs. If you want to avoid that, you have lots of solutions like disabling routing, implementing access lists, removing the IP addresses, etc.

VLANs are still providing you with isolation at layer 2, even with your current configuration.

Regards,

Francois
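As an added illustration of the ACL approach bjw describes above and the "implementing access lists" option in Francois's reply (this is example configuration written for this page, not configuration posted by either of them), here is how the two SVIs from the original question could be fenced off from each other on a Layer 3 Catalyst switch. It assumes both VLANs are /24 networks (the thread gives only the interface addresses, not the masks) and that `ip routing` is enabled; the ACL names are made up for the example.

```cisco
! Added example, not from the thread.
! Assumption: VLAN 300 = 10.3.240.0/24, VLAN 400 = 10.247.1.0/24,
! Layer 3 switch with IP routing enabled between the two SVIs.
ip routing
!
! Traffic arriving from VLAN 300 hosts: drop anything bound for VLAN 400,
! let everything else (e.g. management access to the SVI) route normally.
ip access-list extended VLAN300-IN
 remark Added example: block VLAN 300 -> VLAN 400 at the SVI
 deny   ip 10.3.240.0 0.0.0.255 10.247.1.0 0.0.0.255
 permit ip any any
!
! Mirror-image ACL for traffic arriving from VLAN 400 hosts.
ip access-list extended VLAN400-IN
 remark Added example: block VLAN 400 -> VLAN 300 at the SVI
 deny   ip 10.247.1.0 0.0.0.255 10.3.240.0 0.0.0.255
 permit ip any any
!
interface Vlan300
 ip address 10.3.240.240 255.255.255.0
 ip access-group VLAN300-IN in
!
interface Vlan400
 ip address 10.247.1.1 255.255.255.0
 ip access-group VLAN400-IN in
```

The ACLs are applied inbound on each SVI because that is the point where a frame from a VLAN host first becomes a routable packet; the switch never had a Layer 2 path between the VLANs, so the SVI is the only crossing to police. `show ip access-lists` displays per-entry hit counters, which is the quickest way to confirm the `deny` line is actually matching during a test between the two subnets. The `permit ip any any` at the end keeps other routing (and management of the SVIs themselves) working; if the real goal is a fully isolated segment, tighten that final line, or take Francois's blunter options of `no ip routing` or removing the SVI address altogether. None of this affects the IPX traffic discussed next, which is never routed in the first place.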

bjw@gty.ci.hend... Wed, 08/29/2007 - 12:49

Agreed,

Routing, routing, routing, ACLs, filters, PBR... it all depends on what the real operational goals are designed in.

Posted August 29, 2007 at 12:00 PM