VLAN Question

rwamstutz (Level 1)

All, if I have a VLAN 300 with a management interface of 10.3.240.240 and a VLAN 400 with a management interface of 10.247.1.1, and each port is in the same subnet as the specified VLAN, what prevents traffic from entering the other VLAN?

9 Replies

bjw (Level 4)

L3 Routing allows VLANs (broadcast domains) to find each other. If the switch is connected to a router and both subnets are advertised and not inhibited from interacting (routing protocol config or ACL inhibitors), or the switch itself is a L2/L3 device with routing enabled, then they theoretically can interact.

Then how do I prevent two VLANs from broadcasting traffic into each VLAN, that is on the same switch?

Being that a VLAN is defined as its own broadcast domain means that all ports on VLAN 1 will hear all broadcasts within that VLAN. If VLAN 2 is added to a switch, then the same holds true for that VLAN. They are separate broadcast domains.

bjw (Level 4)

Now if your question really is to ensure that NO HOST on VLAN 300 could ever exchange packets with ANY HOST on VLAN 400, that would be an ACL on each VLAN that specifically excludes the entire VLAN network segment. Broadcast traffic is different than unicast/multicast traffic.

Then there's Private Vlans:

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e717.html

Which is a whole different level of separation/protection, etc.

ok, so if my objection is to have machine traffic on Vlan 247 and Data Traffic on VLAN 300, IPX traffic from printers on VLAN 300, will not go over to vlan 247?

Yes, as long as you configure the next-hop router/routing protocol to not allow it. It won't do it on a layer 2 switch with routing disabled.

Look at this Doc

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml

IPX traffic cannot get out of its vlan because you are not routing IPX. Only IP traffic could be routed between the vlans. If you want to avoid that, you have lots of solutions like disabling routing, implementing access lists, removing the IP addresses etc...

VLANs are still providing you with isolation at layer 2, even with your current configuration.

Regards,

Francois
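As an added illustration of what bjw's "ACL on each VLAN" and Francois's "implementing access lists" look like in practice (this is not configuration posted by anyone in the thread), here is a Cisco IOS-style configuration for a Layer 3 switch that keeps the two management SVIs from the question but drops unicast between the two subnets. The thread only gives the VLAN ids and SVI addresses; the /24 masks, the VLAN names and the ACL names are assumptions.

```cisco
! Added example, not from the thread. Assumes /24 subnets for both SVIs.
! The switch routes (ip routing), so without the ACLs hosts in 10.3.240.0/24
! and 10.247.1.0/24 would reach each other through the two SVIs.
ip routing
!
vlan 300
 name DATA
vlan 400
 name MGMT
!
! Inbound on Vlan300: drop anything addressed to the VLAN 400 subnet,
! let everything else be routed normally.
ip access-list extended BLOCK-300-TO-400
 deny   ip 10.3.240.0 0.0.0.255 10.247.1.0 0.0.0.255
 permit ip any any
!
! Mirror image inbound on Vlan400.
ip access-list extended BLOCK-400-TO-300
 deny   ip 10.247.1.0 0.0.0.255 10.3.240.0 0.0.0.255
 permit ip any any
!
interface Vlan300
 ip address 10.3.240.240 255.255.255.0
 ip access-group BLOCK-300-TO-400 in
!
interface Vlan400
 ip address 10.247.1.1 255.255.255.0
 ip access-group BLOCK-400-TO-300 in
```

To check the policy is actually in effect, confirm the ACL is bound to each SVI with `show ip interface Vlan300` (look for "Inbound access list is BLOCK-300-TO-400") and watch the deny counters climb in `show ip access-lists` while a host in one VLAN tries to reach the other. The ACL only matters when the switch routes between the SVIs; on a switch that is meant to be Layer 2 only, the other options Francois lists are `no ip routing` globally or `no ip address` under the SVIs, which remove the Layer 3 path altogether rather than filtering it. Either way the VLANs remain separate broadcast domains at Layer 2, and non-IP traffic such as IPX is not routed by this switch at all.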

Note that private vlan will not prevent communication at layer 3.

F.

Agreed,

Routing, routing, routing, acls, filters, pbr.. it all depends on what the real operational goals are designed in.
