VLAN Isolation for iSCSI Network

Jon Marshall Fri, 09/14/2007 - 14:05
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi Doug


If you want to totally isolate this traffic from the rest of the LAN you can simply remove the Layer 3 SVI for that vlan. Without a layer 3 interface nothing will be able to communicate with this vlan from any other vlan.


If you need the layer 3 SVI you could look to use access-lists, e.g.


Let's say the rest of your LAN =


192.168.5.0/24

192.168.6.0/24


access-list 101 deny ip 192.168.5.0 0.0.0.255 any

access-list 101 deny ip 192.168.6.0 0.0.0.255 any

...

Any traffic, if there is any, from other networks to your iSCSI network you can add here to the access-list.


interface vlan 10 (assuming this is iSCSI vlan interface)

ip access-group 101 out


HTH


Jon
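As an added illustration (not part of Jon's post or of any Cisco tooling), here is a small Python model of how IOS evaluates a numbered extended ACL such as access-list 101 above: entries are checked top down, the first match wins, wildcard-mask bits set to 1 are "don't care" bits, and every list ends with an implicit deny ip any any. The list below carries the two deny lines from the post plus an assumed permit for a hypothetical management host 192.168.7.10; the iSCSI subnet 192.168.10.0/24 is also assumed. Running it shows that the two LAN subnets are denied, an unlisted source is still denied by the implicit rule, and a host is only let through by an explicit permit that sits before the denies that would otherwise catch it. That is the practical point behind the "..." in the post: any flow that should reach the iSCSI vlan needs its own permit line, in the right position, or the implicit deny drops it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ACL. The two deny lines are from the post; the permit line
# and the 192.168.10.0/24 iSCSI subnet are assumptions for this example.
ACL_101 = [
    "access-list 101 permit ip host 192.168.7.10 192.168.10.0 0.0.0.255",  # assumed mgmt host
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 any",
    "access-list 101 deny ip 192.168.6.0 0.0.0.255 any",
]


@dataclass
class Ace:
    """One access control entry: action plus source/destination net and wildcard."""
    action: str
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'.
    Returns (network_as_int, wildcard_as_int, index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny ip <src> <dst>' (the only form handled here)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "ip" or t[2] not in ("permit", "deny"):
        raise ValueError("expected: access-list N permit|deny ip <src> <dst>")
    src_net, src_wild, i = _parse_addr(t, 4)
    dst_net, dst_wild, _ = _parse_addr(t, i)
    return Ace(t[2], src_net, src_wild, dst_net, dst_wild)


def _matches(addr, net, wild):
    """Cisco wildcard match: a 1 bit in the wildcard is ignored, 0 bits must be equal."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(acl_lines, src, dst):
    """Return 'permit' or 'deny' for a src->dst IP flow: first match wins,
    and an unmatched flow falls through to the implicit 'deny ip any any'."""
    for line in acl_lines:
        ace = parse_ace(line)
        if _matches(src, ace.src_net, ace.src_wild) and _matches(dst, ace.dst_net, ace.dst_wild):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    # Constructed flows routed out of the vlan 10 SVI towards the iSCSI subnet.
    flows = [
        ("192.168.5.20", "192.168.10.5"),  # LAN subnet listed in a deny -> deny
        ("192.168.6.7", "192.168.10.5"),   # LAN subnet listed in a deny -> deny
        ("192.168.7.10", "192.168.10.5"),  # assumed mgmt host, explicit permit -> permit
        ("10.0.0.9", "192.168.10.5"),      # not listed at all -> implicit deny
    ]
    for s, d in flows:
        print(f"{s} -> {d}: {evaluate(ACL_101, s, d)}")
```

Because the ACL is applied outbound on the vlan 10 SVI, only traffic routed into the iSCSI vlan from other subnets is evaluated; hosts inside vlan 10 talking to each other never pass through the SVI and are not affected either way.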

Jon Marshall Mon, 09/17/2007 - 09:05

Doug


Do you have command line access to the switch? Sorry, as I have never used Network Assistant.


If you do have CLI access you need to determine which vlan is the iSCSI vlan; let's say it's vlan 10.


From enable mode


switch# sh ip interface brief


This will list all the interfaces on the switch. You are looking for a vlan10 interface.


Assuming there is one


switch# conf t

switch(config)# no interface vlan 10

switch(config)# end

switch# wr mem


By removing the layer 3 interface nothing on vlan 10 can talk to any other vlan and no other vlan can talk to anything on vlan 10.


Be sure that is what you want.


HTH


Jon

Jon Marshall Tue, 09/18/2007 - 09:34

Doug


If you do not see the vlan interface then you don't have a layer 3 interface on that switch. However you are saying that you can ping a device on the iSCSI vlan from a device on another vlan so


1) You have a layer 3 interface for the iSCSI vlan, just not on that switch.


2) Your vlan allocation and ports within that vlan are slightly off.


Could you post the configs of the switch? Can you confirm that only the switch you are on would have layer 3 interfaces for the vlans?


Jon

Jon Marshall Tue, 09/18/2007 - 10:03

Doug


Is vlan 2 the iSCSI vlan?


Which vlan is the device connected to that can ping one of the iSCSI devices?


Jon

Jon Marshall Tue, 09/18/2007 - 10:19

Doug


Could you provide


1) The IP address of your workstation, the subnet mask and the default gateway.


2) The same for one of the iSCSI devices that you can ping.


Jon

Jon,


I finally figured out what is going on here, and should have sooner so as to waste less of your time. The NetApp has two interfaces - one connected to vlan 1 and the other to the iSCSI vlan. Apparently the NetApp does some internal routing of traffic from one interface to the other. That's why I was always able to ping from my LAN to the NetApp iSCSI interface. I connected a PC to a port on the iSCSI vlan and was not able to ping any addresses on my lan. The only address I could ping was the ip address of the NetApp connected to the iSCSI vlan. This is what I want. Hope that all made sense, and again thanks much for all your time.

Jon Marshall Tue, 09/18/2007 - 12:22

Doug


No problem. Thanks for getting back and letting me know what was happening.


Jon
