VLAN Isolation for iSCSI Network

Unanswered Question

I have set up a VLAN on a Catalyst 3560 for an iSCSI network. I would like to isolate this traffic from the rest of the LAN. As presently configured, I can ping a device on the iSCSI VLAN from a device connected to a port not part of that VLAN. What configuration change do I need to make to prevent this?

Jon Marshall Fri, 09/14/2007 - 14:05

Hi Doug

If you want to totally isolate this traffic from the rest of the LAN you can simply remove the Layer 3 SVI for that vlan. Without a layer 3 interface nothing will be able to communicate with this vlan from any other vlan.

If you need the layer 3 SVI you could look to use access-lists, e.g.

Let's say the rest of your LAN =

access-list 101 deny ip any

access-list 101 deny ip any


Any traffic, if there is any, from other networks to your iSCSI network you can add here to the access-list.

interface vlan 10 (assuming this is iSCSI vlan interface)

ip access-group 101 out


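As an added worked example (not from the original thread), here are both options described above written out as Catalyst 3560 configuration. The addressing is an assumption: 10.10.10.0/24 on the iSCSI VLAN 10 (SVI 10.10.10.1) and 192.168.1.0/24 for the rest of the LAN; substitute your own subnets.

```ios
! Option 1: no Layer 3 presence on the iSCSI VLAN at all.
! With no SVI there is nothing to route between VLAN 10 and any other subnet.
no interface vlan 10
!
! Option 2: keep the SVI (for example for management) and filter routed traffic at it.
! Assumed addressing: iSCSI VLAN 10 = 10.10.10.0/24, rest of LAN = 192.168.1.0/24.
ip access-list extended ISCSI-IN
 remark Traffic arriving from iSCSI hosts: drop anything headed for the LAN subnet
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
ip access-list extended ISCSI-OUT
 remark Traffic being routed into the iSCSI VLAN: drop anything sourced from the LAN subnet
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
interface vlan 10
 description iSCSI storage VLAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group ISCSI-IN in
 ip access-group ISCSI-OUT out
!
! Verification: a ping from a 192.168.1.x host to 10.10.10.x should now fail, and the
! deny counters should increment:
! show ip access-lists ISCSI-OUT
```

These ACLs only see traffic that is routed through the SVI; they cannot stop a dual-homed host such as the NetApp in this thread from forwarding between its own LAN and iSCSI interfaces, so that has to be disabled on the host itself.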

Jon Marshall Mon, 09/17/2007 - 09:05


Do you have command line access to the switch? Sorry, as I have never used Network Assistant.

If you do have CLI access you need to determine which vlan is the iSCSI vlan; let's say it's vlan 10.

From enable mode

switch# sh ip interface brief

This will list all the interfaces on the switch. You are looking for a vlan10 interface.

Assuming there is one

switch# conf t

switch(config)# no interface vlan 10

switch(config)# end

switch# wr mem

By removing layer 3 interface nothing on vlan 10 can talk to any other vlan and no other vlan can talk to anything on vlan 10.

Be sure that is what you want.



Jon Marshall Tue, 09/18/2007 - 09:34


If you do not see the vlan interface then you don't have a layer 3 interface on that switch. However you are saying that you can ping a device on the iSCSI vlan from a device on another vlan so

1) You have a layer 3 interface for the iSCSI vlan, just not on that switch.

2) Your vlan allocation and ports within that vlan are slightly off.

Could you post configs of switch. Can you confirm that only the switch you are on would have layer 3 interfaces for the vlans ?


Jon Marshall Tue, 09/18/2007 - 10:03


Is vlan 2 the iSCSI vlan ?

Which vlan is the device connected into that can ping one of the iSCSI devices ?


Jon Marshall Tue, 09/18/2007 - 10:19


Could you provide

1) the ip address of your workstation, the subnet mask and the default-gateway

2) The same for one of the iSCSI devices that you can ping.



I finally figured out what is going on here, and should have sooner so as to waste less of your time. The NetApp has two interfaces - one connected to vlan 1 and the other to the iSCSI vlan. Apparently the NetApp does some internal routing of traffic from one interface to the other. That's why I was always able to ping from my LAN to the NetApp iSCSI interface. I connected a PC to a port on the iSCSI vlan and was not able to ping any addresses on my LAN. The only address I could ping was the IP address of the NetApp connected to the iSCSI vlan. This is what I want. Hope that all made sense, and again thanks much for all your time.

Jon Marshall Tue, 09/18/2007 - 12:22


No problem. Thanks for getting back and letting me know what was happening.


