Thanks for quick reply,

I dont want the servers on 10.0/30 subnet from communicating with the 20.0/30 subnet with respect to broadcasts.

I know that they wont be able to communicate because of the Layer 2 but broadcasts will still flood the whole vlan.

So my question is how can I properly isolate the subnets in this particular vlan?

>So my question is how can I properly isolate the subnets in this particular vlan?

You can't isolate them as long as they are part of the same Vlan regardless of the IP subnet.

Edison

Perhaps I read the post from Sparky slightly differently than you do. The first pair of servers are in the same logical subnet and in the same VLAN so they should communicate with each other fine. And the second pair of servers are in the same logical subnet and in the same VLAN so they should communicate with each other fine.

But I agree with you that there are flaws in this implementation. First, since the subnets are /30 they only allow two hosts and with two servers in the subnet there is nothing to act as a gateway and to provide access to "remote" addresses. Also this implementation breaks the assumption that there is a correlation between subnet and VLAN. We tend to assume that a correlation exists and that a subnet is related to a VLAN and a VLAN is related to a subnet. But VLAN is a layer 2 concept and subnet is a layer 3 concept and they are not necessarily related. There is no rule that says that a VLAN have only 1 subnet (though that is common practice). A VLAN interface with a primary IP address and a secondary IP address would certainly support 2 (or more) subnets.

Note that this implementation does not provide the isolation that we tend to assume when we talk about subnets. We generally assume that devices in 1 subnet do not communicate directly with devices in a different subnet (because we tend to assume that each subnet is a separate broadcast domain). But this implementation puts both subnets into the same broadcast domain. So the first pair of servers will hear all the broadcasts (including ARP) from the second pair of servers and any of these servers could communicate directly with any other of the servers - certainly not bounded by the subnet.

Sparky

There is no way to isolate the broadcasts within the same VLAN. The basic definition of VLAN is that it is a broadcast domain. And any broadcast generated will be flooded thoughout the entire broadcast domain. The only way to restrict the broadcasts is to create 2 VLANs.

HTH

Rick

Rick,

Indeed you are right. Blame my fast reading abilities :)

I automatically assumed the other host in the /30 subnet would be the switch.

Edison

Indeed that is a very logical assumption. And ultimately I believe that it would be a better implementation. But it is not what was asked in the original post.

HTH

Rick

I cant have 2 vlans.

Would Private Vlans work in this situation?

or Mac-address access lists?

Sparky

Before we talk about what would work in this situation perhaps you can clarify what you are trying to accomplish and what the constraints are? If we understood that we could give much better answers.

HTH

Rick

Dear Pals,

Please, let me say you that IMHO you're partially wrong. You can to use Cisco PVLANs to workarround this troubles.

http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html

... in addiction to the RFC 3069 - "VLAN Aggregation for Efficient IP Address Allocation" could be applied in this case to use the same address space into two differents broadcast domains with a common routed port to forward traffic between two VLANs.

Regards,

--

Luislo

http://luislo.blogspot.com

http://www.faqs.org/rfcs/rfc3069.html

Yes I need same vlan becasue of the eWAN setup I have.

ISP-Router 10.10.10.1/30 connects to the 3750G on vlan 100 (port g1/0/1)

BSD Router 10.10.10.2/30 connects to the 3750G on vlan 100 (port g1/0/2)

ISP-Router2 10.10.20.1/30 connects to the 3750G on vlan 100 (Port g2/0/1)

BSD Router 10.10.20.2/30 connects to the 3750G on vlan 100 (port g2/0/2)

In order for this eWAN connection to work, I need to pass vlan 100 traffic to the ISP either via a trunk or access mode. A trunk in this case will not work so I have to use mode access.

One of my option is to break the 3750G stack and use the switches on their own but I dont want to do that since stacking is superior.

I have this implementation working off 2 seperate 3750G each having int vlan 100 with their IPs.

What I would really like to do is keep the 2 x 3750G stacked and allow each bsd router to connect back to its respective ISP Router on vlan 100.

Please advise.

>In order for this eWAN connection to work, I need to pass vlan 100

>traffic to the ISP either via a trunk or access mode. A trunk in this case will not

>work so I have to use mode access.

Can you tell us why the trunk solution will not work ?

Under the circumstances assuming the following:

- 3750s will stay stacked

- vlan 100 MUST be used for all four ports

- each /30 network must stay seperate

I would have to say that private vlans are still the best solution. Set up 2 communities and they can both exist in vlan 100 while not sharing broadcast traffic.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swpvlan.html

I hope that helps.

hi,

sure - you can do that - no problem (also by stacking those 2 3750). but you will still get the broadcast for those 2 subnets in 1 vlan. just like putting 2 different nic and ip address in one managable switch, and there is no way to separate that broadcast.

so - you have the third nic for the BSD to put back into the switch for routing your LAN right?

HTH.

pls rate :)