OSPF / VLAN

Answered Question
Jan 30th, 2009

On a 4500 backbone switch we have 15 VLANs running OSPF as the routing protocol. We need to create another new VLAN (VLAN 120), and the requirement is that this VLAN should not be allowed to communicate with the other VLANs.

As per the requirement I have not added this VLAN range to the OSPF routing process, but the other VLANs are still able to communicate with it.

Can someone explain why this is happening?

rais Fri, 01/30/2009 - 14:02

All connected VLANs on your L3 switch will communicate with each other, since the new VLAN is part of the routing table.

You can use a VACL, if supported on your platform, or just create a VLAN without an SVI if that's possible.

Thanks.

glen.grant Fri, 01/30/2009 - 16:37

As Istvan said, just make it a layer 2 VLAN. Just type in "no interface vlan 120". This prevents anyone in VLAN 120 from being routed anywhere else because there is no layer 3 definition.

Istvan_Rabai Fri, 01/30/2009 - 14:07

Hi Amin,

The solution is simple:

Do not create the VLAN interface that belongs to VLAN 120.

In other words, don't issue this command on the switch:

interface vlan 120

Cheers:

Istvan

rais Fri, 01/30/2009 - 14:17

Istvan,

Do you mean don't assign an IP address to this interface?

Thanks.

Istvan_Rabai Sat, 01/31/2009 - 01:10

Yes, not assigning an IP address to interface vlan 120 will work for you as well.

Cheers:

Istvan

Correct Answer
lamav Fri, 01/30/2009 - 14:08

Not running OSPF on the new VLAN interface simply means that LSUs from this router will not include information regarding the new VLAN in its updates to the OSPF neighbors.

That means that a user sitting, say, 3 hops away will not have a route to that network.

The reason that users on the other VLANs that are configured on that 4500 switch can communicate with the new VLAN is that they are all directly connected routes. You need a router/L3 switch to pass traffic from one VLAN to another (inter-VLAN routing). Creating SVIs for several VLANs on the same switch satisfies that requirement, thereby allowing users in each of these VLANs to communicate with each other.

To isolate the new VLAN, you can look into using VLAN maps or traditional ACLs and applying them to the VLAN's SVI.

http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst4500/12.1/12.1e/configuration/guide/secure.html

HTH

Victor
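As an added illustration of the "ACL on the SVI" option described above (example configuration, not from this thread or from Cisco's documentation), assuming constructed addressing in which VLAN 120 is 10.120.0.0/24 with gateway 10.120.0.1 and every existing VLAN subnet falls inside 10.0.0.0/8:

```cisco
! Constructed example addressing (assumption): VLAN 120 = 10.120.0.0/24,
! all other VLAN subnets are inside 10.0.0.0/8. Adjust to your own plan.
!
! Inbound on the SVI: packets from VLAN 120 hosts toward any other VLAN
! subnet are dropped. The gateway itself stays reachable, and anything
! not destined to another VLAN (e.g. a default route to the outside) passes.
ip access-list extended VLAN120-TO-OTHERS
 remark keep the VLAN 120 gateway reachable for hosts in the VLAN
 permit ip 10.120.0.0 0.0.0.255 host 10.120.0.1
 remark block VLAN 120 from reaching the other VLANs
 deny   ip 10.120.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any
!
! Outbound on the SVI: packets routed from the other VLANs toward VLAN 120
! are dropped too, so one-way UDP and scans from the other VLANs are
! also stopped rather than relying on the inbound filter alone.
ip access-list extended OTHERS-TO-VLAN120
 remark block the other VLANs from reaching VLAN 120
 deny   ip 10.0.0.0 0.255.255.255 10.120.0.0 0.0.0.255
 permit ip any any
!
interface Vlan120
 description isolated VLAN: routed, but fenced off from the other VLANs
 ip address 10.120.0.1 255.255.255.0
 ip access-group VLAN120-TO-OTHERS in
 ip access-group OTHERS-TO-VLAN120 out
!
! Alternative from the thread: with no SVI at all, VLAN 120 is a pure
! layer 2 VLAN and the switch cannot route it anywhere.
! no interface Vlan120
```

`show ip interface Vlan120` confirms which ACLs are applied in each direction; whichever option you choose, note that neither ACL blocks traffic between hosts inside VLAN 120, which is switched and never touches the SVI.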
