01-30-2009 01:16 PM - edited 03-06-2019 03:46 AM
On a 4500 backbone switch we have 15 VLANs running OSPF as the routing protocol. We need to create another new VLAN (vlan 120), and the requirement is that this VLAN should not be allowed to communicate with the other VLANs.
As per the requirement I have not added this VLAN's range to the OSPF routing process, but the other VLANs are still able to communicate.
Can someone explain why this is happening?
01-30-2009 02:08 PM
Not running OSPF on the new vlan interface simply means that LSUs from this router will not include information regarding the new vlan in its updates to the OSPF neighbors.
That means that a user sitting, say, 3 hops away, will not have a route to that network.
The reason that users on the other vlans that are configured on that 4500 switch can communicate with the new vlan is that they are all directly connected routes. You need a router/L3 switch to pass traffic from one vlan to another (inter-vlan routing). Creating SVIs for several vlans on the same switch satisfies that requirement, thereby allowing users in each of these vlans to communicate with each other.
To isolate the new vlan, you can look into using vlan maps or traditional ACLs and applying them to the vlan's SVI.
HTH
Victor
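Victor's second option, a traditional ACL applied to the VLAN 120 SVI, written out as an added example; this is not configuration from the thread. It assumes IOS-style syntax on the 4500, that VLAN 120 uses 192.168.120.0/24, and that all of the other 15 VLANs sit inside 10.0.0.0/8. Those addresses, the ACL names and the port are constructed.

```cisco
! Added example, not from the thread. Addresses, ACL names and port are assumptions.
! Assumes VLAN 120 = 192.168.120.0/24 and every other VLAN is inside 10.0.0.0/8.

! Traffic arriving at the switch FROM hosts in VLAN 120 (applied "in" on the SVI):
! drop anything destined for another internal VLAN, allow everything else
! (for example a default route toward the Internet).
ip access-list extended VLAN120-ISOLATE-IN
 remark Hosts in VLAN 120 may not reach any other internal VLAN
 deny   ip 192.168.120.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any
!
! Traffic the switch would route INTO VLAN 120 (applied "out" on the SVI):
! drop anything sourced from another internal VLAN so the isolation is
! enforced in both directions even though the ACL is stateless.
ip access-list extended VLAN120-ISOLATE-OUT
 remark Other internal VLANs may not reach hosts in VLAN 120
 deny   ip 10.0.0.0 0.255.255.255 192.168.120.0 0.0.0.255
 permit ip any any
!
interface Vlan120
 description Isolated VLAN - ACL enforced, kept out of OSPF
 ip address 192.168.120.1 255.255.255.0
 ip access-group VLAN120-ISOLATE-IN in
 ip access-group VLAN120-ISOLATE-OUT out
!
! Access port for a host in the isolated VLAN (port number assumed)
interface GigabitEthernet1/10
 switchport mode access
 switchport access vlan 120
!
! Checks after applying:
!  - both ACLs listed as inbound/outbound on the SVI
show ip interface vlan 120
!  - deny counters increment when a VLAN 120 host tries to reach 10.x
show ip access-lists VLAN120-ISOLATE-IN
show ip access-lists VLAN120-ISOLATE-OUT
```

Because the SVI still exists, the connected route 192.168.120.0/24 stays in the routing table on this switch (as Victor explains, that is why the other VLANs could reach it before). The ACLs, not the absence of the route, are what now stop the traffic, so any later change to the address plan of the other VLANs has to be reflected in the deny lines. If a VLAN access map (VACL) is preferred instead, it is attached to the VLAN itself with `vlan filter`, and also filters traffic that never crosses the SVI.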
01-30-2009 02:02 PM
All connected VLANs on your L3 switch will communicate with each other since the new VLAN is part of the routing table.
You can use a VACL, if supported on your platform or just create a VLAN without an SVI if that's possible.
Thanks.
01-30-2009 04:37 PM
As Istvan said, just make it a layer 2 vlan. Just type in "no interface vlan 120". This prevents anyone in vlan 120 from being routed anywhere else because there is no layer 3 definition.
01-30-2009 02:07 PM
Hi Amin,
The solution is simple:
Do not create the vlan interface that belongs to vlan 120.
In other words, don't issue this command on the switch:
interface vlan 120
Cheers:
Istvan
01-30-2009 02:17 PM
Istvan,
Do you mean don't assign an IP address to this interface?
Thanks.
01-31-2009 01:10 AM
Yes, not assigning an ip address to interface vlan 120 will work for you as well.
Cheers:
Istvan
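Istvan's approach (a VLAN with no SVI) and the no-IP-address variant he confirms above, as an added example; this is not configuration from the thread. VLAN id 120 comes from the question; the VLAN name and the port number are assumptions.

```cisco
! Added example, not from the thread. VLAN name and port are assumptions.

! 1. The VLAN must exist at layer 2 (and be carried on any trunks that need it)
vlan 120
 name ISOLATED-L2-ONLY
!
! 2. Make sure the switch has no layer-3 presence in it.
!    If "interface vlan 120" was created while testing, remove it:
no interface Vlan120
!
!    Variant confirmed by Istvan: keep the SVI but give it no address.
!    Without an address there is still no connected route, so nothing is routed.
!    (Use one or the other, not both.)
! interface Vlan120
!  no ip address
!  shutdown
!
! 3. Put hosts in the VLAN (port number assumed)
interface GigabitEthernet1/10
 switchport mode access
 switchport access vlan 120
!
! Checks:
!  - no Vlan120 line should appear (or it shows "unassigned" in the variant)
show ip interface brief | include Vlan120
!  - no connected route for VLAN 120's subnet
show ip route connected
!  - the VLAN exists and the port is a member
show vlan id 120
```

Two practical consequences of having no SVI: the switch cannot act as default gateway or DHCP relay for VLAN 120 (`ip helper-address` is configured on the SVI), so hosts in that VLAN need addresses from a DHCP server inside the VLAN or static configuration; and hosts within VLAN 120 can still talk to each other freely, since that traffic is bridged, not routed.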
02-01-2009 04:40 AM
Thanks.
Your input helps.