
Please advise on this solution for switch 3560

I want to separate clients on the same VLAN

server ip : 10.0.0.1 - 10.0.0.10

clients ip : 10.0.0.100 - 10.0.0.200

I want clients to access only the servers, but clients can't talk with other clients

Please give me a config for Cisco 3560 and Cisco 2960

I must use 1 VLAN only

Thank you for the best support


Hi,

You need to configure a private VLAN on the 3560 switch. In this scenario, you have to create one more L2 VLAN, and that will act as the secondary isolated VLAN.

When you configure your user zone (clients) as an isolated VLAN, there will be no communication between the clients.

VLAN 1 -- Primary VLAN; make all those ports promiscuous ports, so that within the server zone there will be communication and they can also communicate with the user zone (clients).

VLAN 2 -- Secondary isolated VLAN. Assign all the client ports to the isolated VLAN, so that they can communicate with the server, but between the clients there won't be any communication.

Before configuring the private VLAN, the switch should be in VTP transparent mode.

For outside users all the ports will be in VLAN 1, but within that, primary and secondary VLANs are configured.

For more information

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swpvlan.html

regards

karuppu

Lei Tian
Cisco Employee

Hi,

Is the interface between the 3560 and 2960 an access port? If yes, you should be able to do it without adding a new VLAN.

Thanks,

Lei Tian

Please give me a config for the 3560 and 2960 on access ports, because I don't understand isolated ports.

Are the server and clients in the same VLAN?

Thank you for the best support

Hi,

Before configuring a private VLAN, the VTP mode of all the switches should be transparent.

As per your network diagram, find the config:

3560 config :

Switch# configure terminal
Switch(config)# vlan 1
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 501
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 1
Switch(config-vlan)# private-vlan association 501
Switch(config-vlan)# end
Switch# show vlan private-vlan

2560 config:

Switch# configure terminal
Switch(config)# vlan 1
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 501
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 1
Switch(config-vlan)# private-vlan association 501
Switch(config-vlan)# exit
Switch(config)# interface fastethernet0/22
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 1 501
Switch(config-if)# end

Hope it helps you.

Regards

Karuppu

If the server and clients are on the same VLAN [VLAN 1], may we use this solution?

Clients can access the server, but clients cannot access other clients.

The server can access all clients.

Please give me a config.

Thank you for the best support

Hi,

The configuration which I have sent is correct.

From an outside perspective, both client and server will be in a single VLAN, that is VLAN 1.

But within that we have separated it into VLAN 1 (primary VLAN) for the server and VLAN 501 (secondary isolated VLAN) for the clients.

The configuration which I have sent you will give a solution to your request.

regards

karuppu

From the configuration:

Servers and clients can use IPs in the same subnet /22, right?

Thank you for your support

A few questions:

Must the 3560 port -> 2960 port be configured as a trunk, or does it need a special command line?

Please advise me.

Thank you for the best support

Hi,

It will use the same segment, that is /22, and the trunk configuration is the same.

No need to do any special configuration on the trunk link.

regards

karuppu

Hi,

Besides the private VLAN solution, if the port between the 2960 and 3560 is an access port, you can consider another solution.

On the 3560, on all client-facing ports and the port connecting to the 2960, configure

switchport protected

On the 2960, on all client-facing ports

switchport protected

You do not need to do anything on the server-facing ports on the 3560 or the uplink port on the 2960.

HTH,

Lei Tian
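
An added example, not part of the thread and not Cisco's code: a Python check over a saved running-config that confirms the protected-port layout described in the reply above, where client-side ports carry `switchport protected` and server-facing ports do not. The interface names, port roles and the config excerpt are constructed for illustration.

```python
import re

# Constructed 3560 running-config excerpt (illustrative, not from the thread).
SAMPLE_3560 = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/10
 switchport mode access
 switchport protected
!
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/24
 switchport mode access
 switchport protected
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_protected(config, must_protect, must_not_protect):
    """Return (port, problem) findings for the protected-port layout."""
    interfaces = parse_interfaces(config)
    findings = []
    for port in sorted(must_protect | must_not_protect):
        if port not in interfaces:
            findings.append((port, "missing from config"))
            continue
        protected = "switchport protected" in interfaces[port]
        if port in must_protect and not protected:
            findings.append((port, "client-side port is not protected"))
        if port in must_not_protect and protected:
            findings.append((port, "server port is protected; protected ports cannot reach it"))
    return findings
```
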
