11-15-2011 02:22 PM - edited 03-07-2019 03:24 AM
Hi all,
I have to add a switch to a production network through a VTP domain. I need to separate the traffic for each client.
So the scenario is like this:
I have to connect two servers to this switch, and the other ports on this switch are connected to the client end.
So my concerns are: first, what do we need to do when adding a new switch to the network, and second, how can we separate the traffic for each client so that they cannot access each other's traffic?
Thanks
Saurabh
11-15-2011 02:32 PM
Hi,
Before adding a VTP client switch to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number. If you add a switch that has a revision number higher than the revision number in the VTP domain, it can erase all VLAN information from the VTP server and the VTP domain.
Have a look at the config guide, for example:
As for how to separate traffic: you can put each customer in a separate VLAN and use ACLs to deny traffic between them. You can also put each customer in a different VRF (if your IOS supports it).
HTH
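As an added example (not part of Reza's reply or of the Cisco config guide), these are the IOS commands to verify, and if necessary zero, the configuration revision on the new switch before it is cabled into the production domain. The domain name PROD and the password are placeholders for whatever the production domain actually uses. Changing the VTP mode to transparent (or changing the domain name) resets the revision to 0, so the switch cannot overwrite the VLAN database of the existing servers when it joins.

```cisco
! Run on the NEW switch while it is still disconnected from the production network.
! Compare "Configuration Revision" here with the same field on the existing VTP server:
show vtp status

configure terminal
 ! Moving to transparent mode zeroes the revision number ...
 vtp mode transparent
 ! ... and going back to client mode keeps it at 0 until the server sends its database.
 ! If the switch should never be able to overwrite the domain, stay in transparent mode instead.
 vtp mode client
 ! Domain name and password are assumptions; use the production values.
 vtp domain PROD
 vtp password S3cret-Example
end

! Revision must now read 0 before the uplink is connected:
show vtp status

! After connecting the uplink, confirm the production VLANs were learned from the server
! (and not the other way round):
show vlan brief
```

If the existing VTP server does not use a password, omit the `vtp password` line; a mismatched password simply stops the switch from receiving the VLAN database, which shows up as an unchanged revision of 0 in `show vtp status`.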
11-15-2011 03:22 PM
Hi Reza,
Thanks for replying.
Suppose my servers are on the 10.200.x.x network and the client end is 192.168.1.0/24.
So for each client I will assign a VLAN and create an SVI for each VLAN on the switch.
In order to prevent them from accessing each other's traffic, what format of ACL do we need to use, and on which interface, e.g. the SVI?
And do we also need to take care of routing on the switch?
thanks
Saurabh
11-15-2011 02:35 PM
Set up VLAN Trunking and only allow the VLANs you want to traverse the VLAN Trunk.
Set your VTP to Transparent Mode.
11-15-2011 04:51 PM
Can anyone shed light on this?
Thanks
11-15-2011 06:15 PM
Hi,
Correct, for each VLAN you need to create an SVI.
In order to prevent them from accessing each other's traffic, what format of ACL do we need to use, and on which interface, e.g. the SVI?
Correct, see the example below.
And do we also need to take care of routing on the switch?
If you are creating the SVIs on the same switch, then traffic between the SVIs will be routed. All you need is to make sure routing is enabled on your switch.
have a look at this example:
In this scenario you are denying traffic between the server and client VLANs:
VLAN 200 is the server VLAN
VLAN 210 is the client VLAN
VLAN 200 = 192.168.200.0/24
VLAN 210 = 192.168.210.0/24
access-list 111 deny ip 192.168.200.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 111 permit ip 192.168.200.0 0.0.0.255 any
access-list 112 deny ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 112 permit ip 192.168.210.0 0.0.0.255 any
int vlan 200
ip access-group 111 in
int vlan 210
ip access-group 112 in
11-15-2011 07:15 PM
Thanks Reza,
I want to deny traffic between the clients, not to the server.
So each client must have access to the server, but the clients must not have access to each other.
VLANs separate the traffic and can provide a solution for this, but I think we need to apply an access list on each SVI to be on the safe side.
vlan 210 is client 1 vlan
vlan 220 is client 2 vlan
For VLAN 210 (client 1):
access-list 112 permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 112 deny ip any any
and for VLAN 220 (client 2):
access-list 113 permit ip 192.168.220.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 113 deny ip any any
and apply them on the SVIs.
So in this case the clients can access data from the server, and each client is kept from accessing the other's traffic.
Please share your idea.
and second thing can we achieve by using private vlan ?
Thanks
Saurabh
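The following is an added, complete IOS configuration for the ACL-based design discussed in this thread; it is not from any of the posts. It uses the addressing from the posts above (server VLAN 200, client VLANs 210 and 220, each in a 192.168.x.0/24) and assumes the port assignments and the uplink Gi0/24 given in the comments. Named ACLs are used so each client VLAN has its own list and a number cannot be reused by mistake; each list is applied inbound on that client's SVI, which filters packets that the client's hosts send toward the switch for routing. The trunk carries only the VLANs that exist on this switch, as suggested earlier in the thread.

```cisco
! Assumptions (not from the thread):
!   VLAN 200 = servers  192.168.200.0/24  on Gi0/1-2
!   VLAN 210 = client 1 192.168.210.0/24  on Gi0/3
!   VLAN 220 = client 2 192.168.220.0/24  on Gi0/4
!   Gi0/24 = uplink trunk to the rest of the network
ip routing

vlan 200
 name SERVERS
vlan 210
 name CLIENT1
vlan 220
 name CLIENT2

! One list per client VLAN: only the server subnet is reachable, everything else is dropped.
! The final deny is explicit (and logged) so hits are visible in show ip access-lists.
ip access-list extended CLIENT1-IN
 permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny   ip any any log
ip access-list extended CLIENT2-IN
 permit ip 192.168.220.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny   ip any any log

interface Vlan200
 ip address 192.168.200.1 255.255.255.0
interface Vlan210
 ip address 192.168.210.1 255.255.255.0
 ip access-group CLIENT1-IN in
interface Vlan220
 ip address 192.168.220.1 255.255.255.0
 ip access-group CLIENT2-IN in

interface range GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 200
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 210
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 220

! Uplink carries only the VLANs present on this switch
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 200,210,220

! Verification: the deny counter must increment when client 1 tries to reach 192.168.220.0/24
! show ip access-lists CLIENT1-IN
```

The inbound SVI ACL only governs routed traffic: hosts inside one client VLAN still reach each other at layer 2, which is acceptable here because every client has its own VLAN. If a client must reach anything beyond the server subnet (DNS, an Internet gateway), add those permits before the final deny. On platforms that only support 802.1Q, the `switchport trunk encapsulation dot1q` line is not accepted and should be omitted.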
11-15-2011 08:06 PM
Hi,
While adding the switch to the live network, take care of the VTP revision number. It should be lower.
For securing the network at layer 2, the best way is to:
Configure the switch interface connected to the server as a promiscuous port.
And the rest of the ports that are connected to clients as isolated ports.
Promiscuous port communicates with all other PVLAN ports. The promiscuous port is the port that you typically use to communicate with external routers, LocalDirectors, network management devices, backup servers, administrative workstations, and other devices. On some switches, the port to the route module
An isolated port has complete Layer 2 separation from other ports within the same PVLAN. This separation includes broadcasts, and the only exception is the promiscuous port. A privacy grant at the Layer 2 level occurs with the block of outgoing traffic to all isolated ports. Traffic that comes from an isolated port forwards to all promiscuous ports only.
11-15-2011 10:14 PM
Thanks for explaining the PVLAN.
If I am configuring this using PVLANs, do I need to configure an ACL to separate traffic between clients,
or are PVLANs able to do it?
11-15-2011 10:37 PM
Hi,
No need to configure an ACL in your scenario. Only if you want to separate traffic flows based on port number do you need to configure a VACL.
Private VLANs will work fine in your case.
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.sh
11-16-2011 04:09 AM
Hi,
I would like to ask how it differentiates traffic flows from different clients, because only one subnet will be used as the default gateway.
So all the client devices will point to that SVI IP address. Do we need to ask the clients to configure static routes? Because at the client end it can be a switch, a router or a Linux device.
thanks
Saurabh
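Added example, not from any post in the thread: a private-VLAN configuration for the design proposed in the replies above (servers on promiscuous ports, client ports isolated) and the gateway arrangement that goes with it. With PVLANs, servers and all clients stay in one primary VLAN and one IP subnet; the SVI on the primary VLAN, mapped to the secondary VLAN, is the single default gateway for everyone, and the isolation is enforced in layer 2 forwarding, so nothing has to change at the client end and no static routes are needed. VLAN numbers, the subnet and the port numbers are assumptions. One caveat worth handling: two isolated hosts can still reach each other by sending packets to the gateway's MAC address with the peer's IP as destination, which the SVI would route straight back into the same subnet. The ACL below drops same-subnet traffic entering the SVI while keeping ICMP to the gateway itself working.

```cisco
! Assumptions (not from the thread):
!   primary VLAN 200   = 192.168.200.0/24, shared by servers and clients
!   isolated VLAN 201  = secondary VLAN holding every client port
!   Gi0/1-2 = servers (promiscuous), Gi0/3-4 = client ports (isolated)
!   192.168.200.1 on Vlan200 = the one default gateway for all of them

! Private VLANs need VTP transparent mode unless VTP version 3 is in use
vtp mode transparent
ip routing

vlan 201
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 201

! Servers: talk to every port in the primary VLAN, isolated ports included
interface range GigabitEthernet0/1 - 2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201

! Clients: layer 2 reachability only to promiscuous ports and the SVI, never to each other
interface range GigabitEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201

! Stop the layer 3 hairpin between isolated hosts: same-subnet traffic must not be
! routed back out of the SVI. ICMP to the gateway address itself stays allowed.
ip access-list extended PVLAN-NO-L3-HAIRPIN
 permit icmp 192.168.200.0 0.0.0.255 host 192.168.200.1
 deny   ip   192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255 log
 permit ip   any any

interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 private-vlan mapping 201
 ip access-group PVLAN-NO-L3-HAIRPIN in

! Verification:
! show vlan private-vlan                      -> 200 primary, 201 isolated, ports listed
! show interfaces GigabitEthernet0/3 switchport -> Operational private-vlan: 200 (201)
```

Server-to-client traffic never passes through the SVI (promiscuous and isolated ports exchange frames directly at layer 2), so the hairpin ACL does not affect it. If a client's own switch hangs off an isolated port, the hosts behind that one switch can still talk to each other on the client's equipment; the isolation is between ports on this switch.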