Cisco Support Community

New Member

OSPF / VLAN

On a 4500 backbone switch we have 15 VLANs running OSPF as the routing protocol. We need to create another new VLAN (vlan 120), and the requirement is that this VLAN should not be allowed to communicate with the other VLANs.

As per the requirement I have not added this VLAN's range to the OSPF routing process, but the other VLANs are still able to communicate.

Can someone explain why this is happening?

1 ACCEPTED SOLUTION
Blue

Re: OSPF / VLAN

Not running OSPF on the new vlan interface simply means that LSUs from this router will not include information regarding the new vlan in its updates to the OSPF neighbors.

That means that a user sitting, say, 3 hops away, will not have a route to that network.

The reason that users on the other vlans that are configured on that 4500 switch can communicate with the new vlan is that they are all directly connected routes. You need a router/L3 switch to pass traffic from one vlan to another (inter-vlan routing). Creating SVIs for several vlans on the same switch satisfies that requirement, thereby allowing users in each of these vlans to communicate with each other.

To isolate the new vlan, you can look into using vlan maps or traditional ACLs and applying them to the vlan's SVI.

http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst4500/12.1/12.1e/configuration/guide/secure.html

HTH

Victor
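A worked configuration for the ACL-on-SVI approach described above, as an added example that is not from the thread or from Cisco's documentation. The addressing is constructed for illustration: the switch's VLAN subnets are assumed to live in 10.1.0.0/16 and vlan 120 is assumed to be 10.1.120.0/24 with the SVI at 10.1.120.1.

```text
! Constructed example: router ACLs applied to the vlan 120 SVI on a Catalyst 4500
!
ip access-list extended VLAN120-IN
 remark Let vlan 120 hosts reach their own gateway (the SVI address) for ping/DHCP relay
 permit ip 10.1.120.0 0.0.0.255 host 10.1.120.1
 remark Block vlan 120 hosts from reaching any other VLAN subnet on this switch
 deny   ip 10.1.120.0 0.0.0.255 10.1.0.0 0.0.255.255
 remark Anything else (e.g. a default route to the Internet) is still allowed
 permit ip any any
!
ip access-list extended VLAN120-OUT
 remark Block hosts in the other VLANs from initiating traffic into vlan 120
 deny   ip 10.1.0.0 0.0.255.255 10.1.120.0 0.0.0.255
 permit ip any any
!
interface Vlan120
 description Isolated VLAN (constructed example)
 ip address 10.1.120.1 255.255.255.0
 ip access-group VLAN120-IN in
 ip access-group VLAN120-OUT out
```

Traffic between two hosts inside vlan 120 is switched at layer 2 and never touches the SVI, so these ACLs do not affect it; verify the result from a vlan 120 host with ping to a host in another VLAN and to the gateway, and inspect hit counts with show ip access-lists.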

7 REPLIES
Silver

Re: OSPF / VLAN

All connected VLANs on your L3 switch will communicate with each other since the new VLAN is part of the routing table.

You can use a VACL, if supported on your platform or just create a VLAN without an SVI if that's possible.

Thanks.

Purple

Re: OSPF / VLAN

As Istvan said, just make it a layer 2 VLAN. Just type in "no interface vlan 120". This prevents anyone in VLAN 120 from being routed anywhere else because there is no layer 3 definition.

Re: OSPF / VLAN

Hi Amin,

The solution is simple:

Do not create the vlan interface that belongs to vlan 120.

In other words, don't issue this command on the switch:

interface vlan 120

Cheers:

Istvan

Silver

Re: OSPF / VLAN

Istvan,

Do you mean don't assign an IP address to this interface?

Thanks.

Re: OSPF / VLAN

Yes, not assigning an IP address to interface vlan 120 will work for you as well.

Cheers:

Istvan

New Member

Re: OSPF / VLAN

thanks
