I have set up a VLAN on a Catalyst 3560 for an iSCSI network. I would like to isolate this traffic from the rest of the LAN. As presently configured, I can ping a device on the iSCSI VLAN from a device connected to a port not part of that VLAN. What configuration change do I need to make to prevent this?
If you want to totally isolate this traffic from the rest of the LAN you can simply remove the Layer 3 SVI for that VLAN. Without a Layer 3 interface nothing will be able to communicate with this VLAN from any other VLAN.
If you need the Layer 3 SVI you could look to use access-lists, e.g.
Let's say the rest of your LAN is:
access-list 101 deny ip 192.168.5.0 0.0.0.255 any
access-list 101 deny ip 192.168.6.0 0.0.0.255 any
! IOS ends every ACL with an implicit "deny ip any any"; without this
! explicit permit the SVI would pass no traffic at all.
access-list 101 permit ip any any
Any traffic, if there is any, from other networks to your iSCSI network you can add here to the access-list.
interface vlan 10
! assuming this is the iSCSI VLAN interface
ip access-group 101 out
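As an added example (not code from this thread or from Cisco), the Python script below models how IOS evaluates the posted access-list: wildcard-mask matching, first match wins, and the implicit deny at the end. The ACL entries, the trailing permit line, the flows and the 10.10.10.5 target address are constructed for illustration; the point it shows is that the two deny lines alone would block every source, not just the two LAN subnets.

```python
import ipaddress
from typing import List, Optional, Tuple

# One ACL entry: (action, src network, src wildcard, dst network, dst wildcard).
# "any" as the network matches everything; its wildcard is then ignored.
Entry = Tuple[str, str, Optional[str], str, Optional[str]]

# Constructed example mirroring the ACL posted above: deny the two LAN
# subnets, then explicitly permit everything else. The permit line is an
# assumption added here; IOS ends every ACL with an implicit "deny ip any any",
# so without it the SVI would forward nothing at all.
ACL_101: List[Entry] = [
    ("deny",   "192.168.5.0", "0.0.0.255", "any", None),
    ("deny",   "192.168.6.0", "0.0.0.255", "any", None),
    ("permit", "any",         None,        "any", None),
]

# The same ACL exactly as posted, with no trailing permit.
ACL_AS_POSTED: List[Entry] = ACL_101[:2]


def wildcard_match(addr: str, network: str, wildcard: Optional[str]) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if network == "any":
        return True
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def evaluate(acl: List[Entry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the matching entry);
    index None means the packet fell through to the implicit deny."""
    for idx, (action, s_net, s_wc, d_net, d_wc) in enumerate(acl):
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action, idx
    return "deny", None


def isolation_report(acl: List[Entry], flows: List[Tuple[str, str]]) -> dict:
    """Evaluate (src, dst) flows as 'ip access-group 101 out' on the iSCSI SVI
    would see them: src is a host on some other VLAN, dst is an iSCSI device."""
    return {flow: evaluate(acl, *flow)[0] for flow in flows}


if __name__ == "__main__":
    # Constructed flows: two LAN hosts and one host on a third, unlisted subnet,
    # all talking to an iSCSI target at 10.10.10.5.
    flows = [("192.168.5.20", "10.10.10.5"),
             ("192.168.6.7", "10.10.10.5"),
             ("172.16.0.9", "10.10.10.5")]
    print("with trailing permit:", isolation_report(ACL_101, flows))
    print("as posted (no permit):", isolation_report(ACL_AS_POSTED, flows))
```

Note that an outbound ACL on the SVI only filters traffic the switch itself routes into the iSCSI VLAN; as the thread later shows, a host with an interface in both VLANs (the NetApp here) can still forward between them without the switch ever seeing the packets cross the SVI.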
Please pardon my limited knowledge, but can you tell me how I can go about removing the Layer 3 SVI from a VLAN? I'm most familiar with configuring my switch using Network Assistant.
Do you have command-line access to the switch? Sorry, I have never used Network Assistant.
If you do have CLI access you need to determine which VLAN is the iSCSI VLAN; let's say it's vlan 10.
From enable mode:
switch# sh ip interface brief
This will list all the interfaces on the switch. You are looking for a Vlan10 interface.
Assuming there is one:
switch# conf t
switch(config)# no interface vlan 10
switch(config)# end
switch# wr mem
By removing the Layer 3 interface nothing on vlan 10 can talk to any other VLAN and no other VLAN can talk to anything on vlan 10.
Be sure that is what you want.
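As an added example (not code from this thread), the Python script below does the check described in the answer above against captured command output instead of by eye: it parses `show ip interface brief` to find which VLANs have an SVI on this switch, parses `show vlan brief` to see which ports sit in each VLAN, and for a given VLAN reports whether it is routed here and, if so, the removal commands from the answer. The two output samples, the VLAN names and port lists, and the `audit_vlan` helper are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output (not from the thread's switch) of the two show
# commands. Vlan1 and Vlan10 have SVIs; VLAN 2 (iSCSI) is Layer 2 only.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.5.1     YES NVRAM  up                    up
Vlan10                 192.168.10.1    YES NVRAM  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/23    unassigned      YES unset  up                    up
"""

SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3
2    iSCSI                            active    Gi0/23, Gi0/24
10   servers                          active    Gi0/4, Gi0/5, Gi0/6,
                                                Gi0/7
"""


def parse_svis(output: str) -> Dict[int, str]:
    """Map VLAN id -> IP address for every Vlan<N> line in 'show ip interface brief'."""
    svis: Dict[int, str] = {}
    for line in output.splitlines():
        m = re.match(r"^Vlan(\d+)\s+(\S+)", line)
        if m:
            svis[int(m.group(1))] = m.group(2)
    return svis


def parse_vlans(output: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map VLAN id -> (name, [ports]) from 'show vlan brief', including the
    indented continuation lines IOS prints for long port lists. Assumes
    single-word VLAN names, as in the constructed sample."""
    vlans: Dict[int, Tuple[str, List[str]]] = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+\S+\s*(.*)$", line)
        if m:
            current = int(m.group(1))
            ports = m.group(3).replace(",", " ").split()
            vlans[current] = (m.group(2), ports)
        elif current is not None and line.startswith(" ") and line.strip():
            vlans[current][1].extend(line.replace(",", " ").split())
    return vlans


def audit_vlan(vlan_id: int, ip_int_brief: str, vlan_brief: str) -> dict:
    """Report whether the VLAN is routed on this switch and, if so, the
    commands the answer above gives to remove its SVI."""
    svis = parse_svis(ip_int_brief)
    vlans = parse_vlans(vlan_brief)
    name, ports = vlans.get(vlan_id, ("<not defined>", []))
    has_svi = vlan_id in svis
    commands = []
    if has_svi:
        commands = ["configure terminal", f"no interface Vlan{vlan_id}",
                    "end", "write memory"]
    return {"vlan": vlan_id, "name": name, "ports": ports,
            "has_svi": has_svi, "svi_ip": svis.get(vlan_id),
            "removal_commands": commands}


if __name__ == "__main__":
    for vid in (2, 10):
        print(audit_vlan(vid, SHOW_IP_INT_BRIEF, SHOW_VLAN_BRIEF))
```

A VLAN with no SVI on this switch is only known not to be routed here; as the rest of the thread shows, a Layer 3 interface on another switch or a dual-homed host can still join it to the LAN, so the audit has to be repeated on every device that touches the VLAN.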
When I issue the sh ip interface command, the VLAN I have defined for iSCSI traffic does not show on the list. It does show with a sh vlan command.
If you do not see the VLAN interface then you don't have a Layer 3 interface on that switch. However, you are saying that you can ping a device on the iSCSI VLAN from a device on another VLAN, so either:
1) You have a Layer 3 interface for the iSCSI VLAN, just not on that switch.
2) Your VLAN allocation and ports within that VLAN are slightly off.
Could you post the configs of the switch? Can you confirm that only the switch you are on would have Layer 3 interfaces for the VLANs?
Is vlan 2 the iSCSI vlan ?
Which vlan is the device connected into that can ping one of the iSCSI devices ?
First, thanks so much for your patience with me! Yes, vlan 2 is the iSCSI VLAN. I can successfully ping from a server connected to vlan 1. I can also ping from my workstation, which is not physically connected to that switch.
Could you provide:
1) The IP address of your workstation, the subnet mask and the default gateway.
2) The same for one of the iSCSI devices that you can ping.
I finally figured out what is going on here, and should have sooner so as to waste less of your time. The NetApp has two interfaces - one connected to vlan 1 and the other to the iSCSI vlan. Apparently the NetApp does some internal routing of traffic from one interface to the other. That's why I was always able to ping from my LAN to the NetApp iSCSI interface. I connected a PC to a port on the iSCSI vlan and was not able to ping any addresses on my lan. The only address I could ping was the ip address of the NetApp connected to the iSCSI vlan. This is what I want. Hope that all made sense, and again thanks much for all your time.
If the iSCSI is not for VMware you can isolate it. If it is for VMware the Service Console must have access to the storage. If all the iSCSI devices can support Jumbo frames on this separate VLAN, performance generally improves and overhead decreases.