
New Member

VLAN Question

All, if I have a VLAN 300 with a management interface of 10.3.240.240 and a VLAN 400 with a management interface of 10.247.1.1, and each port is in the same subnet as the specified VLAN, what prevents traffic from entering the other VLAN?

9 REPLIES
bjw (Silver)

Re: VLAN Question

L3 Routing allows VLANs (broadcast domains) to find each other. If the switch is connected to a router and both subnets are advertised and not inhibited from interacting (routing protocol config or ACL inhibitors), or the switch itself is a L2/L3 device with routing enabled, then they theoretically can interact.

New Member

Re: VLAN Question

Then how do I prevent two VLANs from broadcasting traffic into each VLAN, that is on the same switch?

bjw (Silver)

Re: VLAN Question

Being that a VLAN is defined as its own broadcast domain means that all ports on VLAN 1 will hear all broadcasts within that VLAN. If VLAN 2 is added to a switch, then the same holds true for that VLAN. They are separate broadcast domains.

bjw (Silver)

Re: VLAN Question

Now if your question really is to ensure that NO HOST on VLAN 300 could ever exchange packets with ANY HOST on VLAN 400, that would be an ACL on each VLAN that specifically excludes the entire VLAN network segment. Broadcast traffic is different than unicast/multicast traffic.

Then there's Private Vlans:

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e717.html

Which is a whole different level of separation/protection, etc.

New Member

Re: VLAN Question

OK, so if my objective is to have machine traffic on VLAN 247 and data traffic on VLAN 300, IPX traffic from printers on VLAN 300 will not go over to VLAN 247?

bjw (Silver)

Re: VLAN Question

Yes, as long as you configure the next-hop router/routing protocol to not allow it. It won't do it on a layer 2 switch with routing disabled.

Look at this Doc

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml

Re: VLAN Question

IPX traffic cannot get out of its VLAN because you are not routing IPX. Only IP traffic could be routed between the VLANs. If you want to avoid that, you have lots of solutions like disabling routing, implementing access lists, removing the IP addresses, etc.

VLANs are still providing you with isolation at layer 2, even with your current configuration.

Regards,

Francois
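As an added illustration of the "ACL on each VLAN" and "disable routing" options described in the replies above (example configuration, not from the thread or from Cisco's documentation): an IOS L3 switch with SVIs for VLAN 300 and VLAN 400, where an inbound ACL on each SVI drops IP traffic between the two subnets but still lets each VLAN reach everything else. The /24 masks and the ACL names are assumptions; the thread only gives the two management addresses.

```ios
! Added example, not from the thread. Subnet masks (/24) are assumed.
!
! Option 1: keep inter-VLAN routing, but block the two subnets from each other.
ip access-list extended VLAN300-DENY-VLAN400
 remark hosts in VLAN 300 may not reach the VLAN 400 subnet
 deny   ip 10.3.240.0 0.0.0.255 10.247.1.0 0.0.0.255
 permit ip any any
!
ip access-list extended VLAN400-DENY-VLAN300
 remark hosts in VLAN 400 may not reach the VLAN 300 subnet
 deny   ip 10.247.1.0 0.0.0.255 10.3.240.0 0.0.0.255
 permit ip any any
!
interface Vlan300
 ip address 10.3.240.240 255.255.255.0
 ip access-group VLAN300-DENY-VLAN400 in
!
interface Vlan400
 ip address 10.247.1.1 255.255.255.0
 ip access-group VLAN400-DENY-VLAN300 in
!
! Option 2 (the "disable routing" answer): with no routing at all, the SVIs are
! reachable for management only and nothing is forwarded between the VLANs.
! Use this instead of the ACLs above, not together with them.
! no ip routing
!
! Checks after applying Option 1:
!   show ip access-lists          - deny-line hit counters rise when a host in
!                                   one VLAN tries to reach the other subnet
!   show ip interface Vlan300     - confirms the inbound access list is applied
```

Both ACLs are needed because the inbound filter on one SVI only stops flows that start in that VLAN; a flow initiated from the other VLAN would otherwise still pass.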

Re: VLAN Question

Note that private VLANs will not prevent communication at layer 3.

F.

bjw (Silver)

Re: VLAN Question

Agreed,

Routing, routing, routing, ACLs, filters, PBR... it all depends on what the real operational goals are designed in.
