Okay, let me make sure I understand this correctly...

I create the L3 ports like I need to (my uplinks to the core router), then create a VLAN (say VLAN_20) with an IP address. Following that, give each user a port and add the port to VLAN_20. Is that right? That seems fairly simple...

I guess my only question now is, what type of ACL do I need to create so that I don't have intra-vlan routing? I do want to secure the users from other users on the switch. Does anyone have some examples I can follow?

Thanks!

Justin

I do want to secure the users from other users on the switch. Does anyone have some examples I can follow?

This sounds you want to do Private-vlan.

The private-VLAN feature addresses two problems that service providers face when using VLANs:

•Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the numbers of customers the service provider can support.

•To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses, and cause IP address management problems.

Using private VLANs addresses the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers. Private VLANs partition a regular VLAN domain into subdomains. A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN. A private VLAN can have multiple VLAN pairs, one pair for each subdomain. All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.

There are two types of secondary VLANs:

•Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

•Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.

Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:

•Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.

•Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

•Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.

For more info on private VLAN:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swpvlan.htm#wp1038379

Hi, if the above solution sounds a little longwinded (personally i found it very informative) then you can simply do as you said and put an ACL on the vlan. You do not put the uplink ports into the vlan, leave them as vlan1, (you are confusing L2 with L3 terminology, remember the 3750 IS a router so it will route your vlan ports to your core router)

You would do this similar to a normal ACL so for this example your vlan is vlan20 and the ip address of this vlan is 192.168.1.1

The other vlan (you want to stop from coming into vlan 20) is vlan 21 with an ip address of 192.168.2.1 (remember all your clients on each vlan will need an ip address on the vlan subnet with the vlan ip address as their default gateway)

a simple:

access-list 100 deny ip 192.168.2.0 0.0.0.255 any

access-list 100 permit ip any any

conf t

int vlan 20

access-group 100 out

would do the trick.

Using this path you would only need 1 uplink to the core router

Of course if you already have the 2 uplink ports to the router as you say and you only want your 2 vlan clients to route through that path then the easy way of accomplishing this is to simply do as you would at L2, create your vlan, assign ports to your vlan (including the uplink ports), do not give the vlan an ip address, give your vlan clients the default gateway of the core router interfaces.

ACL will not stop a device in vlan 20 to not talk to another device in vlan 20 - that's intra-vlan or communication within the same vlan. ACL above will stop communication from subnet 192.168.2.0 to 192.168.1.0 but say 192.168.1.49 wants to communicate to any device in 192.168.1.x, the ACL will not stop. For this, he needs private-vlan and then isolate the ports he does not want talking to each other.

I agree, but certainly from my customers needs the norm seems to be each vlan is completely seperate without any communication between them and each member of the same vlan would be able to communicate as you would in a L2 environment. Of course your system will work (i'm certainly not going to argue with a CCIE) but i beleive in not overcomplicating scenario's if there is an easy workaround, if the setup is simple and your objectives are achieved it makes daily admin a doddle.

Okay... I've seen a lot of great posts, I really appreciate all of the ideas. Let me clear up a few things real quick, hopefully I can come up with the right way (for my setup) of doing this.

I'm not so much concerned about intra-vlan communication (vlan 20 talking to another device in vlan 20) as I am about inter-vlan talking (vlan 20 talking to vlan 30), I have to make sure that doesn't happen. In reading of the previous posts it doesn't appear that I need to setup Private-VLAN's, so what is the easiest way to drop inter-vlan traffic? Remember, I've got two uplinks to my core router AND I've got OSPF running as well...

One other quick question I thought of this weekend, since we're on the subject of the 3750. I'm also going to need to traffic shape my customers, they'll purchase a 1mb, 2mb, etc.. account, I'm hoping that the 3750 will handle this task. I've done a lot of reading, a lot of looking through this forum and found a lot of great information, I'm just not sure which way to go:

Do I:

1. Setup an Access-List/Access-Group and

police the traffic using a policy map

and class map?

2. Setup a policy-map and use service-policy

on each interface

3. Use the rate-limit command?

I guess my concern is, if the port is about to exceed the set limit, I don't believe I want to drop the traffic exceeding the limit (like some examples have shown), wouldn't I want to reshape it or mark those packets down?

Thanks everyone,

JP