Hello everyone... I've recently purchased two 3750's with the IP routing image; they are set up in a stack configuration, and everything seems to be working excellently in that department. However, I'm lost as to how to configure the stack for my particular setup; I've never had this much trouble before. These switches will be used in a data center environment, and I'll be giving each customer a port (in their own private VLAN) for access to the internet.
Here is my setup: Single core router with two fiber optic connections to the stack, one on GI1/0/1 and another on GI2/0/28. I'll be running OSPF between the stack and the core router (core router is a linux box running GateD). The links are up, OSPF seems to be flowing, I'm just not sure how to configure the VLAN portion so that traffic will flow out one of the interfaces. Normally I would build the users port, put them in a VLAN with membership to the uplink port, but I can't do that with a non-switchport interface.
What am I missing?
You're exactly right, an L3 port (non-switchport) cannot be assigned to a VLAN or private VLAN, so you need to make the user port a switchport.
I have a similar setup with my 3750's: you leave the ports as switchports and, because the 3750 is an L3 switch, you simply place them in the same VLAN and give the VLAN an IP address. You will then be routing fine. Remember that once you IP address your VLANs on the 3750 you will need an ACL to secure them from each other (if this is necessary), as the 3750 will route between VLANs.
Okay, let me make sure I understand this correctly...
I create the L3 ports like I need to (my uplinks to the core router), then create a VLAN (say VLAN_20) with an IP address. Following that, give each user a port and add the port to VLAN_20. Is that right? That seems fairly simple...
I guess my only question now is, what type of ACL do I need to create so that I don't have intra-vlan routing? I do want to secure the users from other users on the switch. Does anyone have some examples I can follow?
This sounds like you want to do private VLANs.
The private-VLAN feature addresses two problems that service providers face when using VLANs:
Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the number of customers the service provider can support.
To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses, and cause IP address management problems.
Using private VLANs addresses the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers. Private VLANs partition a regular VLAN domain into subdomains. A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN. A private VLAN can have multiple VLAN pairs, one pair for each subdomain. All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.
There are two types of secondary VLANs:
Isolated VLANs: Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
Community VLANs: Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.
Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:
Promiscuous: A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.
Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
Community: A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.
For more info on private VLAN:
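To make the description above concrete, here is an added configuration example (not from the original thread or from any poster) of the private-VLAN layout on a 3750 stack as the original poster described it: customer ports as isolated or community host ports, the SVI on the primary VLAN acting as the promiscuous gateway, and the two routed uplinks left untouched. VLAN IDs 200/201/202, the 10.20.0.0/24 subnet, the port numbers and the OSPF process number are all assumed for illustration.

```cisco
! Added example, not from the thread. Assumed: primary VLAN 200, isolated
! secondary 201, community secondary 202, customer subnet 10.20.0.0/24.
! Private VLANs on this platform require VTP transparent mode.
vtp mode transparent
!
vlan 201
 private-vlan isolated
!
vlan 202
 private-vlan community
!
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Isolated host ports: customers A and B share the primary VLAN and subnet but
! cannot exchange frames at Layer 2; only the promiscuous side (the SVI) sees them.
interface GigabitEthernet1/0/2
 description Customer A (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
interface GigabitEthernet1/0/3
 description Customer B (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Community host port: members of VLAN 202 can talk to each other and to the
! gateway, but not to the isolated ports above.
interface GigabitEthernet1/0/4
 description Customer C, second site (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! The SVI on the primary VLAN is the customers' default gateway. Mapping the
! secondary VLANs onto it lets the 3750 route for all of them from one subnet.
! Leave local proxy ARP off here (the default): turning it on would let the
! router answer ARP on behalf of isolated hosts and re-join them at Layer 3.
interface Vlan200
 ip address 10.20.0.1 255.255.255.0
 private-vlan mapping 201,202
!
! The fibre uplinks (Gi1/0/1, Gi2/0/28) stay as routed ports; OSPF carries
! the customer subnet to the core router exactly as with any other SVI.
router ospf 1
 network 10.20.0.0 0.0.0.255 area 0
```

After applying it, `show vlan private-vlan` should list 200 with 201 (isolated) and 202 (community) as its associations, and `show interfaces GigabitEthernet1/0/2 switchport` should report the port as a private-vlan host in 200/201. Adding a customer is then a single host port, with no new VLAN or subnet per customer, which is the scalability point the text above makes.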
Hi, if the above solution sounds a little long-winded (personally I found it very informative) then you can simply do as you said and put an ACL on the VLAN. You do not put the uplink ports into the VLAN; leave them as VLAN 1 (you are confusing L2 with L3 terminology; remember the 3750 IS a router, so it will route your VLAN ports to your core router).
You would do this similar to a normal ACL so for this example your vlan is vlan20 and the ip address of this vlan is 192.168.1.1
The other vlan (you want to stop from coming into vlan 20) is vlan 21 with an ip address of 192.168.2.1 (remember all your clients on each vlan will need an ip address on the vlan subnet with the vlan ip address as their default gateway)
access-list 100 deny ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip any any
int vlan 20
ip access-group 100 out
would do the trick.
Using this path you would only need 1 uplink to the core router
Of course if you already have the 2 uplink ports to the router as you say and you only want your 2 vlan clients to route through that path then the easy way of accomplishing this is to simply do as you would at L2, create your vlan, assign ports to your vlan (including the uplink ports), do not give the vlan an ip address, give your vlan clients the default gateway of the core router interfaces.
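As an added worked example (not the poster's own configuration), here is the per-SVI ACL approach written out for the original poster's case: two customer VLANs that must not reach each other, while everything else is routed out over the OSPF uplinks. It differs from the two-line ACL above in three ways a practitioner would want: it is applied inbound on each customer SVI, it denies a whole aggregate of customer address space so that adding a customer does not mean editing every existing ACL, and it only admits packets sourced from the customer's own prefix. The VLAN IDs, the 192.168.0.0/16 aggregate, the subnets, the port and the gateway addresses are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed: all customer subnets are carved
! from 192.168.0.0/16; VLAN 20 = 192.168.1.0/24, VLAN 30 = 192.168.2.0/24.
! The routed uplinks and OSPF stay as in the original post.
!
! Inbound on each customer SVI:
!  1. let hosts reach their own gateway (ping, DHCP relay, etc.)
!  2. drop anything aimed at any other customer subnet in the aggregate
!  3. allow only the customer's own prefix out (anti-spoofing)
!  4. drop everything else (the implicit deny, written out for clarity)
! Note: traffic between two hosts in the same VLAN is Layer 2 switched and
! never enters the SVI, so this ACL does not see it.
ip access-list extended CUST-VLAN20-IN
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended CUST-VLAN30-IN
 permit ip 192.168.2.0 0.0.0.255 host 192.168.2.1
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.2.0 0.0.0.255 any
 deny   ip any any
!
interface Vlan20
 ip address 192.168.1.1 255.255.255.0
 ip access-group CUST-VLAN20-IN in
!
interface Vlan30
 ip address 192.168.2.1 255.255.255.0
 ip access-group CUST-VLAN30-IN in
!
! Customer access ports stay plain switchports in their VLAN.
interface GigabitEthernet1/0/5
 description Customer A
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 description Customer B
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
```

Because the deny line matches the whole 192.168.0.0/16 aggregate rather than one neighbour subnet, a new customer on VLAN 40 only needs its own SVI and ACL; the existing customers are already blocked from reaching it. `show ip access-lists CUST-VLAN20-IN` shows per-line hit counts, which is the quickest way to confirm that cross-customer packets are landing on the deny line rather than leaking through.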
An ACL will not stop a device in vlan 20 from talking to another device in vlan 20 - that's intra-vlan, or communication within the same vlan. The ACL above will stop communication from subnet 192.168.2.0 to 192.168.1.0, but say 192.168.1.49 wants to communicate with any device in 192.168.1.x; the ACL will not stop that. For this, he needs private VLANs, and then isolate the ports he does not want talking to each other.
I agree, but certainly from my customers' needs the norm seems to be that each VLAN is completely separate without any communication between them, and each member of the same VLAN would be able to communicate as you would in an L2 environment. Of course your system will work (I'm certainly not going to argue with a CCIE), but I believe in not overcomplicating scenarios if there is an easy workaround; if the setup is simple and your objectives are achieved it makes daily admin a doddle.
Okay... I've seen a lot of great posts, I really appreciate all of the ideas. Let me clear up a few things real quick, hopefully I can come up with the right way (for my setup) of doing this.
I'm not so much concerned about intra-VLAN communication (vlan 20 talking to another device in vlan 20) as I am about inter-VLAN talking (vlan 20 talking to vlan 30); I have to make sure that doesn't happen. In reading the previous posts it doesn't appear that I need to set up private VLANs, so what is the easiest way to drop inter-VLAN traffic? Remember, I've got two uplinks to my core router AND I've got OSPF running as well...
One other quick question I thought of this weekend, since we're on the subject of the 3750. I'm also going to need to traffic shape my customers; they'll purchase a 1 Mb, 2 Mb, etc. account, and I'm hoping that the 3750 will handle this task. I've done a lot of reading, a lot of looking through this forum, and found a lot of great information; I'm just not sure which way to go:
1. Set up an access-list/access-group and police the traffic using a policy map and class map?
2. Set up a policy-map and use service-policy on each interface?
3. Use the rate-limit command?
I guess my concern is, if the port is about to exceed the set limit, I don't believe I want to drop the traffic exceeding the limit (like some examples have shown), wouldn't I want to reshape it or mark those packets down?