Cisco Support Community

Routing between certain *sets* of VLANs

Hi, we are setting up a datacenter with 4 6500 switches and a bunch of 3500 switches. I think we want a rather unusual setup, so I need some help here!

SITUATION
---------

We separated Windows, Unix and VMS servers by using VLAN 110, 120 and 130. There is a VLAN 50 from which we can manage servers in all three sets. We use inter-VLAN routing to enable communication.

GOAL
----

What we plan to do is to maintain this platform separation, but to create two other sets of VLANs which contain servers in a certain 'stage' of development.

Stage A - VLAN 110/120/130

Stage B - VLAN 210/220/230

Stage C - VLAN 310/320/330

All stages *must* be separated (from OSI layer 2 and up).

HOW?
----

Questions:

1) How can I route within sets, but not communicate outside sets?

2) Can I maintain one single management VLAN 50? Or do I need a 150/250/350?

Thanks in advance for your advice!

Re. Mark

3 REPLIES

Re: Routing between certain *sets* of VLANs

Hello Mark,

I suppose you need to separate the sets from each other, and that they all can communicate with VLAN 50?

Achieving this will require the use of access lists. This also implies that you need a clever setup for your IP plan, or your access lists will become very long.

I would consider assigning a range for each Stage like this:

A 10.1.110.0 up to 10.1.130.0

B 10.2.110.0 up to 10.2.130.0

C 10.3.110.0 up to 10.3.130.0

Each stage now consists of three /24 subnets.

With this kind of setup you could filter on source addresses using an outbound access list.

Regards,

Leo
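The following is an added illustration of Leo's suggestion in IOS syntax; it is not from the thread. It assumes all SVIs live on one 6500, that management VLAN 50 is 10.0.50.0/24, and that each stage summarises to its own /16 (10.1, 10.2, 10.3), which is why the lists stay short.

```cisco
! Added example (not from the thread): per-stage filtering on the 6500 SVIs
! using Leo's address plan. Assumptions: all SVIs are on one 6500, the
! management VLAN 50 is 10.0.50.0/24, and Stage A/B/C summarise to
! 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16.
!
! Stage A hosts may talk to any Stage A subnet and to management, nothing else.
ip access-list extended STAGE-A-IN
 remark intra-stage traffic: VLAN 110/120/130 to each other
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 remark connections and replies to the management VLAN 50
 permit ip 10.1.0.0 0.0.255.255 10.0.50.0 0.0.0.255
 remark everything else (Stage B, Stage C, spoofed sources) is dropped and logged
 deny   ip any any log
!
ip access-list extended STAGE-B-IN
 permit ip 10.2.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 10.0.50.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended STAGE-C-IN
 permit ip 10.3.0.0 0.0.255.255 10.3.0.0 0.0.255.255
 permit ip 10.3.0.0 0.0.255.255 10.0.50.0 0.0.0.255
 deny   ip any any log
!
! Apply each list inbound on the three SVIs of its stage. Filtering at
! ingress means a Stage A packet is dropped before it is routed anywhere.
interface Vlan110
 description Stage A - Windows
 ip address 10.1.110.1 255.255.255.0
 ip access-group STAGE-A-IN in
interface Vlan120
 description Stage A - Unix
 ip address 10.1.120.1 255.255.255.0
 ip access-group STAGE-A-IN in
interface Vlan130
 description Stage A - VMS
 ip address 10.1.130.1 255.255.255.0
 ip access-group STAGE-A-IN in
!
! Vlan210-230 and Vlan310-330 get STAGE-B-IN / STAGE-C-IN the same way.
! The management SVI carries no ACL, so VLAN 50 reaches every stage; a host
! in Stage A that forges a 10.2.x.x source is still denied, because only the
! stage's own /16 is a permitted source on its SVIs.
interface Vlan50
 description Management
 ip address 10.0.50.1 255.255.255.0
```

This only works when every stage has a distinct address range, which is exactly the constraint Mark raises in his reply below; with overlapping plans the filtering has to key on the VLAN rather than the IP, and plain routed ACLs cannot do that.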

Re: Routing between certain *sets* of VLANs

Hi Leo,

Unfortunately that is not possible. The situation can / will arise that all three sets use the same IP number plan (in that case, one management VLAN 50 will not be sufficient; think of an extension of all three sets with their own management VLAN).

This means I want separation based on the VLAN the traffic is coming from. I searched for ACLs; they can filter on IP, IPX, MAC address, etc., but I cannot find a way to have them filter on the 'originating VLAN' of the traffic...

Do you have any clue?

My worst-case solution is to isolate the 6500s and patch all equipment cabling to another 6500 and back again, which is quite impractical and not flexible.

Re. Mark

Anonymous

Re: Routing between certain *sets* of VLANs

Have you looked at using private VLANs for this? From what you are requesting, I would suggest that you configure this with private VLANs and VACLs. Here is a link about private VLANs.

http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

This link is how to configure isolated vlans.

http://www.cisco.com/en/US/customer/tech/tk389/tk689/technologies_configuration_example09186a008017acad.shtml
