Routing between certain *sets* of VLANs

Hi, we are setting up a datacenter with 4 6500 switches, and a bunch of 3500 switches. I think we want a rather unusual setup, I need some help here!



We separated Windows, Unix and VMS servers by using VLAN 110, 120 and 130. There is a VLAN50 from which we can manage servers in all three sets. We use inter-VLAN routing to enable communication.



What we plan to do is to maintain this platform separation, but to create two other sets of VLANs which contain servers in a certain 'stage' of development.

Stage A - VLAN 110/120/130

Stage B - VLAN 210/220/230

Stage C - VLAN 310/320/330

All stages *must* be separated (from OSI layer 2 and up).




1) How can I route within sets, but not communicate outside sets?

2) Can I maintain one single Management VLAN50? Or do I need a 150-250-350???

Thanks in advance for your advice!!!

Re: Routing between certain *sets* of VLANs

Hello Mark,

I suppose you need to separate the sets from each other and that they all can communicate with the vlan50?

Achieving this will require the use of access-lists. This also implies that you have a clever setup for your IP plan or your access lists will become very long.

I would consider assigning a range for each Stage like this:

A up to

B up to

C up to

Each stage now consists of three /24 subnets.

With this kind of setup you could filter on source addresses using an access-list out.
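
Added example, not part of the post above or of any configuration from this thread: the per-stage range idea written as Cisco IOS extended ACLs applied outbound on each stage's VLAN interfaces. It assumes native IOS on the 6500s, stage ranges that do not overlap, and the constructed addresses and ACL names given in the comments.

```cisco
! Constructed plan (assumption): management VLAN 50 = 10.50.0.0/24,
! Stage A = 10.1.0.0/16, Stage B = 10.2.0.0/16, Stage C = 10.3.0.0/16,
! each VLAN a /24 inside its stage range (e.g. VLAN 110 = 10.1.10.0/24).
! Packets routed into a stage VLAN must come from that stage or management.
ip access-list extended STAGE-A-OUT
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.50.0.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended STAGE-B-OUT
 permit ip 10.2.0.0 0.0.255.255 any
 permit ip 10.50.0.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended STAGE-C-OUT
 permit ip 10.3.0.0 0.0.255.255 any
 permit ip 10.50.0.0 0.0.0.255 any
 deny   ip any any
!
! "out" on an SVI filters packets the switch routes toward that VLAN.
interface Vlan110
 ip access-group STAGE-A-OUT out
interface Vlan120
 ip access-group STAGE-A-OUT out
interface Vlan130
 ip access-group STAGE-A-OUT out
interface Vlan210
 ip access-group STAGE-B-OUT out
interface Vlan220
 ip access-group STAGE-B-OUT out
interface Vlan230
 ip access-group STAGE-B-OUT out
interface Vlan310
 ip access-group STAGE-C-OUT out
interface Vlan320
 ip access-group STAGE-C-OUT out
interface Vlan330
 ip access-group STAGE-C-OUT out
```

Because every stage gets one summarizable range, each ACL stays at three entries no matter how many VLANs a stage holds; traffic between VLANs of the same stage and from VLAN 50 is routed, while packets sourced from another stage are dropped at the destination SVI.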



Re: Routing between certain *sets* of VLANs

Hi Leo,

Unfortunately that is not possible. The situation can / will arise that all three sets will use the same IP number plan (in that case, one mgt VLAN50 will not be sufficient; think of an extension of all three sets with an own mgt VLAN).

This means I want separation based on the VLAN traffic is coming from. I searched for ACLs - they can filter on IP, IPX, MAC address, etc. etc. but I cannot find a way to have them filtering the 'originating VLAN' of traffic...

Have any clue?

My worst-case solution is to isolate the 6500s and patch all equipment cabling to another 6500 - and back again - which is quite impractical and not flexible.

Re: Routing between certain *sets* of VLANs

Have you looked at using private VLANs for this? I would suggest from what you are requesting that you configure this with private VLANs and VACLs. Here is a link about private VLANs.

This link is how to configure isolated vlans.

