Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco SG300 blocking inter-VLAN traffic

I have a Cisco SG300 switch configured in L3 mode. I configured two VLANs and everything seems to be working fine. The switch adds an IPv4 directly connected route the moment I add an IP address to the VLAN. The problem is by default systems in these two VLANs are able to communicate with each other through these directly connected routes which I'm not able to remove. While I can block them using access lists, I want the default behavior to block communication between VLANs until I explicitly configure otherwise. How do I achieve this?

4 REPLIES
New Member

I went looking for an answer

I went looking for an answer to the same a question a while back

To my knowledge, the only way is to use ACL's

 

Also something else to be aware of,

the use of ACL's is the only way to prevent access to the mgmt interfaces

The mgmt intefaces are exposed to each IP assinged an interface

 

 

New Member

There is another possible way

There is another possible way, now that Private VLAN was added to the newest firmware, 1.4.0.88

Prior to this, all we had was PVE - Private VLAN Edge (aka Protected Port)

http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/release_notes/Sx300_Series_Switches_1_4_0_x.pdf

 

Here is a good article on the two features

Comparing PVLAN to PVLAN Edge

http://www.packetu.com/2012/10/23/comparing-pvlan-to-pvlan-edge/

 

Here is a follow up article focues on using it in a L3 scenario

Understanding the PVLAN Promiscuous Trunk Feature for Routing on a Stick

http://www.packetu.com/2012/12/18/understanding-the-pvlan-promiscuous-trunk-feature-for-routing-on-a-stick/

 

New Member

After playing with the new

After playing with the new firmware, 1.4.0.88, in L3 mode

It doesnt look like the PVLAN is going to do what you want

 

Here is a Cisco artcile on the topic

Private VLANs (PVLANs) - Promiscuous, Isolated, Community

http://www.cisco.com/c/en/us/tech/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/index.html

PVLANs provide Layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:

  • Promiscuous— A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  • Isolated— An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.
  • Community— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
Cisco Employee

Hi,This is just as it suppose

Hi,

This is just as it suppose to be as layer 3 switch is not exactly the same as firewall.  All directly connected interfaces having such a route entry.

There are several ways to implement it. It all really depends on your current and future network topology and very much on the traffic pattern. I would really advise you to call Cisco Small Business Support team and work with one of the engineers directly:

http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards

Aleksandra

994
Views
0
Helpful
4
Replies
CreatePlease to create content