I have a Cisco SG300 switch configured in L3 mode. I configured two VLANs and everything seems to be working fine. The switch adds an IPv4 directly connected route the moment I add an IP address to the VLAN. The problem is by default systems in these two VLANs are able to communicate with each other through these directly connected routes which I'm not able to remove. While I can block them using access lists, I want the default behavior to block communication between VLANs until I explicitly configure otherwise. How do I achieve this?
PVLANs provide Layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:
Promiscuous: A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
Isolated: An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
Community: Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
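An added configuration example (not part of the original answer) showing how the three PVLAN port types above map onto a Sx300-series switch running firmware that supports private VLANs: VLAN 100 is the primary, 101 the isolated secondary, 102 a community secondary, and the port names gi1 through gi4 and the VLAN numbers are assumptions; verify the exact command syntax against the CLI guide for your firmware version.

```cisco
! Constructed example: primary VLAN 100 with one isolated and one community secondary VLAN
vlan database
 vlan 100,101,102
exit
! Declare the primary VLAN and bind the secondary VLANs to it
interface vlan 100
 private-vlan primary
 private-vlan association add 101,102
exit
! Secondary VLAN types
interface vlan 101
 private-vlan isolated
exit
interface vlan 102
 private-vlan community
exit
! gi1 = promiscuous port (uplink/router side): may reach every host in 101 and 102
interface gi1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 add 101,102
exit
! gi2 = isolated host: can only talk to the promiscuous port, never to gi3/gi4
interface gi2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
exit
! gi3 and gi4 = community hosts: talk to each other and to the promiscuous port only
interface gi3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
exit
interface gi4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
exit
```

This isolation is enforced at Layer 2 inside the primary VLAN 100; traffic that is routed between two separate VLAN interfaces, as in the question, still follows the directly connected routes and is governed by the access lists the question mentions.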
This is just as it is supposed to be, as a layer 3 switch is not exactly the same as a firewall. All directly connected interfaces have such a route entry.
There are several ways to implement it. It all really depends on your current and future network topology and very much on the traffic pattern. I would really advise you to call the Cisco Small Business Support team and work with one of the engineers directly.