As per my attached diagram, I have three switches (a Cat 3560-E and a couple of Cat 2960-G).
Each PC is on a different VLAN:
PC-1 on VLAN 100
PC-2 on VLAN 200
I need to connect PC-1 and PC-2 to the server. The server has no fixed VLAN and its VLAN can be changed.
1) Can't change the PCs' VLAN assignment.
2) Can't add a 2nd NIC to the server.
I've tried a private VLAN, but it requires separate physical ports for the host and/or community VLAN, and somehow it did not work. I could be wrong.
Trunking using dot1q is enabled on port 2 on all switches, and the connection works fine (server to PC-1 or server to PC-2) by enabling switchport access vlan 100 or switchport access vlan 200.
However, I need port 5 on switch-1 to respond to both VLAN 100 and VLAN 200.
Your help is appreciated.
What exactly are you trying to accomplish here? If we step back and go a step above your specific question, what is your actual requirement? Do you require that all three machines be on the same subnet, but PC1 and PC2 not be able to communicate with each other? -Ed
Thanks Ed for the quick response. The requirement is bi-directional connections between (server from/to PC-1) and (server from/to PC-2). There is no need for PC-1 to communicate with PC-2.
Hope that makes it clear, or at least a bit clearer.
Can your server interpret VLAN tagging? If yes, you can also configure the interface between the server and the switch as a trunk.
Hope that helps.
That helps a bit, but more specifically, are you requiring that PC1 and PC2 not be able to communicate?
This is an interesting situation which is why I was asking about the exact requirements. Can you also supply the details (at least box diagram) of the equipment in the "LAN" cloud in your diagram?
Private VLANs are not available (as of my last check) on the 2960 platform. They are available on the 3560 platform, but without knowing the rest of your design that may create restrictions on other devices in your network that are unacceptable. The 2960 platform incorporates the "protected port" ("PVLAN edge") feature, but this is only locally significant to the device and would not apply here where the affected ports are on different devices.
I see you have trunks in the diagram, but are end-to-end VLANs a requirement in your network? What is the reason for requiring PC1 to be on VLAN 100 and PC2 to be on VLAN 200? I just want to understand the full set of requirements that you must work within.
Do you understand routing? Whereby a router will send traffic, no matter where it comes from, to where it has to go?
In your case you have a layer 3 switch, which does that at wire speed.
It only needs to be configured. If you do not have experience and/or certifications, I recommend you give the job to a professional.
I would like to keep the solution at the layer 3 switch; injecting a router would be a last option, hence this posting, to get feedback from professionals and hear their ideas and guidelines.
I tried the following:
1) switchport multi vlan vlan-list would solve this, but the command is no longer available on newer Cat switches.
2) switchport voice vlan ... but that doesn't work.
Why don't you try to implement inter-VLAN routing, and use an access list to block the traffic between the PCs?
I agree with Paolo and Arun that probably the best solution here is to implement inter-VLAN routing on SW-1 and apply an ACL so that PC1 and PC2 cannot communicate.
But take care: if you choose this solution, your switch (3560) must have at least the IP Base licence installed on it.
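The following is an added illustration of the inter-VLAN routing plus ACL approach the last two replies describe; it is not configuration from any poster in the thread. It puts the server on its own VLAN on SW-1 (so the server needs no VLAN awareness), routes between the three VLANs on the 3560, and filters PC-1 to PC-2 traffic inbound on the PC SVIs. The VLAN number 300, the subnets, host addresses and the interface name GigabitEthernet0/5 for "port 5 on switch-1" are all assumptions made up for the example.

```cisco
! Added example (not from the thread): SW-1 (Catalyst 3560, IP Base) routing between
! the two PC VLANs and a new server VLAN, with an ACL that keeps PC-1 and PC-2 apart.
! Assumed addressing (constructed for this example):
!   VLAN 100  192.168.100.0/24   PC-1 = .10    SVI = .1
!   VLAN 200  192.168.200.0/24   PC-2 = .10    SVI = .1
!   VLAN 300  192.168.30.0/24    server = .10  SVI = .1   (server on Gi0/5 of SW-1)
ip routing
!
vlan 300
 name SERVERS
!
! Server port: plain access port in the server VLAN, no tagging needed on the host
interface GigabitEthernet0/5
 description Server
 switchport mode access
 switchport access vlan 300
 spanning-tree portfast
!
! Routed interfaces: PCs and server use the SVI address of their VLAN as default gateway
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip access-group PC-VLAN100-IN in
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip access-group PC-VLAN200-IN in
!
interface Vlan300
 ip address 192.168.30.1 255.255.255.0
!
! Inbound on each PC SVI: drop anything destined for the other PC subnet,
! let everything else through (the server subnet included).
ip access-list extended PC-VLAN100-IN
 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip any any
!
ip access-list extended PC-VLAN200-IN
 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any any
```

VLAN 300 only has to exist on SW-1, since the server is local to it; the existing dot1q trunks already carry VLAN 100 and 200 from the 2960s. After applying this, a ping from PC-1 to the server should succeed and a ping from PC-1 to PC-2 should fail (the deny is evaluated before the packet is routed). The separation holds only as long as SW-1 is the sole device routing between VLAN 100 and 200: if something in the "LAN" cloud also routes those subnets, the same filtering has to be applied there, which is why the earlier replies asked for the rest of the design.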