topic It seems to me that private in Switching

2 network connected to 1 switch

mohdyasir.02 — Fri, 08 Mar 2019 18:16:52 GMT

Hi all,

I have a question that may seem dumb to the engineers in this forum. However, but if possible do answer....

In below topology i have to make PC0 should not communicate with PC1 and PC2 should not communicate with PC3.

But PC2 should talk to PC1 and PC0 to PC3 respectively (Without using Access list).

We are running OSPF between routers.

Hey

Mark Malone — Fri, 21 Apr 2017 11:41:38 GMT

Hey

out of interest why wouldn't you use an ACL ?

There is another way but its more complicated , private vlans setup

or protected ports as options may be a good choice as they cant talk to each other on same switch but they can speak to same subnet on other switches

http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011101.html

http://blog.ine.com/2008/01/31/understanding-private-vlans/

I tried PVLAN but pc1 is

mohdyasir.02 — Fri, 21 Apr 2017 20:39:15 GMT

I tried PVLAN but pc1 is pinging pc2 and pc3.....

With a routed link on the

Richard Burts — Sun, 23 Apr 2017 13:35:14 GMT

With a routed link on the serial connection running OSPF I am not sure that there is a way to achieve the restriction on which PC communicates with which PC that does not use access lists. So I will repeat Mark's question: why are you excluding access lists from the options?

HTH

Rick

Thanks Richard for the reply.

mohdyasir.02 — Mon, 24 Apr 2017 03:42:11 GMT

Thanks Richard for the reply.

Actually i am using customize router and switches.... 😞

So we dont have any option for using ACL....(my bad).

if your devices doesn't have

nurbol555 — Mon, 24 Apr 2017 05:01:50 GMT

if your devices doesn't have ACL option, they hardly have other option like VRF, but if they support VRF you can use it, and separate your network with VRF, or you can use several OSPF for each connection own OSPF

Switches have the ability to

Mark Malone — Mon, 24 Apr 2017 06:24:54 GMT

Switches have the ability to do pvlans but not acls ? What exactly are these devices ?

you don't have many options left as you can't route filter in same lsdb in ospf at layer3 , can you change the igp and use something else or use statics with bgp you could filter then at router level?

As nurbol555 has noted, w/o

Joseph W. Doherty — Mon, 24 Apr 2017 12:36:15 GMT

As nurbol555 has noted, w/o ACLs, this might be accomplished by having the devices in different routing domains, either using multiple OSPF processes or VRFs. You can then control what device can reach another by what routing information is shared between your routing domains.

It seems to me that private

Richard Burts — Mon, 24 Apr 2017 12:43:05 GMT

It seems to me that private vlans might be a solution for controlling what device talks to what device for traffic on a switch. But I see the major issue being what do you do to control traffic that is sent over the routed link on the serial connecting the two. How would private vlan interact with the routed link without using access lists.

I agree that this seems a very strange situation and we need the original poster to clarify what these switches and routers really are.

HTH

Rick

Joseph suggests techniques

Richard Burts — Mon, 24 Apr 2017 12:46:00 GMT

Joseph suggests techniques that would typically be considered including multiple OSPF processes to separate the traffic. But with a serial link connecting the routers how do you use multiple OSPF processes. For that serial link it can operate in only one OSPF process. And how could we use VRFs on that single routed link?

HTH

Rick

Rick, excellent question!

Joseph W. Doherty — Tue, 25 Apr 2017 09:46:40 GMT

Rick, excellent question!

How about using technology that allows multiple IPs across a serial link? GRE tunnels first come to mind. You might also be able to run L2TPv3, MPLS, frame-relay encapsulation, etc.

Oh, forgot to mention,

Joseph W. Doherty — Tue, 25 Apr 2017 11:52:40 GMT

Oh, forgot to mention, another approach would be to place the serial link in its own routing domain. As such, you would redistribute into it all the other routing domains routes, but the other routing domains would only contain "their" routes.

Thanks a lot for all your

mohdyasir.02 — Wed, 26 Apr 2017 04:08:39 GMT

Thanks a lot for all your replies...

what if i change serial interface to Ethernet interface.....will in that case there r few options...???

Is it possible to do with VLAN..... i have to segregate the Data traffic with management traffic.

Changing the connection

Richard Burts — Wed, 26 Apr 2017 13:17:19 GMT

Changing the connection between routers to Ethernet may have some interesting possibilities. I am still concerned about what kind of devices these are and what capabilities do they have? If they do not have the ability to do access lists can we be sure that they have capabilities to do vlan subinterfaces and to run multiple instances of a routing protocol?

If these were normal routers then you might be able to configure two vlan subinterfaces on the connection between the routers. Then you would run an instance of OSPF on the vlans where PC2 and PC1 are and on one of the subinterface vlans on the router (perhaps ospf 21) and you would run another instance of OSPF on the vlans where PC3 and PC0 are and the other vlan subinterface (perhaps ospf30). That would allow the communication that you want.

HTH

Rick

Richard.... yes we dont have

mohdyasir.02 — Thu, 27 Apr 2017 22:51:14 GMT

Richard.... yes we dont have option of acl's....at-least not now....

but what you have mention i can try that and see if it work for me..... please if possible can you provide me some more information or example to use above information practically.....

It will be really great help....!!!!

Thank you so much..... for all the replies....