I have a situation where I have ethernet traffic from two separate networks/ip subnets (Subnet A and Subnet B) on a single ethernet connection. I have the need to separate the traffic into two separate networks and two isolated broadcast domains. I thought this could easily be accomplished with a Cisco 300 Layer 3 switch, but I can't get it to work correctly.
I have the switch set to IP routing mode. I have three VLANs configured. VLAN 1 sees the combined Layer 2 & 3 ethernet traffic for both subnet A and subnet B. VLAN 10 has an IP address assigned from subnet A and is the gateway for devices within that subnet. VLAN 20 has an IP address assigned from subnet B and is the gateway for devices within that subnet. IP proxy arp is on by default and should be active.
Devices in VLAN 10 can ping devices in VLAN 20 and devices in VLAN 20 can ping devices in VLAN 10. This appears to be working only because the switch is the default gateway for those components.
No devices or servers in VLAN 1 can ping VLAN 10 or VLAN 20 components, and VLAN 10 and VLAN 20 components can not ping VLAN 1. I analyzed the ARP traffic on VLAN 1 and the switch is not responding with its own MAC address for requests for IPs for active devices connected to VLAN 10 or VLAN 20. The Cisco documentation says that the device should be responding and acting as a router.
I can not physically connect everthing on VLAN 1 directly to the switch, I can not make the switch the default gaeway for all devices on VLAN 1, and I can not create static routes directly to the VLAN 1 switch IP address for all devices that are part of VLAN 1, so I am stuck. I need the switch to let VLAN 1 components automatically know what is connected to VLAN 10 and VLAN 20.
I am willing to scrap this approach entirely if there is an easier way to do this. Put simply, I have a few devices in Subnet A that need to be isolated from Layer 2 & 3 traffic destined for a few devices in Subnet B, but I can't reconfigure my entire network to create these isolated broadcast domains.
I hope I understand this correctly. Here is an example:
Uknown device / ethernet connection
SF300 switch with 3 VLAN
1 - 192.168.1.254/24
10 - 192.168.2.254/24
20 - 192.168.3.254/24
The link between the "unknown device" needs to be configured as a trunk, likely 1u, 10t, 20t.
The default gateway for each device in each subnet is respective, meaning a device connecting to vlan 20, the gateway is 192.168.3.254, while a device in vlan 10, the gateway would be 192.168.2.254.
The switch would be configured with a global default gateway pointing to the "unknown device".
Now, the part that may be difficult. There are a few ideas we can do.
The first thing, you may be able to use protected port. If you have protected port enable on an interface, this device cannot communicate to other devices which are within a protected port. A device that is not in a protected port, can communicate to the device in the protected port.
The second approach which is more exact, you can make a few access lists to restrict the specific host IP to the specific destinations you have in mind then simply apply the ACL to the interfaces you don't want to be accessed by that host.
I hope I understand everything clearly and my example is okay for you.
Please mark answered for helpful posts
Thank you for the response. Let me be more precise using your example. VLAN 1 has ethernet traffic for both 192.168.1.0/24 and 192.168.2.0/24. VLAN 10 has a few devices with IP addresses within the 192.168.1.0/24 subnet. VLAN 20 has a few devices with IP addresses within the 192.168.2.0/24 subnet. I do not want Layer 2 network traffic between VLAN 1 and VLAN 10 to be visible on VLAN 20 and I do not want Layer 2 network traffic between VLAN 1 and VLAN 20 to be visible on VLAN 10.
I do not know whether 4 VLANS would be a better approach to try to tackle this problem.