08-17-2014 10:11 AM
I have a Cisco SG300 switch configured in L3 mode. I configured two VLANs and everything seems to be working fine. The switch adds an IPv4 directly connected route the moment I add an IP address to the VLAN. The problem is by default systems in these two VLANs are able to communicate with each other through these directly connected routes which I'm not able to remove. While I can block them using access lists, I want the default behavior to block communication between VLANs until I explicitly configure otherwise. How do I achieve this?
08-18-2014 11:22 AM
I went looking for an answer to the same question a while back.
To my knowledge, the only way is to use ACLs.
Also, something else to be aware of:
the use of ACLs is the only way to prevent access to the mgmt interfaces.
The mgmt interfaces are exposed on each IP assigned to an interface.
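As an added example (not from the thread and not Cisco's own documentation), here is what the ACL approach the reply describes looks like in Sx300-style CLI syntax. Every value in it is an assumption chosen for illustration: VLAN 10 on 192.168.10.0/24 with SVI 192.168.10.1, VLAN 20 on 192.168.20.0/24 with SVI 192.168.20.1, an admin workstation at 192.168.10.50, and the ACL names VLAN10-IN and VLAN20-IN. It also covers the management point the reply raises: because the switch answers management traffic on every SVI address, the same inbound ACL is where you decide which hosts may reach those addresses.

```cisco
! Added example, not from the thread or Cisco docs. Assumed addressing:
!   VLAN 10 = 192.168.10.0/24 (SVI 192.168.10.1)
!   VLAN 20 = 192.168.20.0/24 (SVI 192.168.20.1)
!   Assumed admin host in VLAN 10: 192.168.10.50
configure
ip access-list extended VLAN10-IN
 ! Only the admin host may reach the switch's own SVI addresses (management plane).
 permit ip 192.168.10.50 0.0.0.0 192.168.10.1 0.0.0.0
 permit ip 192.168.10.50 0.0.0.0 192.168.20.1 0.0.0.0
 ! Every other VLAN 10 host is kept off the management addresses...
 deny ip 192.168.10.0 0.0.0.255 192.168.10.1 0.0.0.0
 deny ip 192.168.10.0 0.0.0.255 192.168.20.1 0.0.0.0
 ! ...and off VLAN 20 entirely. The directly connected route still exists,
 ! but traffic from VLAN 10 can no longer use it.
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 ! The ACL ends with an implicit deny, so everything else (e.g. traffic
 ! following the default route out of the network) must be permitted explicitly.
 permit ip any any
exit
! ACLs on this platform are applied inbound; bind it to the VLAN interface.
interface vlan 10
 service-acl input VLAN10-IN
exit
! Mirror the policy on VLAN 20 so the isolation holds in both directions.
ip access-list extended VLAN20-IN
 deny ip 192.168.20.0 0.0.0.255 192.168.20.1 0.0.0.0
 deny ip 192.168.20.0 0.0.0.255 192.168.10.1 0.0.0.0
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
exit
interface vlan 20
 service-acl input VLAN20-IN
exit
end
```

Two points worth checking after applying it: the ACEs are evaluated in order, so the admin-host permits must stay above the subnet-wide denies; and denying packets addressed to the SVI IP only blocks management access and pings to the gateway, not routing through it, since routed packets carry the remote host's address as their destination. Binding to a VLAN interface assumes the firmware offers VLAN-level ACL binding; on firmware that only binds to ports, apply the same ACL inbound on the access ports of that VLAN instead. `show access-lists` lists the ACEs so you can confirm the order before testing from a host in each VLAN.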
08-18-2014 07:31 PM
There is another possible way, now that Private VLAN has been added in the newest firmware, 1.4.0.88.
Prior to this, all we had was PVE - Private VLAN Edge (aka Protected Port).
Here is a good article on the two features:
Comparing PVLAN to PVLAN Edge
http://www.packetu.com/2012/10/23/comparing-pvlan-to-pvlan-edge/
Here is a follow-up article focused on using it in an L3 scenario:
Understanding the PVLAN Promiscuous Trunk Feature for Routing on a Stick
08-19-2014 08:35 AM
After playing with the new firmware, 1.4.0.88, in L3 mode,
it doesn't look like the PVLAN is going to do what you want.
Here is a Cisco article on the topic:
Private VLANs (PVLANs) - Promiscuous, Isolated, Community
PVLANs provide Layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:
08-21-2014 10:47 PM
Hi,
This is just as it is supposed to be, as a layer 3 switch is not exactly the same as a firewall. All directly connected interfaces have such a route entry.
There are several ways to implement it. It all really depends on your current and future network topology and very much on the traffic pattern. I would really advise you to call the Cisco Small Business Support team and work with one of the engineers directly:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Regards,
Aleksandra