1269 Views, 5 Helpful, 1 Reply

vlans traffic separation

s sa
Level 1

Hello, I have a SF 300-08 switch.

I want to configure 3 ports:

port 1 in VLAN ID 100, port 2 in VLAN ID 200, port 3 connected to a gateway.

I want all the traffic going from port 1 and port 2 to port 3 to be tagged with their VLAN ID, so that at port 3 I can separate the traffic of VLAN 100 and VLAN 200.

Also, I don't want communication between the 2 VLANs.

attached is a picture of the scenario

1 Reply

Tom Watts
VIP Alumni

Hi s_sa, you may try to make ports 1 and 2 protected ports. Any port which is a protected port can't communicate with any other port but the upstream (port 3 uplink). This is not prohibiting inter-VLAN communication, but if your scenario is as simplified as the diagram, then this is a working solution, since ports 1 and 2 won't talk to each other but they will both talk to the port 3 subnet, and the port 3 subnet will talk to both of them.

If that is not sufficient, you need to build an ACL for this and apply it to each affected port. Keep in mind, the ACL is INGRESS only. Here is an example:

First navigate to Access Control -> IPV4 Based ACL

Next, click the IPv4-Based ACE Table and add a rule; in my example, deny 192.168.1.0 to 192.168.2.0. This means all INBOUND traffic where this ACL is applied will block 192.168.1.0 traffic to 192.168.2.0, but 192.168.2.0 INBOUND to 192.168.1.0 is NOT blocked. Also note the priority: I use increments of 10 so I may add needed rules in between. Please note you will need a permit any, any ACE rule, as all access lists have an explicit deny all (which you can't see).

Lastly, apply this to the desired interface

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
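The two behaviours Tom describes (protected ports isolating port 1 from port 2 but not stopping inter-VLAN traffic that goes via the gateway, and an ingress-only ACL that blocks one direction and silently drops everything not covered by a permit any, any ACE) are easy to get wrong when clicking through the GUI. The following Python model is an added example, not Cisco code and not a simulation of the SF300 firmware: it applies the forwarding rules stated in the thread to the three-port scenario so the asymmetry can be checked before touching the switch. The /24 masks, the port names fa1 to fa3 and the host addresses are assumptions for illustration; the page only gives 192.168.1.0 and 192.168.2.0.

```python
"""Model of the SF300 forwarding rules described in the thread (added example,
not vendor code): protected-port isolation plus an ingress-only IPv4 ACL with
first-match-by-priority semantics and the invisible implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # source network the ACE matches
    dst: ipaddress.IPv4Network    # destination network the ACE matches
    priority: int                 # lower value is evaluated first (GUI "Priority")


@dataclass
class Port:
    name: str
    vlan: int
    protected: bool = False
    # None means no ACL bound; a bound ACL is evaluated on INBOUND traffic only
    ingress_acl: Optional[List[Ace]] = None


def acl_permits(acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """First ACE (by priority) whose networks contain src and dst decides.
    No match falls through to the implicit deny-all the GUI does not show."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in sorted(acl, key=lambda a: a.priority):
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def forward_allowed(ingress: Port, egress: Port, src_ip: str, dst_ip: str) -> bool:
    """Decide whether a packet entering on `ingress` may leave on `egress`."""
    # Protected ports: two protected ports never exchange traffic; a protected
    # port and an unprotected (uplink) port may.
    if ingress.protected and egress.protected:
        return False
    # The ACL is consulted only on the port where the packet arrives.
    if ingress.ingress_acl is not None and not acl_permits(ingress.ingress_acl, src_ip, dst_ip):
        return False
    return True


def deny_between(src_net: str, dst_net: str, include_permit_any: bool = True) -> List[Ace]:
    """Build the ACL from the thread: deny src_net -> dst_net at priority 10,
    optionally followed by the permit any, any ACE at priority 20."""
    aces = [Ace("deny", ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net), 10)]
    if include_permit_any:
        aces.append(Ace("permit", ANY, ANY, 20))
    return aces


def scenario(acl1=None, acl2=None, protected=False):
    """Three ports from the question: fa1 in VLAN 100, fa2 in VLAN 200,
    fa3 the uplink to the gateway (assumed names; never protected)."""
    return {
        "fa1": Port("fa1", 100, protected, acl1),
        "fa2": Port("fa2", 200, protected, acl2),
        "fa3": Port("fa3", 1),
    }


def check(ports, ingress: str, egress: str, src_ip: str, dst_ip: str) -> bool:
    return forward_allowed(ports[ingress], ports[egress], src_ip, dst_ip)


if __name__ == "__main__":
    V100, V200 = "192.168.1.0/24", "192.168.2.0/24"   # assumed masks
    h1, h2, internet = "192.168.1.10", "192.168.2.10", "203.0.113.10"  # constructed hosts

    p = scenario(protected=True)
    print("protected: fa1->fa2 direct ", check(p, "fa1", "fa2", h1, h2))   # False
    print("protected: fa1->gateway    ", check(p, "fa1", "fa3", h1, h2))   # True, so inter-VLAN via gateway still works

    p = scenario(acl1=deny_between(V100, V200))
    print("acl on fa1: v100->v200     ", check(p, "fa1", "fa3", h1, h2))   # False
    print("acl on fa1: v200->v100     ", check(p, "fa2", "fa3", h2, h1))   # True, reverse direction not blocked
    print("acl on fa1: v100->internet ", check(p, "fa1", "fa3", h1, internet))  # True thanks to permit any, any

    p = scenario(acl1=deny_between(V100, V200, include_permit_any=False))
    print("no permit any: v100->internet", check(p, "fa1", "fa3", h1, internet))  # False, implicit deny

    p = scenario(acl1=deny_between(V100, V200), acl2=deny_between(V200, V100))
    print("mirrored acl: v200->v100   ", check(p, "fa2", "fa3", h2, h1))   # False
```

Running the block prints the five decisions; the useful reading is the middle pair: with the ACL bound only to port 1, the 192.168.2.0 side can still initiate traffic toward 192.168.1.0, so a second, mirrored ACL on port 2 is what actually enforces "no communication between the 2 VLANs" at the switch.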