04-20-2017 02:36 PM - edited 03-08-2019 10:16 AM
Hi all,
I have a question that may seem dumb to the engineers in this forum. However, if possible, do answer....
In the topology below I have to make sure PC0 does not communicate with PC1 and PC2 does not communicate with PC3.
But PC2 should talk to PC1 and PC0 to PC3 respectively (without using an access list).
We are running OSPF between routers.
04-21-2017 04:41 AM
Hey
Out of interest, why wouldn't you use an ACL?
There is another way but it's more complicated: a private VLAN setup,
or protected ports as an option may be a good choice, as they can't talk to each other on the same switch but they can speak to the same subnet on other switches.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011101.html
http://blog.ine.com/2008/01/31/understanding-private-vlans/
04-21-2017 01:39 PM
I tried PVLAN but PC1 is pinging PC2 and PC3.....
04-23-2017 06:35 AM
With a routed link on the serial connection running OSPF I am not sure that there is a way to achieve the restriction on which PC communicates with which PC that does not use access lists. So I will repeat Mark's question: why are you excluding access lists from the options?
HTH
Rick
04-23-2017 08:42 PM
Thanks Richard for the reply.
Actually I am using customized routers and switches.... :(
So we don't have any option for using ACLs.... (my bad).
04-23-2017 10:01 PM
If your devices don't have an ACL option, they hardly have other options like VRF, but if they support VRF you can use it and separate your network with VRFs, or you can use several OSPF processes, with each connection in its own OSPF.
04-24-2017 05:36 AM
As nurbol555 has noted, w/o ACLs, this might be accomplished by having the devices in different routing domains, either using multiple OSPF processes or VRFs. You can then control what device can reach another by what routing information is shared between your routing domains.
04-24-2017 05:46 AM
Joseph suggests techniques that would typically be considered, including multiple OSPF processes to separate the traffic. But with a serial link connecting the routers, how do you use multiple OSPF processes? That serial link can operate in only one OSPF process. And how could we use VRFs on that single routed link?
HTH
Rick
04-25-2017 02:46 AM
Rick, excellent question!
How about using technology that allows multiple IPs across a serial link? GRE tunnels first come to mind. You might also be able to run L2TPv3, MPLS, frame-relay encapsulation, etc.
04-25-2017 04:52 AM
Oh, forgot to mention, another approach would be to place the serial link in its own routing domain. As such, you would redistribute into it all the other routing domains routes, but the other routing domains would only contain "their" routes.
04-25-2017 09:08 PM
Thanks a lot for all your replies...
What if I change the serial interface to an Ethernet interface..... will there be a few more options in that case...???
Is it possible to do with VLANs..... I have to segregate the data traffic from the management traffic.
04-26-2017 06:17 AM
Changing the connection between routers to Ethernet may have some interesting possibilities. I am still concerned about what kind of devices these are and what capabilities they have. If they do not have the ability to do access lists, can we be sure that they have the capability to do VLAN subinterfaces and to run multiple instances of a routing protocol?
If these were normal routers then you might be able to configure two VLAN subinterfaces on the connection between the routers. Then you would run an instance of OSPF on the VLANs where PC2 and PC1 are and on one of the subinterface VLANs on the router (perhaps ospf 21), and you would run another instance of OSPF on the VLANs where PC3 and PC0 are and the other VLAN subinterface (perhaps ospf 30). That would allow the communication that you want.
HTH
Rick
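The following is an added configuration sketch, not posted by Rick or anyone else in this thread, showing the two-subinterface, two-OSPF-process idea from the post above on Router A; the same layout also applies to Joseph's GRE-tunnel suggestion for a serial link by swapping the dot1Q subinterfaces for two Tunnel interfaces. It assumes hypothetical addressing (PC0 in VLAN 10, PC1 in VLAN 11 behind Router A; PC2 in VLAN 12, PC3 in VLAN 13 behind Router B; inter-router link on Gi0/1) and places each OSPF process in its own VRF, because two OSPF processes sharing the global routing table would still let the router forward between the directly connected PC0 and PC1 subnets.

```cisco
! Router A (hypothetical addressing). Older IOS uses "ip vrf NAME" and
! "ip vrf forwarding NAME" instead of the vrf definition/forwarding forms below.
vrf definition PAIR21
 description PC1 <-> PC2 domain
 address-family ipv4
 exit-address-family
!
vrf definition PAIR30
 description PC0 <-> PC3 domain
 address-family ipv4
 exit-address-family
!
! LAN side: trunk to the switch, one subinterface per PC VLAN.
! "vrf forwarding" must precede "ip address"; applying it clears the address.
interface GigabitEthernet0/0.11
 description PC1 subnet
 encapsulation dot1Q 11
 vrf forwarding PAIR21
 ip address 10.0.11.1 255.255.255.0
!
interface GigabitEthernet0/0.10
 description PC0 subnet
 encapsulation dot1Q 10
 vrf forwarding PAIR30
 ip address 10.0.10.1 255.255.255.0
!
! Inter-router Ethernet link: one subinterface per routing domain.
interface GigabitEthernet0/1.21
 encapsulation dot1Q 21
 vrf forwarding PAIR21
 ip address 10.0.21.1 255.255.255.252
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 vrf forwarding PAIR30
 ip address 10.0.30.1 255.255.255.252
!
! One OSPF process per VRF; no route leaking between them.
router ospf 21 vrf PAIR21
 network 10.0.11.0 0.0.0.255 area 0
 network 10.0.21.0 0.0.0.3 area 0
!
router ospf 30 vrf PAIR30
 network 10.0.10.0 0.0.0.255 area 0
 network 10.0.30.0 0.0.0.3 area 0
!
! Router B mirrors this: Gi0/0.12 (PC2) in PAIR21, Gi0/0.13 (PC3) in PAIR30,
! Gi0/1.21 = 10.0.21.2/30, Gi0/1.30 = 10.0.30.2/30, matching network statements.
```

To confirm the separation, "show ip route vrf PAIR21" on either router should list only the PC1 and PC2 subnets, and "show ip route vrf PAIR30" only PC0 and PC3.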
04-27-2017 03:51 PM
Richard.... yes, we don't have the option of ACLs.... at least not now....
But what you have mentioned I can try and see if it works for me..... Please, if possible, can you provide me some more information or an example to use the above information practically.....
It will be a really great help....!!!!
Thank you so much..... for all the replies....
04-23-2017 11:24 PM
Switches have the ability to do PVLANs but not ACLs? What exactly are these devices?
You don't have many options left, as you can't route-filter within the same LSDB in OSPF at layer 3. Can you change the IGP and use something else, or use statics with BGP? You could filter then at the router level.
04-24-2017 05:43 AM
It seems to me that private VLANs might be a solution for controlling what device talks to what device for traffic on a switch. But I see the major issue being what you do to control traffic that is sent over the routed serial link connecting the two. How would a private VLAN interact with the routed link without using access lists?
I agree that this seems a very strange situation and we need the original poster to clarify what these switches and routers really are.
HTH
Rick