Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1249
Views
0
Helpful
3
Replies

4948 isolated vlan with no routing

Go to solution
nate faulds
Level 1
Level 1

‎12-20-2020 10:49 PM

I'm not sure if the tital is correct but essentially I have my 4948 as a core switch which has a layer 3 interface to my router and all of that works great HOWEVER. I need to configure a way to have 1 vlan on my core and the 2960s trunked to it to have an isolated and non routed vlan so essentially function only as a layer 2 to layer 2 so it doesn't try to go out my default route.

 

I'm trying to do this because I recently rewired some things to my crawl space and I have a third switch for all of my wall outlet communication that was on a network directly hanging off of my router so basically I need to make a non routed isolated vlan on both my 4948 and 2960s so I can go from router port to assigned vlan access port on my core to get to the third switch hanging off of my 2960s also as an access port. I have DHCP running on the router and some other things so migrating to a different subnet and config isn't on the table at the moment.

 

Basically right now I have vlan 99 trunked from my core to my idf (2960s) and the trunk works fine but no communication is happening from devices attached to the access ports. Anything additional I should configure on either switch to make this work? I have my vlan 99 setup as isolated private vlan.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
pieterh
VIP
VIP

‎12-21-2020 03:17 AM

- create a separate normal VLAN
- do NOT configure an IP-address (SVI) on this vlan
 then this vlan has no L3 connectivity with other vlans (even when it traverses the trunk)
=> thats all ! 

when you use private vlans then your configuration is more complicated,
a single private vlan is not enough, 'NB! private vlans are unidirectional when you use with an uplink !
- you need a private vlan for communication TO the uplink
- and another private vlan FROM the uplink down to the ports
- and combine these vlans to work together to provide two-way communication

View solution in original post

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎12-21-2020 07:25 AM

Pieterh provides the solution, i.e. just don't have a SVI for the separate VLAN so your core L3 switch will not be able to route its traffic, anywhere.

Other solutions, that would still permit routing, but control where this "isolated" VLAN traffic might flow to/from include having ACL(s) on the SVI that blocks traffic to/from disallowed networks.  (With ACLs, you can also be selective in the "kinds" of traffic permitted, or not.)  Or, setup your "isolated" VLAN's SVI to be in a different VRF (if supported on your 4948) from your other VLAN(s).  The advantage of the VRF, it allows a "separate" L3 domain (much like VLANs provide "separate" L2 domains), so you could have multiple VLANs in it, again, by default, "isolated" from you other VLAN(s).  BTW, it's possible to pass traffic between VRFs, but something you have to work to achieve.

BTW, private VLANs are generally used to block traffic between "normal" hosts within the same VLAN.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
pieterh
VIP
VIP

‎12-21-2020 03:17 AM

- create a separate normal VLAN
- do NOT configure an IP-address (SVI) on this vlan
 then this vlan has no L3 connectivity with other vlans (even when it traverses the trunk)
=> thats all ! 

when you use private vlans then your configuration is more complicated,
a single private vlan is not enough, 'NB! private vlans are unidirectional when you use with an uplink !
- you need a private vlan for communication TO the uplink
- and another private vlan FROM the uplink down to the ports
- and combine these vlans to work together to provide two-way communication

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎12-21-2020 07:25 AM

Pieterh provides the solution, i.e. just don't have a SVI for the separate VLAN so your core L3 switch will not be able to route its traffic, anywhere.

Other solutions, that would still permit routing, but control where this "isolated" VLAN traffic might flow to/from include having ACL(s) on the SVI that blocks traffic to/from disallowed networks.  (With ACLs, you can also be selective in the "kinds" of traffic permitted, or not.)  Or, setup your "isolated" VLAN's SVI to be in a different VRF (if supported on your 4948) from your other VLAN(s).  The advantage of the VRF, it allows a "separate" L3 domain (much like VLANs provide "separate" L2 domains), so you could have multiple VLANs in it, again, by default, "isolated" from you other VLAN(s).  BTW, it's possible to pass traffic between VRFs, but something you have to work to achieve.

BTW, private VLANs are generally used to block traffic between "normal" hosts within the same VLAN.

0 Helpful

Go to solution
nate faulds
Level 1
Level 1
In response to Joseph W. Doherty

‎12-21-2020 05:37 PM

Okay perfect that was my original config and still is minus the private vlan option in the vlan database and it doesn't seem to be working BUT I think I found the actual issue and that's totally on me as well lol.

 

I forgot to make a crossover for the switch hanging off of my IDF switch which is causing the packets to drop at the router since it's not actually active on the vlan. lol slight embarrassment but thank you for the help on this!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card