
A question about VLANs

raoul2341
Level 1

Hello Gurus,

This is my question:

I have created a VLAN 20 on a Cisco switch. This VLAN will be used for devices that will have IP addresses in the range, say, 192.168.10.0/24, and I want these devices to communicate amongst each other BUT

1. they cannot communicate with any other VLAN, and

2. no other VLAN devices can access the new VLAN devices.

If I don't create an interface VLAN for the new VLAN 20, would this do the trick, and will any broadcast sent from this VLAN stay within the VLAN?

If I create an interface VLAN, would the following ACL:

Extended IP access list 100

     deny ip any any

interface Vlan20
ip address 192.168.10.1 255.255.255.0
ip access-group 100 in

also work, and would any broadcast stay within the VLAN?

Thanks for your help

Raoul

4 Replies

cadet alain
VIP Alumni

Hi,

I have created a VLAN 20 on a Cisco switch. This VLAN will be used for devices that will have IP addresses in the range, say, 192.168.10.0/24, and I want these devices to communicate amongst each other BUT

1. they cannot communicate with any other VLAN, and

2. no other VLAN devices can access the new VLAN devices.

For question 1: if you don't use routing, either with an external router or SVIs for each VLAN, then one host in a VLAN can only communicate with hosts in the same VLAN.

A VLAN is a broadcast domain so broadcasts stay in the same VLAN.

For question 2, you mean in the same VLAN? If so, then you can use private VLANs, protected ports, or a VACL.

Regards.

Alain

Don't forget to rate helpful posts.
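As an added example (not configuration from the thread or from either poster), here is the Layer 2-only setup Alain's answer describes: VLAN 20 exists on the switch, the access ports are assigned to it, and no SVI is created, so the switch has no Layer 3 path into or out of the VLAN. The VLAN name and interface numbers are assumptions for illustration.

```cisco
! Added example: VLAN 20 as a pure Layer 2 broadcast domain with no SVI.
! VLAN name and interface numbers are assumed for illustration.
vlan 20
 name APP-SERVERS
!
! Access ports for the isolated devices (assumed ports Gi1/0/10-12)
interface range GigabitEthernet1/0/10 - 12
 description App server, VLAN 20 only
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Deliberately NO "interface Vlan20" here: without an SVI (or an external
! router with a leg in VLAN 20) there is no Layer 3 hop out of the VLAN,
! so hosts in 192.168.10.0/24 can only reach each other, and broadcasts
! stay inside the VLAN because a VLAN is one broadcast domain.
!
! Verification (exec mode):
!   show vlan brief                                   -> VLAN 20 active, Gi1/0/10-12 listed
!   show ip interface brief | include Vlan20          -> no output: no SVI exists
!   show interfaces GigabitEthernet1/0/10 switchport  -> Access Mode VLAN: 20
```

The verification commands are the quick check that nothing routed exists for the VLAN: if `show ip interface brief` ever lists a `Vlan20` line, someone has created the SVI and the isolation described in the answer no longer holds.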

IAN WHITMORE
Level 4

The answer to your first question is yes. That will do the trick.

Remember IP is layer 3 so you will effectively block all layer 3 IP (including broadcasts) but not layer 2.

What exactly are your design goals here?

Laters,

Ian

Many thanks for your replies. It is just that I have a new set of application servers that need to be separate from any existing VLAN; when connected to the network, they created havoc on the network due to a broadcast storm.

Well, if they are application servers, users will need access, so you will need routing I assume. But the routing interface is the boundary for broadcasts anyway, so if they were in a different VLAN that shouldn't affect the rest of the network unless it sends the CPU to 99%.

Really, to stop a broadcast storm ACROSS VLANs you shouldn't need to do anything at layer 3, because the routing interface will stop it anyway. So it sounds like it should be another problem... are they Microsoft servers with teaming? That can cause layer 2 issues because of the virtual MAC address that MS uses, but there are workarounds/fixes.

More investigation needed.

Regards,
Ian
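As an added example, not configuration from the thread or from either poster, here is the routed alternative from Raoul's second question: VLAN 20 gets an SVI, and a deny-all ACL is applied both inbound (VLAN 20 hosts cannot reach other VLANs through the gateway) and outbound (other VLANs cannot be routed into VLAN 20); the snippet in the question applied the deny inbound only, so the outbound direction is an assumption added here. Traffic between two VLAN 20 hosts is switched at Layer 2 and never passes the SVI, so the ACL does not affect it, and broadcasts stop at the SVI as Ian describes. Storm control on the access ports is the usual Layer 2 mitigation for the broadcast storm Raoul mentions; the ACL name, interface numbers and the 1% threshold are assumptions.

```cisco
! Added example: VLAN 20 with an SVI whose ACL blocks routed traffic in BOTH
! directions, plus storm control on the access ports. ACL name, interface
! numbers and the storm-control threshold are assumed for illustration.
vlan 20
 name APP-SERVERS
!
! Named extended ACL: nothing is routed into or out of VLAN 20.
! Host-to-host traffic inside VLAN 20 is Layer 2 switched and never hits it.
ip access-list extended VLAN20-NO-ROUTING
 deny ip any any
!
interface Vlan20
 ip address 192.168.10.1 255.255.255.0
 ! "in": packets from VLAN 20 hosts trying to leave the VLAN via the gateway
 ip access-group VLAN20-NO-ROUTING in
 ! "out": packets from other VLANs being routed into VLAN 20
 ip access-group VLAN20-NO-ROUTING out
!
! Access ports: cap broadcast at 1% of link bandwidth (assumed threshold)
! and send an SNMP trap when it is exceeded. "storm-control action shutdown"
! err-disables the port instead, which is stricter but needs errdisable recovery.
interface range GigabitEthernet1/0/10 - 12
 switchport mode access
 switchport access vlan 20
 storm-control broadcast level 1.00
 storm-control action trap
!
! Verification (exec mode):
!   show ip access-lists VLAN20-NO-ROUTING            -> match counter grows on denied packets
!   show ip interface Vlan20 | include access list    -> both inbound and outgoing ACLs shown
!   show storm-control broadcast                      -> current broadcast level per port
```

If no routing into or out of VLAN 20 is wanted at all, the thread's first answer (simply not creating the SVI) achieves the same result with nothing to maintain; the ACL form is useful when the SVI has to exist for some other reason, and the storm-control lines are worth keeping in either design because they act on the Layer 2 broadcast rate that an ACL on the SVI never sees.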
