02-17-2011 02:56 AM - edited 03-06-2019 03:36 PM
Hello Gurus,
This is my question:
I have created a VLAN 20 on a Cisco switch. This VLAN will be used for devices that will have IP addresses in the range, say, 192.168.10.0/24, and I want these devices to communicate amongst each other, BUT
1. they cannot communicate with any other VLAN, and
2. no other VLAN devices can access the new VLAN devices.
If I don't create an interface VLAN for the new VLAN 20, would this do the trick, and will any broadcast sent from this VLAN stay within the VLAN?
If I create an interface VLAN, would the following ACL work:
! extended ACL 100 as configured (the original showed the "show access-list" form)
access-list 100 deny ip any any
!
interface Vlan20
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
Would this also work, and would any broadcast stay within the VLAN?
Thanks for your help
Raoul
02-17-2011 03:04 AM
Hi,
I have created a VLAN 20 on a Cisco switch. This VLAN will be used for devices that will have IP addresses in the range, say, 192.168.10.0/24, and I want these devices to communicate amongst each other, BUT
1. they cannot communicate with any other VLAN, and
2. no other VLAN devices can access the new VLAN devices.
For question 1: if you don't use routing, either with an external router or with SVIs for each VLAN, then one host in a VLAN can only communicate with hosts in the same VLAN.
A VLAN is a broadcast domain, so broadcasts stay in the same VLAN.
For question 2, do you mean in the same VLAN? If so, then you can use private VLANs, protected ports, or a VACL.
Regards.
Alain
02-17-2011 03:37 AM
The answer to your first question is yes. That will do the trick.
Remember IP is layer 3, so you will effectively block all layer 3 IP (including broadcasts) but not layer 2.
What exactly are your design goals here?
Laters,
Ian
02-17-2011 04:52 AM
Many thanks for your replies. It is just that I have a new set of application servers that needs to be separate from any existing VLAN; when connected to the network, it created havoc on the network due to a broadcast storm.
02-17-2011 06:27 AM
Well, if they are application servers, users will need access, so you will need routing, I assume. But the routing interface is the boundary for broadcasts anyway, so if they were in a different VLAN that shouldn't affect the rest of the network unless it sends the CPU to 99%.
Really, to stop a broadcast storm ACROSS VLANs you shouldn't need to do anything at layer 3, because the routing interface will stop it anyway. So it sounds like it should be another problem... are they Microsoft servers with teaming? That can cause layer 2 issues because of the virtual MAC address that MS uses, but there are workarounds/fixes.
More investigation needed.
Regards,
Ian
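A worked switch configuration for the isolation discussed in this thread, added here as an example and not taken from any of the posters. It assumes the servers sit on Gi1/0/1-2, users live in VLAN 10 (192.168.1.0/24), and the switch itself does the routing; it also shows why an "in" ACL on the SVI alone does not stop traffic routed into VLAN 20.

```cisco
! Added example, not from the thread. Assumed: servers on Gi1/0/1-2,
! users in VLAN 10 (192.168.1.0/24), switch is the router.
vlan 20
 name APP-SERVERS
!
! Per-port storm control caps the broadcast flood a misbehaving server
! can emit before it ever reaches the rest of the VLAN.
interface range GigabitEthernet1/0/1 - 2
 switchport mode access
 switchport access vlan 20
 storm-control broadcast level 1.00
 storm-control action trap
 spanning-tree portfast
!
! Option A: no SVI for VLAN 20 at all. Nothing routes in or out, the
! servers talk only to each other, broadcasts stay inside VLAN 20.
! (Simply omit "interface Vlan20".)
!
! Option B: SVI plus ACLs in BOTH directions, so users can reach the
! servers while every other VLAN is kept out.
ip access-list extended VLAN20-IN
 remark packets from the servers toward the rest of the network
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended VLAN20-OUT
 remark packets routed INTO VLAN 20; an "in" ACL does not see these
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip any any log
!
interface Vlan20
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN20-IN in
 ip access-group VLAN20-OUT out
```

With only "deny ip any any" applied inbound, as in the original question, a host in another VLAN can still send packets into 192.168.10.0/24 (only the replies are dropped); the outbound ACL closes that gap, and the log keyword gives the hits you would want to see when verifying the isolation.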