04-29-2021 10:36 PM - edited 04-29-2021 10:38 PM
I'm not sure if the above diagram can work. The 3 switches are Cisco C9200L.
Our network is 192.168.1.0/24. Both the workstations and the servers cannot change IP address. All servers are connected to one switch, with a single uplink to the Cisco C9200.
I'm aware that PVLAN allows the same subnet but different VLANs, so there are 2 broadcast domains.
Q1: Can the promiscuous trunk port join the MLAG LACP as in the above diagram?
Q2: I want to allow certain IPs from VLAN10 to access the server farm. Which mode should I use for PVLAN, community or isolated?
Q3: Does the firewall need to support PVLAN and promiscuous trunk ports?
04-30-2021 01:36 AM
Hello
FYI, an isolated vlan/port won't be able to communicate with any other isolated port/vlan; only the promiscuous port/primary vlan can do this.
By default, pvlan community vlans/ports can communicate with other hosts in the same community vlan; however, if you wish community vlans to be able to reach another community vlan, then they both need to be mapped to the pvlan primary vlan routed interface.
However, as you want to allow certain hosts from within VLAN10 to access the server farm in the same vlan, this can be accomplished by using a vlan access-list without needing to implement pvlans.
How to deny two hosts from communicating with each other within the same vlan
Example –
! extended ACL: "permit" here only selects the traffic the access-map will act on
access-list 100 permit ip host 192.168.1.x host 192.168.1.y
access-list 100 permit ip host 192.168.1.y host 192.168.1.x
! sequence 10: drop the flows selected by ACL 100
vlan access-map vlan10 10
 match ip address 100
 action drop
! sequence 99: no match clause = everything else; forward is the default action
vlan access-map vlan10 99
 action forward
! apply the access-map to VLAN 10
vlan filter vlan10 vlan-list 10
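The answer's example blocks two hosts from each other; Q2 asked the reverse, restricting access to the server farm to a short list of workstations. The following is an added Cisco IOS configuration written for this thread, not the poster's or Cisco's own, and it assumes constructed addresses (servers 192.168.1.10 and 192.168.1.11, permitted workstations 192.168.1.100 and 192.168.1.101) plus a platform that supports VLAN access-maps as used above. Access-map sequences are evaluated in order and the first match wins, so the "allowed" sequence must precede the "drop" sequence, and a final catch-all sequence with no match clause is needed because a VLAN access-map drops anything no sequence matches.

```cisco
! Flows that are allowed: permitted workstations -> server farm
! (all addresses below are constructed placeholders)
ip access-list extended VLAN10-TO-SERVERS-ALLOWED
 permit ip host 192.168.1.100 host 192.168.1.10
 permit ip host 192.168.1.100 host 192.168.1.11
 permit ip host 192.168.1.101 host 192.168.1.10
 permit ip host 192.168.1.101 host 192.168.1.11
!
! Any other IP traffic addressed to the server farm
ip access-list extended VLAN10-TO-SERVERS-ANY
 permit ip any host 192.168.1.10
 permit ip any host 192.168.1.11
!
! Sequence 10: forward the approved workstation -> server flows
vlan access-map VLAN10-SERVERS 10
 match ip address VLAN10-TO-SERVERS-ALLOWED
 action forward
! Sequence 20: drop every other flow towards the servers
vlan access-map VLAN10-SERVERS 20
 match ip address VLAN10-TO-SERVERS-ANY
 action drop
! Sequence 30: catch-all, otherwise the implicit deny at the end of the
! access-map would drop ARP, DHCP, server replies and all other VLAN 10 traffic
vlan access-map VLAN10-SERVERS 30
 action forward
!
! Apply the access-map to VLAN 10 (bridged traffic within the VLAN)
vlan filter VLAN10-SERVERS vlan-list 10
```

Server-to-workstation replies have the server as source and a workstation as destination, so they never match VLAN10-TO-SERVERS-ANY and fall through to sequence 30. Use show vlan access-map and show vlan filter to confirm the map and its binding after applying it.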
04-30-2021 07:38 PM
Thank you Paul