Fully Isolated VLAN

Arashai
Level 1

Hi all, first time poster, long time lurker.

 

I have two vlans on a L3 switch (2960-XR w/IP Lite), one (vlan 10 - SVI: 10.1.1.250/24) that needs to be able to connect to others via EIGRP over VPLS, and one (vlan 20 - SVI: 10.2.2.250/24) that needs to be fully isolated because the IP range used is duplicated on the other switches as well and could cause duplicate IP issues.  Here is what I've tried:

 

  1. No IP on isolated SVI: This effectively prevents the subnet from showing in the routing table, but the software guys want to be able to ping the "gateway" to verify connectivity.
  2. Use loopback with ip 10.2.2.250 instead: Tested, but am unable to ping loopback from vlan 20 access port.
  3. VRF: 2960 does not support vrf =(
  4. Put a deny any any access list in place: prevents L3 traffic, but subnet still appears in routing table.  Also, see 5. 
  5. Simply don't advertise that subnet: the nature of the infrastructure requires a layer 2 trunk to the VPLS using SVIs rather than just having a 'no switchport' routed interface.  I'm a little paranoid that vlan 20 will leak out somehow, even if the trunk only allows vlan 10.  

Thanks in advance for your time.

 

~Chris

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame

Without VRF support you are going to have to just make sure EIGRP does not advertise the subnet. 

 

Or instead of having SVI have a host with the SVI IP the developers could use to test connectivity as they are not routing out of the vlan anyway. 

 

Perhaps someone else may be able to suggest something. 

 

Jon

8 Replies

Thanks for the suggestion, Jon. I will take this path, as they do have a server on vlan 20 they can use to test.

Hello,

 

just to clarify what you are trying to accomplish: the Vlan should not be reachable from anywhere, including from the same switch?

Hi Georg,

Correct. Ideally, I'd like to see vlan 20 not be reachable from even other interfaces in the same switch. No traffic in or out.

Hello,

 

so you have tried:

 

access-list 101 deny ip any any

 

interface Vlan20
ip access-group 101 in
ip access-group 101 out

 

What is the problem with the route still appearing in the routing table? To stop EIGRP from sending/receiving it, you could use a distribute list. Is that an option?
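One concrete way to combine the distribute list suggested in this reply with an SVI ACL that still lets the vlan 20 hosts ping their gateway, as an added example that is not from the original thread or any of its posters. The EIGRP AS number (100), the ACL names and the trunk port name are assumptions; the addresses are the ones from the question.

```ios
! Standard ACL used as an EIGRP distribute list for 10.2.2.0/24:
! "out" stops this switch advertising the vlan 20 subnet, "in" stops it
! learning the same (duplicated) range back from the other switches.
access-list 10 deny   10.2.2.0 0.0.0.255
access-list 10 permit any
!
! AS number 100 is an assumption. The network statement covers only the
! vlan 10 subnet, so Vlan20 is never an EIGRP interface, and it is made
! passive as well so no hellos are sent into the isolated vlan.
router eigrp 100
 network 10.1.1.0 0.0.0.255
 passive-interface Vlan20
 distribute-list 10 out
 distribute-list 10 in
!
! Router ACL on the SVI (name is an assumption): vlan 20 hosts may ping
! their gateway address and nothing else is routed into or out of the vlan.
! Echo replies generated by the switch itself are not subject to the
! outbound ACL, so the gateway ping still works.
ip access-list extended VLAN20-ISOLATE
 permit icmp 10.2.2.0 0.0.0.255 host 10.2.2.250 echo
 deny   ip any any
!
interface Vlan20
 ip address 10.2.2.250 255.255.255.0
 ip access-group VLAN20-ISOLATE in
 ip access-group VLAN20-ISOLATE out
!
! Trunk towards the VPLS (port name is an assumption): carry vlan 10 only.
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10
!
! Checks: "show ip protocols" lists the distribute lists under EIGRP,
! "show ip route" on a neighbouring switch should not contain 10.2.2.0/24,
! and "show ip access-lists VLAN20-ISOLATE" shows hit counts on the deny.
```

The "in" direction of the distribute list is what addresses the duplicate-range concern raised in the thread: even if another switch does advertise its copy of 10.2.2.0/24, this switch will not install it.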

Hi Georg,

Yes, I have considered that approach.

My concern is that there are dozens of other L3 switches in the network all carrying the same IP range and I'm trying to mitigate the risk of duplicate IPs being propagated throughout. I know that using a distribute list or just not advertising that network would potentially solve that problem, but I was hoping that a cleaner and perhaps more robust solution could be found.

~Chris

iashaan55
Level 1

Hello,

Where are the software guys located? In VLAN 20 or elsewhere?

 

Ashaan

Hi Ashaan,

Yes, their equipment is located within vlan 20.

~Chris