Solved: interface vlan network separation

chaname · ‎01-27-2023

As shown in the figure, three networks are configured.
I used the no ip routing command to prevent the 3 networks from communicating with each other.
However, I checked that pc1 communicates with 10.0.20.1 or 10.0.30.1, but communication with the client pc(x.x.x.2) is not possible.

What I want to do is to configure vlan 10 and vlan20 to communicate with each other and not communicate with vlan 30.
how can i do this?

~Saj~ · ‎01-27-2023

I see options to archive this use case.

1. Apply an ACL to Allow/Deny Traffic on the specified VLANs. ( eg: VLAN 10 allowed to VLAN 20 Deny to VLAN 30)

2. Use Private VLANs. VLAN 10 and 20 to be Community VLANs and VLAN 30 to be Isolated. https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/pvlans.html

View solution in original post

Joseph W. Doherty · ‎01-27-2023

"However, I checked that pc1 communicates with 10.0.20.1 or 10.0.30.1, but communication with the client pc(x.x.x.2) is not possible."

This because, I believe, all those .1 IPs are on the L3 switch.

"What I want to do is to configure vlan 10 and vlan20 to communicate with each other and not communicate with vlan 30.
how can i do this?"

As others have already noted, might be done with ACLs.

A possible alternative, if L3 switch supports VRF (including -Lite variant), place 10.0.30.0/24 network interface into a different VRF, re-enable routing.

10.0.10.0/24 and 10.0.20.0/24 should be able to fully intercommunicate, neither with 10.0.30.0/24. Further, you should discover pc1 can no longer communicate with 10.0.30.1.

View solution in original post

~Saj~ · ‎01-27-2023

I see options to archive this use case.

1. Apply an ACL to Allow/Deny Traffic on the specified VLANs. ( eg: VLAN 10 allowed to VLAN 20 Deny to VLAN 30)

2. Use Private VLANs. VLAN 10 and 20 to be Community VLANs and VLAN 30 to be Isolated. https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/pvlans.html

Karsten Iwen · ‎01-27-2023

You need ip routing enabled also if you just want "some" communication between the VLANs. The control of the communication is ideally done with ACLs. Either on the switch, or better on a connected firewall that has the IPs configured instead of the switch.

MHM Cisco World · ‎01-27-2023

referring to your previous post, You solve connect between two different subnet host with no ip routing , am I right ?
this was temporally solution, when you add more subnet to SW real issue appear again.
as I mention before, change the L3SW image, and you need to enable ip routing.

Joseph W. Doherty · ‎01-27-2023

"However, I checked that pc1 communicates with 10.0.20.1 or 10.0.30.1, but communication with the client pc(x.x.x.2) is not possible."

This because, I believe, all those .1 IPs are on the L3 switch.

"What I want to do is to configure vlan 10 and vlan20 to communicate with each other and not communicate with vlan 30.
how can i do this?"

As others have already noted, might be done with ACLs.

A possible alternative, if L3 switch supports VRF (including -Lite variant), place 10.0.30.0/24 network interface into a different VRF, re-enable routing.

10.0.10.0/24 and 10.0.20.0/24 should be able to fully intercommunicate, neither with 10.0.30.0/24. Further, you should discover pc1 can no longer communicate with 10.0.30.1.

chaname · ‎02-17-2023

Thanks for the reply.
That was very helpful.