Solved: isolate single VLAN on L3 switch

robertlbarnett1 · ‎04-22-2016

Would like to start with a thank for any help that can be provided. I am looking for some guidance for proper configuration. FYI this is a home lab and not production environment so no concerns for users being impacted.

Overview:

I have a 3750 with IP routing enabled. I have 5 vlans and currently all 5 VLANs are passing traffic across the routing interface. I want 4 of the 5 vlans to continue using the routing interface and routing between these 4 vlans is ok for now. I understand that I will need ACL to limit these 4 vlans from talking to each other.

The 5^th VLAN I would like to isolate from all other VLANs as well as the IP routing interface. This 5^th VLAN needs to be a simple L2 network and will have a upstream device connected to the 5^th VLAN. This upstream device will be the default route for the nodes on this 5^th VLAN.

Example of goal:

Interface VLAN 1 – 10.1.0.1/24 (10.1.0.1 Default GW for VLAN 1 devices)

Interface VLAN 2 – 10.2.0.1/24 (10.2.0.1 Default GW for VLAN 2 devices)

Interface VLAN 3 – 10.3.0.1/24 (10.3.0.1 Default GW for VLAN 3 devices)

Interface VLAN 4 - 10.4.0.1/24 (10.4.0.1 Default GW for VLAN 4 devices)

Interface VLAN 5 – 10.5.0.1/24 (10.5.0.254 Default GW for VLAN 5 devices)

IP routing interface 192.168.0.2 /24

IP route 0.0.0.0 0.0.0.0 192.168.0.1

VLAN 1-4 continue using routing interface and can talk to each other

VLAN 5 cannot talk to other VLANs and cannot use routing interface

VLAN 5 will have load balancer attached and LB LAN 10.5.0.254 and VIPs on 192.168.0.0/24

VLAN 5 devices will have 10.5.0.254 as default GW

Load balancer has static routes to send traffic for VLAN 1-4 to 192.168.0.2

If VLAN 1-4 needs to talk to VLAN 5 servers then it will use a 192.168.0.1 address going out the IP routed interface, hit a firewall and be sent to the load balancer vip address. Load balancer will then follow its ruleset and push traffic to the corresponding 10.5.0.0 address.

Thoughts:

Should I just remove the Interface VLAN 5 so it does not have a IP address on the switch, will this break all inter vlan routing for VLAN 5 and isolate VLAN 5?

Should I do this all through ALCs?

Does private VLAN need to be used, just saw something about it and not up to speed on this feature?

Any other thoughts?

Thanks in advance for any help.

acampbell · ‎04-22-2016

Hi Robert,

In my opinion I would keep it simple and do what you said in the 1st instance.

!

no interface vlan 5

!

That makes vlan 5 layer 2 only as far as this L3-switch is concerned, prevents any Ip address for

10.5.0.X/24 being in your routing table etc hence forcing your other vlan 1-4 kit to use the default route.

Regards

Alex

Regards, Alex. Please rate useful posts.

View solution in original post

Ben Gartland · ‎04-22-2016

If you remove the IP address on the L3 switch, there will be no way for the traffic to be routed between the VLANs. IP traffic will be isolated and remain within the VLAN.

Regards

Ben

robertlbarnett1 · ‎04-22-2016

Thank you, I thought of that after heading to bed last night and did not get a chance to apply that to see if it would work. I wanted to get feed back from more experienced users. Thanks.

acampbell · ‎04-22-2016

Hi Robert,

In my opinion I would keep it simple and do what you said in the 1st instance.

!

no interface vlan 5

!

That makes vlan 5 layer 2 only as far as this L3-switch is concerned, prevents any Ip address for

10.5.0.X/24 being in your routing table etc hence forcing your other vlan 1-4 kit to use the default route.

Regards

Alex

Regards, Alex. Please rate useful posts.

robertlbarnett1 · ‎04-22-2016

Thank you for the feed back, Ben and your feed back makes sense. I had thought about it after I finished for the night and thought removing VLAN 5 would be correct but wanted to get feed back and make sure I was correct and there was not a better way to do it.

isolate single VLAN on L3 switch

Would like to start with a thank for any help that can be provided. I am looking for some guidance for proper configuration. FYI this is a home lab and not production environment so no concerns for users being impacted.

Overview:

The 5th VLAN I would like to isolate from all other VLANs as well as the IP routing interface. This 5th VLAN needs to be a simple L2 network and will have a upstream device connected to the 5th VLAN. This upstream device will be the default route for the nodes on this 5th VLAN.

Example of goal:

Interface VLAN 1 – 10.1.0.1/24 (10.1.0.1 Default GW for VLAN 1 devices)

Interface VLAN 2 – 10.2.0.1/24 (10.2.0.1 Default GW for VLAN 2 devices)

Interface VLAN 3 – 10.3.0.1/24 (10.3.0.1 Default GW for VLAN 3 devices)

Interface VLAN 4 - 10.4.0.1/24 (10.4.0.1 Default GW for VLAN 4 devices)

Interface VLAN 5 – 10.5.0.1/24 (10.5.0.254 Default GW for VLAN 5 devices)

IP routing interface 192.168.0.2 /24

IP route 0.0.0.0 0.0.0.0 192.168.0.1

VLAN 1-4 continue using routing interface and can talk to each other

VLAN 5 cannot talk to other VLANs and cannot use routing interface

VLAN 5 will have load balancer attached and LB LAN 10.5.0.254 and VIPs on 192.168.0.0/24

VLAN 5 devices will have 10.5.0.254 as default GW

Load balancer has static routes to send traffic for VLAN 1-4 to 192.168.0.2

If VLAN 1-4 needs to talk to VLAN 5 servers then it will use a 192.168.0.1 address going out the IP routed interface, hit a firewall and be sent to the load balancer vip address. Load balancer will then follow its ruleset and push traffic to the corresponding 10.5.0.0 address.

Thoughts:

Should I just remove the Interface VLAN 5 so it does not have a IP address on the switch, will this break all inter vlan routing for VLAN 5 and isolate VLAN 5?

Should I do this all through ALCs?

Does private VLAN need to be used, just saw something about it and not up to speed on this feature?

Any other thoughts?

Thanks in advance for any help.

The 5^th VLAN I would like to isolate from all other VLANs as well as the IP routing interface. This 5^th VLAN needs to be a simple L2 network and will have a upstream device connected to the 5^th VLAN. This upstream device will be the default route for the nodes on this 5^th VLAN.