Isolate Vlan Traffic on the same switch

abarb002 · ‎10-31-2019

Okay, was posed with the need to Isolate multicast traffic to prevent hosts from communicating with each other. Yes they will be on different vlans and on the same switch, but the end devices will need to still communicate within the same network. The training program that we are using will be used at the exact same time on different devices and vlans. The problem with doing this, these programs will intercept each other's messages and that needs to be prevented. The two Vlans will be connected to a layer 2 switch, routed through a layer 3 switch. I explained this the best that I can. I operate on a closed network and therefore there is no need to communicate with others outside of this network. Just inside the network, but no with each other. Also, these are VMs running inside of windows machines. I just need to vlans to ignore each other's traffic.

Thanks

balaji.bandi · ‎10-31-2019

how about implementing VACL ?

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

abarb002 · ‎10-31-2019

Yes, this may work. I can block the multicast address from the the other
vlan but allow all other traffic. Can't test this until next month, but I
will let you know if this works.

balaji.bandi · ‎11-01-2019

Understand strome control block the whole thing, and your goal will be achieved with that.

Another way if you have 2 different multicast group each site, you can also have ACL to filter those multicast IP to deny from other VLAN

So each VLAN still can run their own training program, others can not join.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

abarb002 · ‎11-01-2019

Thanks, I will try the ACL route. Appreciate the assistance, this is my
first networking job so I’m under a lot of pressure.

Georg Pauwen · ‎10-31-2019

Hello,

not sure I fully understand what you are trying to achieve, but if you configure:

storm-control multicast level 0.0

on a switchport, all multicast traffic on that port will be suppressed...

abarb002 · ‎10-31-2019

I'm not trying to prevent it, i'm just trying to prevent two separate vlans
from seeing each others traffic. I'm running the exact training program on
the same switch but on different vlans, but they will see each other's
traffic and what each other is doing. I'm just trying to do something at
the request of my supervisor. I'm not really sure what to do or what is
being done, I've just been tasked with doing something that i'm no sure can
be done.

abarb002 · ‎11-06-2019

Trying to prevent multicast traffic for one vlan from receiving multicast traffic on another vlan.

Have you ever used this storm control command before? Will it put my ports into err-disabled?

Joseph W. Doherty · ‎11-01-2019

VLANs by default isolate all traffic from each other (i.e. this includes multicast).

If you're routing between VLANs, by default, multicast is not routed (you need to enable multicast routing).

Could you further clarify your requirement?

abarb002 · ‎11-01-2019

Didn’t address the issue today, had other network problems to work on. Will let you know next week. Thanks for responding.

abarb002 · ‎11-06-2019

Sorry for the late reply. Multicast routing is enabled within our network. We only want multicast traffic to circulate within one vlan, without removing this vlan or the switch from the network. I hope that explains what I am trying to do. I have several options to test during our predeployment phase so I will let everyone know how things go.