Hi Reza and thanks for responding. on the Daisy Chaning, that is how they wanted it to be (the client).

as is, traffic jumping happens and rightlyy so, I can check into the licensing issue because i ma not sure what type of license they have.

now, if I couldn't do VRF, what other option(s) is available to me to accomplish this traffc isolation? I tried allowed VLAn on teh trunk but didn;t work becuase subnets are directly connected on the VSS pair.

L2 VLAn on teh VSS pair without SVI interface is what I can think of but I was wondering if this is a good way of tackling the issue and if there are other options available!?

Regards,

Masood

Hi Masood,

I only see one vlan in your diagrm (vlan 66) on both the south side and north side. Can you clarify the second vlan and where it is located?

HTH

Reza

By two vlan, I mean a vlan on a parallel LAN which connects to the same VSS pair in teh same fashion as the one in the diagram.

a VLAN 2 for LAN 1 (large LAN)

a VLAN 66 which is the LAn in the Diagram.

in fact the VSS pair is for the Large LAN but they want to have the LAN in the diagram to pass through or to connect through the VSS pair to the WAN router.

I am not sure if this makes sense or even gives a clear picture?

Thanks,

Masood

Ok, so vlan 2 is going to have an SVI on the vss right?

and they want vlan 66 to pass through the 6500 as later-2 and the SVI is located on WAN-sw-1 and 2?

So, why not have an SVI for vlan 66 on the vss just like vlan 2 and have a routed link between the vss and WAN-sw-1 and 2?

If they don't want these vlan to see each other on the 6500, you can use the global routing table for vlan 2 and create a vrf for vlan 66.  This way the route tables are separate.

HTH

Dear Reza,

your questions:

and they want vlan 66 to pass through the 6500 as later-2 and the SVI is located on WAN-sw-1 and 2? ======>Yes, must pass through as L2 but SVI i.e. VLAN 66 is on the VSS pair. I don;t have access to those two WAN switches. I have configure VLAn access port between VSS pair and WAn switches.

So, why not have an SVI for vlan 66 on the vss just like vlan 2 and have a routed link between the vss and WAN-sw-1 and 2? - ======>SVI, VLAn 66 is on teh VSS pair and VLAN 66 access member on a copper port to the WAn swithces. So, I assume they have the same VLAN 66 on those two switches to accomodate the VLAN access connection.

Now, becasue both SVIs i.e VLAN2 (VLAN 2 SVI must be on the VSS pair and it is) and VLAN 66 are residing on the VSS pair and because of that, we haev VLAN tarffic jumping over to the other VLAN 2 and Vice Versa.

Now, I want to have VLAN 66 traffic to just pass through the VSS pair and not rouch VLAN 2's traffic.

Hope this clears the whole scenario!?

Regatds,

Masood

I am not sure why are being forced to setup like this. Ideally, you should terminate your vlans on the switch receiving L2 traffic for a vlan and is connected to Wan router (your wan switches in this case). You should have two SVIs for two vlans on wan switches and if you don't like them to communicate with each other and don't like to use VRF then you may try ACL on SVIs.

Hi and thanks for responding. Yes, they wanted the daisy chaning of those two stacks. the VSS pair was ment for a single but large LAN which had been accomplished. later, the clinetasked to route the second LAN (in the diagram) to pass through the VSS pair to the two WAN switches. the same VLAN 66 is on those WAN switches too but they are not my devices adn I have no control.

So, I don't think lincense to use VRF is available and when you response arrived I was looking to see how best I can use VLAN ACL to stop traffic jumping over between VLAN 2 and VLAN 66 on the VSS pair.

I am not sure how best I can create the VLAN ACL and if you can advise on how to configure that on the VSS pair that will certainly fixes teh issue and my objectives will me met.

I was wondering if you can help me with a configuration example to accomlish the VLAN ACL please?

Regards,

Masood

Hi,

I have acheived what i wanted using VFR but there seems to be one problem or may be not - I am not sure.

from the stacks, I can ping all the way to core the vlan int for that particulr subnet and noe of the other subnets are pingable which is what I wanted.

but, while in the core, I cannot ping that VLAN int although up/up and cannot ping any IPs down stream? Ping cannot be one way?

do I need to be on that VRF prompt/environmnet to be able to ping downstream? if yes, how I can get that prompt? / environm,net? please?

Masood

Just adjust your routing within the VRF if any thing breaks.

I guess instead of VACL you may try IP ACL. I would prefer VRF lite if possible.

ip access-list extended 4Vlan2
remark "blocking from vlan2 to vlan66"
deny ip any 10.10.1.0 0.0.0.15
permit ip any any

IP access-list extended 4Vlan66
remark "blocking from vlan66 to vlan2"
deny ip any
permit ip any any

interface vlan2

ip access-group 4Vlan2 in

interface vlan66

ip access-group 4Vlan66 in

Thanks,

I used vrf and it worked as I wanted it to work. I followed one of Cisco's white papers and did vrf on the VSS pair and vlan access on teh links connecting stack to the core and it did isolate traffic successfully.

Regards,

Masood

Dear Reza,

Thanks.

I used vrf and it worked as I wanted it to work. I  followed one of Cisco's white papers and did vrf on the VSS pair and  vlan access on teh links connecting stack to the core and it did isolate  traffic successfully.

Regards,

Masood