10-02-2012 01:32 PM - edited 03-07-2019 09:14 AM
hello,
I have a pair of Core VSS 6509E SUP 2T. Two different LANs, two different subnets. The larger LAN has been connected to the VSS pair using normal SVI and Port-Channels (it has lots of closets with 3750 stacks) and no problem.
Second LAN, two closets, stacked and connected to each other via Port-Channel and trunk + SVI interfaces. Now, I have SVI interfaces for both LANs on the VSS pair and that is causing traffic from one LAN to jump over to the other VLAN, and rightly so, because the VSS pair sees both subnets as directly connected subnets.
I was wondering, if I delete the SVI for the second LAN and only keep the L2 VLAN, will this be resolved?
The reason for the second LAN to connect to the VSS pair is only that it has to go through the VSS pair to get to the WAN router (both LANs will go out through this same WAN router), but the WAN router is not my concern at this time.
I need to isolate these two LANs'/subnets' traffic so no VLAN's traffic jumps over to the other.
I have also thought about VRF, but at this point I am not sure if the 3750 stacks support VRF and, if they do, how to implement VRF on the second and smaller LAN to just allow it to go through the VSS pair in order to get to the WAN router.
The 1st LAN, although much larger, is connected in the same fashion as the Visio diagram shows.
Regards,
Masood
10-02-2012 02:53 PM
Hi
I am not sure why you are daisy chaining the 3750s together. The switches on the 6th floor south should connect to the VSS pair directly via a port-channel with SVI on the VSS. Also, the switches on the 6th floor N-MDF should connect directly to the VSS via a port-channel with SVI on the VSS. If you don't want these VLANs to see each other, then you can run VRF Lite on the 3750 and the 6500. You need the IP Services license for the 3750s to do VRF.
HTH
10-02-2012 03:40 PM
Hi Reza and thanks for responding. On the daisy chaining, that is how they wanted it to be (the client).
As is, traffic jumping happens, and rightly so. I can check into the licensing issue because I am not sure what type of license they have.
Now, if I couldn't do VRF, what other option(s) is available to me to accomplish this traffic isolation? I tried allowed VLAN on the trunk but it didn't work because the subnets are directly connected on the VSS pair.
L2 VLAN on the VSS pair without an SVI interface is what I can think of, but I was wondering if this is a good way of tackling the issue and if there are other options available!?
Regards,
Masood
10-02-2012 03:55 PM
Hi Masood,
I only see one VLAN in your diagram (VLAN 66) on both the south side and north side. Can you clarify the second VLAN and where it is located?
HTH
Reza
10-02-2012 04:08 PM
By two VLANs, I mean a VLAN on a parallel LAN which connects to the same VSS pair in the same fashion as the one in the diagram.
A VLAN 2 for LAN 1 (large LAN).
A VLAN 66, which is the LAN in the diagram.
In fact the VSS pair is for the large LAN, but they want to have the LAN in the diagram pass through, or connect through, the VSS pair to the WAN router.
I am not sure if this makes sense or even gives a clear picture?
Thanks,
Masood
10-02-2012 05:04 PM
Ok, so VLAN 2 is going to have an SVI on the VSS, right?
And they want VLAN 66 to pass through the 6500 as layer-2, and the SVI is located on WAN-sw-1 and 2?
So, why not have an SVI for VLAN 66 on the VSS just like VLAN 2 and have a routed link between the VSS and WAN-sw-1 and 2?
If they don't want these VLANs to see each other on the 6500, you can use the global routing table for VLAN 2 and create a VRF for VLAN 66. This way the route tables are separate.
HTH
10-02-2012 05:33 PM
Dear Reza,
Your questions:
And they want VLAN 66 to pass through the 6500 as layer-2 and the SVI is located on WAN-sw-1 and 2? ======> Yes, it must pass through as L2, but the SVI, i.e. VLAN 66, is on the VSS pair. I don't have access to those two WAN switches. I have configured a VLAN access port between the VSS pair and the WAN switches.
So, why not have an SVI for VLAN 66 on the VSS just like VLAN 2 and have a routed link between the VSS and WAN-sw-1 and 2? ======> The SVI, VLAN 66, is on the VSS pair and a VLAN 66 access member on a copper port goes to the WAN switches. So, I assume they have the same VLAN 66 on those two switches to accommodate the VLAN access connection.
Now, because both SVIs, i.e. VLAN 2 (the VLAN 2 SVI must be on the VSS pair and it is) and VLAN 66, are residing on the VSS pair, we have VLAN traffic jumping over to the other VLAN 2 and vice versa.
Now, I want VLAN 66 traffic to just pass through the VSS pair and not touch VLAN 2's traffic.
Hope this clears up the whole scenario!?
Regards,
Masood
10-03-2012 07:21 AM
I am not sure why you are being forced to set it up like this. Ideally, you should terminate your VLANs on the switch that receives L2 traffic for a VLAN and is connected to the WAN router (your WAN switches in this case). You should have two SVIs for the two VLANs on the WAN switches, and if you don't like them to communicate with each other and don't like to use VRF, then you may try ACLs on the SVIs.
10-03-2012 07:27 AM
Hi and thanks for responding. Yes, they wanted the daisy chaining of those two stacks. The VSS pair was meant for a single but large LAN, which had been accomplished. Later, the client asked to route the second LAN (in the diagram) to pass through the VSS pair to the two WAN switches. The same VLAN 66 is on those WAN switches too, but they are not my devices and I have no control.
So, I don't think a license to use VRF is available, and when your response arrived I was looking to see how best I can use a VLAN ACL to stop traffic jumping over between VLAN 2 and VLAN 66 on the VSS pair.
I am not sure how best I can create the VLAN ACL, and if you can advise on how to configure that on the VSS pair, that will certainly fix the issue and my objectives will be met.
I was wondering if you can help me with a configuration example to accomplish the VLAN ACL please?
Regards,
Masood
10-03-2012 09:17 AM
Hi,
I have achieved what I wanted using VRF, but there seems to be one problem, or maybe not; I am not sure.
From the stacks, I can ping all the way to the core VLAN interface for that particular subnet, and none of the other subnets are pingable, which is what I wanted.
But, while in the core, I cannot ping that VLAN interface although it is up/up, and I cannot ping any IPs downstream? Ping cannot be one way?
Do I need to be in that VRF prompt/environment to be able to ping downstream? If yes, how can I get that prompt/environment please?
Masood
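As an added example (not from the thread or any of its posters) of the VRF-lite split Reza suggests, with VLAN 2 left in the global routing table, VLAN 66 placed in its own VRF on the VSS pair, and the VRF-aware ping that answers the question above about pinging downstream from the core. The VRF name LAN66, the interface addresses and the WAN next hop are assumptions; the 10.10.1.0/28 range is taken from the ACL posted later in the thread.

```cisco
! Added example, not configuration from the thread. All names and addresses are assumed.
! IOS 15.x syntax; on older images use "ip vrf LAN66" and "ip vrf forwarding LAN66" instead.
vrf definition LAN66
 description second LAN, kept out of the global routing table
 address-family ipv4
 exit-address-family
!
vlan 2
 name LAN1-large
vlan 66
 name LAN2-isolated
!
! VLAN 2 stays in the global table (placeholder address).
interface Vlan2
 description large LAN, global routing table
 ip address 10.0.2.1 255.255.255.0
!
! Binding the SVI to the VRF clears any existing IP address, so set the address afterwards.
interface Vlan66
 description second LAN, routed only inside VRF LAN66
 vrf forwarding LAN66
 ip address 10.10.1.1 255.255.255.240
!
! Links from the VLAN 66 stacks and the copper port to the WAN switches stay plain L2 access ports.
interface GigabitEthernet1/1/1
 description access port toward WAN-sw (placeholder port)
 switchport mode access
 switchport access vlan 66
!
! Default route for the VRF only; the global table never learns 10.10.1.0/28 and vice versa.
! 10.10.1.14 is an assumed WAN router address inside VLAN 66.
ip route vrf LAN66 0.0.0.0 0.0.0.0 10.10.1.14
!
! Verification from the core. A plain "ping" uses the global table, so VLAN 66 hosts
! are unreachable from it; name the VRF to test inside it, no separate prompt is needed.
! ping vrf LAN66 10.10.1.5
! show ip route vrf LAN66
! show vrf detail LAN66
! show ip interface brief | include Vlan
```

The expected result of the isolation is that ping to 10.10.1.x from the global table fails while "ping vrf LAN66" succeeds, and "show ip route vrf LAN66" lists only the connected /28 and the VRF default route.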
10-03-2012 09:48 AM
Just adjust your routing within the VRF if any thing breaks.
10-03-2012 09:21 AM
I guess instead of VACL you may try IP ACL. I would prefer VRF lite if possible.
ip access-list extended 4Vlan2
 remark "blocking from vlan2 to vlan66"
 deny ip any 10.10.1.0 0.0.0.15
 permit ip any any
!
! The VLAN 2 subnet is not given in the thread; replace the placeholders with its network and wildcard mask.
ip access-list extended 4Vlan66
 remark "blocking from vlan66 to vlan2"
 deny ip any VLAN2-NETWORK VLAN2-WILDCARD
 permit ip any any
!
interface vlan2
 ip access-group 4Vlan2 in
interface vlan66
 ip access-group 4Vlan66 in
10-03-2012 05:51 PM
Thanks,
I used VRF and it worked as I wanted it to work. I followed one of Cisco's white papers and did VRF on the VSS pair and VLAN access on the links connecting the stacks to the core, and it did isolate traffic successfully.
Regards,
Masood