Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
676
Views
0
Helpful
9
Replies

Isolating VLANs over two sites

upen desai
Level 1
Level 1

‎11-12-2015 07:41 AM - edited ‎03-08-2019 02:40 AM

Hello 

I hope you can help me with VLAN config on a cisco 3750 switches.

We have two office connected with a BT LES link (point to point). With 3750 switches in both offices, and two HyperV servers, one in each office.

Both HyperV servers have an isolated networks and I am trying to figure out how to connect these two isolated network by implementing Private VLANs on the 3750.

Both HyperV servers are currently sitting on a Server vlan which is a production VLAN with all our servers. 

Please let me know if you want me to explain things further.

many thanks

Upen Desai

Labels:
0 Helpful
9 Replies 9

Mark Malone
VIP Alumni
VIP Alumni

‎11-12-2015 07:52 AM

You could set the ports which belong to each Hyper V in a community vlan on both sides so only they can talk to each other but no one else , thats just off my head becasue if you set them as isolated they still wont be able to speak to each other

0 Helpful

upen desai
Level 1
Level 1
In response to Mark Malone

‎11-12-2015 08:28 AM

hello Mark

Thank you for coming back to be so quickly.

so if i try to create a community VLAN in Site A and the same vlan in Site B. This sould allow the two HyperV servers to connect but still remaining isolated from the production network.

many thanks

0 Helpful

Mark Malone
VIP Alumni
VIP Alumni
In response to upen desai

‎11-12-2015 08:32 AM

Yes exactly that should work in theory as same community vlans in same layer 2 domain can speak to each other  but no one else other than there promiscous port so they can break out

This will completly isoolate them from other servers/users etc once there not part of your  community vlan

0 Helpful

upen desai
Level 1
Level 1
In response to Mark Malone

‎11-13-2015 07:51 AM

hello Mark

Just been reading up on this setup, one of the prequsites is to set the switch to VTP Transparent mode.

Our core switch in both sites is running VTP in Server mode. So probably not a good idea to change it in production.

Can i get additional switches set them to transparent mode and then connect those to the Core switches would that work.

many thanks

0 Helpful

paul driver
VIP
VIP
In response to upen desai

‎11-14-2015 03:06 AM

Hello

Pvlans are a good option but as you have read you need to have the switches in transparent and also bind the L3 of the primary vlan with the community  vlans so they can speak to each other over l3

Another option could be assuming these vlans have l3 Svis Is use svi acl to negate access 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Masoud Pourshabanian
VIP Alumni
VIP Alumni
In response to upen desai

‎11-14-2015 06:47 AM

Hello,

You still need to configure Private VLAN on both 3750s if you use a seperate switch.

The link between two 3750s is trunk? Why you do not dedicate a seperate VLAN to your Hyper-V servers and permit that VLAN over your Trunk link? Communication of Hyper-V with other hyper-V will be through L2 and with other servers and outside will be l3 and can be controlled by configuration of access-list on corresponding SVI.

Masoud

0 Helpful

Masoud Pourshabanian
VIP Alumni
VIP Alumni
In response to upen desai

‎11-14-2015 07:02 AM

Vlan access list can be another option to isolate those hyper-V whitin a VLAN.

Masoud

0 Helpful

paul driver
VIP
VIP
In response to Masoud Pourshabanian

‎11-14-2015 11:59 AM

Hello

Vacls good option  but  are ONLY between same vlan between differant vlans Racls or Pvlans can be utilised

My preferance would be to use racls

Edited - Forgot to add a couple of examples

VACL( within vlan)

access-list 101 permit  host 11.1.1.1 host 11.1.1.2
access-list 101 permit  host 11.1.1.2 host 11.1.1.1


vlan acess-map VACL-V11 10
match ip address 101
action forward

vlan access-map VACL-V11 99
action drop

vlan filter-list VACL-V11 vlan-list 11


RACL on SVI  (this can be ammeded to suit you traffic requirements ( MC, routing protocols etc..)
in = from withn vlan
out - outside going into vlan

vlan 10= 10.1.1.0/24
vlan 11= 11.1.1.0/24

ip access-list extended Stan
permit ip 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255
permit icmp 10.1.1.0 0.0.0.255 11.1.1.0 0.0.0.255


In vlan 10
Ip access-group Stan  in

In vlan 11
Ip access-group Stan out

res
paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Masoud Pourshabanian
VIP Alumni
VIP Alumni
In response to paul driver

‎11-14-2015 11:59 AM

Currently Hyper-Vs are located in Server vlan with some other servers.

I am just repeating my previous sentence.

Vlan access list can be another option to isolate those hyper-V whitin a VLAN.

Otherwise, its name was intra-Vacl.

res

Masoud

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card