Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1487
Views
5
Helpful
5
Replies

L3 Switch Vlan complete isolation

Go to solution
QUARK TARO
Level 1
Level 1

‎10-26-2017 01:47 PM - edited ‎03-08-2019 12:30 PM

I have a L3 switch used with three vlans. I need to ensure that traffic from each valn including broadcast, multicast should not cross each other. My objective is all three vlans should be 100% isolated. Traffic from one vlan should never enter another vlan. How do I ensure this?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP
In response to QUARK TARO

‎10-27-2017 02:04 AM

Hello

not from the negated vlans but within each vlan yes there is - but you can minimise this through storm control 

 

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

0 Helpful
5 Replies 5

Go to solution
paul driver
VIP
VIP

‎10-26-2017 02:02 PM

Hello

You can use PVLANS but RACL's would be applicable here also.

 

ip access-list extended no-vlan20-30
deny ip any 20.20.20.0 0.0.0.255
deny ip any 30.20.20.0 0.0.0.255

permit ip any any

int vlan 10
ip access-group no-vlan20-30 IN


ip access-list extended no-vlan10-30
deny ip any 10.10.10.0 0.0.0.255
deny ip any 30.20.20.0 0.0.0.255

permit ip any any

int vlan 20
ip access-group no-vlan10-30 IN

 

 

ip access-list extended no-vlan10-20
deny ip any 10.10.10.0 0.0.0.255
deny ip any 20.20.20.0 0.0.0.255

permit ip any any

int vlan 30
ip access-group no-vlan10-20 IN

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
QUARK TARO
Level 1
Level 1
In response to paul driver

‎10-26-2017 10:42 PM

I have a question in mind, if I do not define any IP interface on vlan, is there any possibility of any type of traffic (broadcast, multicast) reaching from one vlan to another vlan?

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to QUARK TARO

‎10-27-2017 02:04 AM

Hello

not from the negated vlans but within each vlan yes there is - but you can minimise this through storm control 

 

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
QUARK TARO
Level 1
Level 1
In response to paul driver

‎10-27-2017 09:46 AM

Can I define acl in the following way?
ip access-list extended no-vlan20-30
permit ip 30.20.20.0 0.0.0.255 any
deny ip any any

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to QUARK TARO

‎10-27-2017 09:57 AM

Hello

you cn but that will negate all communication to everything outside that vlan even other vlans  and wan traffic 

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card