07-05-2021 06:24 AM - edited 07-05-2021 06:26 AM
Hello everyone
I have an interesting puzzle for you to resolve. There is an idea to create an internal DMZ for servers with private VLANs in an inter-VLAN routing environment. The Cisco L3 switch on which it would be configured is connected to the router through a no-switchport interface with an IP address.
The questions are:
1. Is it possible to reach a specific server in a private VLAN from a whole normal users' VLAN (one that is not private) instead of setting just particular ports as promiscuous?
2. If the port to the router is no switchport, but it just has a physical IP address, is it possible for servers in the private VLANs to reach it, since I cannot configure switchport commands on it?
3. Can I use the primary VLAN of some secondary private VLANs as a normal VLAN for other purposes?
I uploaded a small concept of the network idea in the attachment. Any help would be appreciated.
Best regards,
Sam
07-05-2021 06:27 AM
If the device supports it, why not use an ACL for this requirement, so you can only allow or deny what is required to access?
Does this work for you?
07-05-2021 07:44 AM
Thanks for the quick response, however it doesn't work for me. I know how to use ACLs on VLANs. I just have questions and I want to get answers to them. No need for other solutions.
07-06-2021 04:34 AM
Hello @Jack K ,
1) One promiscuous-mode port associated to the primary VLAN is needed; at least the SVI of the primary VLAN should be treated this way. Private VLANs are a Layer 2 concept; from other VLANs the hosts are reached via inter-VLAN routing and via the SVI associated to the primary VLAN.
2) Again, the private VLAN is an OSI Layer 2 concept that limits which ports can communicate at Layer 2. Via the promiscuous ports other subnets can be reached, including a router out of a routed interface.
3) Not recommended, I would not do it.
Hope to help
Giuseppe
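A configuration sketch of the point made above (the primary-VLAN SVI acting as the promiscuous Layer 3 entry point, with the routed uplink reached through inter-VLAN routing), added here as an example and not part of Giuseppe's reply; all VLAN IDs, addresses and interface names are assumptions.

```cisco
! Added example (not from the thread): private VLANs with the primary-VLAN SVI
! acting as the promiscuous Layer 3 entry point. All VLAN IDs, addresses and
! interface names below are assumed for illustration.
vtp mode transparent
!
vlan 100
 name DMZ-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 name DMZ-ISOLATED
 private-vlan isolated
!
vlan 102
 name DMZ-COMMUNITY
 private-vlan community
!
! Servers: host ports bound to their secondary VLAN
interface GigabitEthernet1/0/10
 description isolated-server
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/11
 description community-server
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Questions 1 and 2: the primary VLAN SVI is the promiscuous Layer 3 hop.
! Traffic from the normal user VLAN (SVI 20) and from the routed uplink is
! routed here and reaches every secondary VLAN without making user-facing
! ports promiscuous; an ACL applied to this SVI scopes what is reachable.
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 private-vlan mapping 101,102
!
interface Vlan20
 description normal-users
 ip address 10.20.0.1 255.255.255.0
!
! Routed uplink to the router (no switchport): servers reach it through
! inter-VLAN routing via Vlan100, so no switchport commands are needed here.
interface GigabitEthernet1/0/1
 no switchport
 ip address 192.0.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```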
07-07-2021 07:20 AM
@Giuseppe Larosa, thank you for your detailed information. What you wrote seems to be true. I'll check it on Friday and see how it works. Regarding the 3rd question, I was just curious if it's possible, but I don't intend to do it ;D
07-06-2021 06:22 AM - edited 07-06-2021 06:23 AM
I agree with @Giuseppe Larosa on this. I don't think trying to use private VLANs across multiple devices like this is the right solution. I also don't think it will work the way you intend because of having to make multiple uplinks into promiscuous ports.
07-07-2021 07:22 AM
@Elliot Dierksen Thanks for your concerns; however, regarding the 3rd question, I was just curious if it's possible, but I don't intend to do it ;D