I have an interesting puzzle for you to resolve. There is an idea to create an internal DMZ for servers with private VLANs in an inter-VLAN routing environment. The Cisco L3 switch on which it would be configured is connected to the router through a `no switchport` interface with an IP address.
The questions are:
1. Is it possible to reach a specific server in a private VLAN from an entire normal users VLAN (one that is not private), instead of setting just particular ports as promiscuous?
2. If the port to the router is `no switchport` and just has a physical IP address, is it possible for servers in the private VLANs to reach it, since I cannot configure switchport commands on it?
3. Can I use the primary VLAN of some secondary private VLANs as a normal VLAN for other purposes?
I uploaded a small concept of the network idea in the attachment. Any help would be appreciated.
Thanks for the quick response, however it doesn't work for me. I know how to use ACLs on VLANs. I just have questions and I want to get answers to them. No need for other solutions.
Hello @Jack K,
1) At least one promiscuous-mode port associated with the primary VLAN is needed; at a minimum the SVI of the primary VLAN should be treated this way. Private VLANs are a Layer 2 concept; from other VLANs the hosts are reached via inter-VLAN routing and via the SVI associated with the primary VLAN.
2) Again, the private VLAN is an OSI Layer 2 concept that limits which ports can communicate at Layer 2. Via the promiscuous ports other subnets can be reached, including a router out of a routed interface.
3) Not recommended, I would not do it.
Hope to help
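To make the two answers above concrete, here is an added IOS configuration sketch for a single Catalyst L3 switch. It is not from the thread or from Cisco documentation; VLAN numbers, IP addresses, interface names and the "Vlan20 = normal users" assignment are all assumptions. It shows (1) the primary-VLAN SVI acting as the promiscuous Layer 3 entry point so an entire users VLAN reaches one server by routing, with an ACL narrowing that to the one server, and (2) the routed `no switchport` uplink being reachable from the private VLAN hosts simply because the SVI routes toward it.

```cisco
! Private VLANs need VTP transparent mode (VTPv1/v2); without it the
! private-vlan commands are rejected.
vtp mode transparent
ip routing
!
! Primary VLAN 100 with one isolated (101) and one community (102)
! secondary VLAN. Hosts in 101 cannot talk to each other at Layer 2;
! hosts in 102 can talk to each other but not to 101.
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Server ports: host ports bound to primary 100 and one secondary VLAN.
interface GigabitEthernet1/0/1
 description DMZ server A (isolated, assumed 10.100.0.11)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/2
 description DMZ server B (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Optional promiscuous physical port (e.g. a backup or monitoring box)
! that must reach every secondary VLAN at Layer 2.
interface GigabitEthernet1/0/10
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Answer to question 1: the primary-VLAN SVI is the promiscuous Layer 3
! gateway. With the secondary VLANs mapped here, any routed VLAN reaches
! the servers through it; no user port needs to be promiscuous.
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 private-vlan mapping 101,102
!
! Normal users VLAN, routed by the same switch. The inbound ACL limits
! users to the one server the question asks about (assumed 10.100.0.11)
! and blocks the rest of the DMZ subnet.
ip access-list extended USERS-TO-DMZ
 permit tcp 10.20.0.0 0.0.0.255 host 10.100.0.11 eq 443
 deny   ip  10.20.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 permit ip  any any
interface Vlan20
 description normal users VLAN (not private)
 ip address 10.20.0.1 255.255.255.0
 ip access-group USERS-TO-DMZ in
!
! Answer to question 2: the router is behind a routed port. Servers use
! 10.100.0.1 as their default gateway, the switch forwards to the router,
! so no switchport/private-vlan command is needed on this interface.
interface GigabitEthernet1/0/24
 description routed uplink to the router
 no switchport
 ip address 10.0.0.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Hardening caveat: Layer 2 isolation does not stop a host that points a
! host route for a neighbour at the SVI, because the SVI will route it
! back into the same subnet. A VACL on the primary VLAN drops
! intra-subnet traffic that arrives for routing, closing that gap.
ip access-list extended PVLAN-SAME-SUBNET
 permit ip 10.100.0.0 0.0.0.255 10.100.0.0 0.0.0.255
vlan access-map PVLAN-NO-PROXY 10
 match ip address PVLAN-SAME-SUBNET
 action drop
vlan access-map PVLAN-NO-PROXY 20
 action forward
vlan filter PVLAN-NO-PROXY vlan-list 100
```

Checks worth running after applying this: `show vlan private-vlan` should list 100 as primary with 101/102 associated, `show interfaces GigabitEthernet1/0/1 switchport` should report the private-vlan host association, and a ping from a user in 10.20.0.0/24 should succeed to 10.100.0.11 on the permitted port only. The VACL at the end is an addition beyond what Giuseppe described; its only effect is on traffic that tries to use the SVI to get between two hosts of the same private VLAN subnet, which plain Layer 2 isolation cannot prevent.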
@Giuseppe Larosa, thank you for your detailed information. It seems to be true what you wrote. I'll check it on Friday and see how it works. Regarding the 3rd question, I just was curious if it's possible, but not intended to do it ;D
I agree with @Giuseppe Larosa on this. I don't think trying to use private VLANs across multiple devices like this is the right solution. I also don't think it will work the way you intend because of having to make multiple uplinks into promiscuous ports.
@Elliot Dierksen Thanks for your concerns, however regarding the 3rd question, I was just curious if it's possible, but did not intend to do it ;D