Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1081
Views
0
Helpful
6
Replies

Private VLANs in an inter-VLAN routing environment with no switchport interface connected to the router

Jack K
Level 1
Level 1

‎07-05-2021 06:24 AM - edited ‎07-05-2021 06:26 AM

Hello everyone

 

I have an interesting puzzle for you to resolve. There is an idea to create an internal DMZ for servers with private VLANs in an inter-VLAN routing environment. The Cisco L3 switch on which it will would be configured is connected with the router through no switchport with an IP address.

 

The questions are:

1. Is it possible to reach a specific server in a private-vlan from a whole normal users vlan (that is not private) instead of setting just particular ports as promiscuous?

2. If the port to the router is no switchport, but it just has a physical IP address, is it possible that servers in the private vlans can reach it, since I cannot configure switchport commands?

3. Can I use a primary vlan of some secondary private vlans as a normal vlan for other purposes?

 

I uploaded a small concept of the network idea in the attachment. Any help would be appreciated

 

Best regards,

Sam

Labels:
Preview file
74 KB
0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎07-05-2021 06:27 AM

If the device support, why not use ACL for this requirement, so you can only allow or deny what required to access.

 

is this works for you ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Jack K
Level 1
Level 1
In response to balaji.bandi

‎07-05-2021 07:44 AM

@balaji.bandi

 

Thanks for quick response, however it doesn't work for me. I know how to use ACLs on vlans. I just have questions and I want to get answers to them. No need for other solutions

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎07-06-2021 04:34 AM

Hello @Jack K ,

 

1) one promiscous mode port associated to primary VLAN is needed at least the SVI of primary VLAN should be treated this way. Private VLANs are a Layer 2 concept from other VLANs the hosts are reached via inter VLAN routing and via the SVI associated to the primary VLAN.

2) Again the private VLAN is an OSI layer 2 concept that limits what ports can communicate at Layer 2. Via the promiscous ports other subnets can be reached including a router out of a routed interface.

3) Not recommended I would not do it

 

Hope to help

Giuseppe

 

0 Helpful

Jack K
Level 1
Level 1
In response to Giuseppe Larosa

‎07-07-2021 07:20 AM

@Giuseppe Larosa, thank you for your detailed information. It seems to be true what you wrote. I'll check it on Friday and see how it works. Regarding the 3rd question, I just was curious if it's possible, but not intended to do it ;D

0 Helpful

Elliot Dierksen
VIP
VIP

‎07-06-2021 06:22 AM - edited ‎07-06-2021 06:23 AM

I agree with @Giuseppe Larosa on this. I don't think trying to use private VLAN across multiple devices like this is the right solution. I also don't think it will work the way you intend because of having to making multiple uplinks into promiscuous ports.

0 Helpful

Jack K
Level 1
Level 1
In response to Elliot Dierksen

‎07-07-2021 07:22 AM

@Elliot DierksenThanks for your concerns, however regarding the 3rd question, I just was curious if it's possible, but not intended to do it ;D

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card