Private Vlans

ziad sousa
Community Member

Can 2 isolated VLANs in the same subnet communicate on layer 3 if they are both associated to the same SVI?


12 Replies

devils_advocate
Level 11

How can you have a single SVI for two VLANs?

By associating the secondary VLANs to the SVI of the primary VLAN.

Francesco Molino
VIP Alumni

Hi

When you use private VLANs, isolated ports are not able to communicate with other isolated ports.

You can use community ports to allow only a few hosts to communicate together.

          I-Port   P-Port   C1-Port
I-Port    Deny     Permit   Deny
P-Port    Permit   Permit   Permit
C1-Port   Deny     Permit   Permit
C2-Port   Deny     Permit   Deny

Source: https://en.wikipedia.org/wiki/Private_VLAN

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, I understand, but can we use routing or the promiscuous port to pass information between secondary VLANs?

Honestly, I've never done that in production, but you could maybe use some proxy ARP...

But again, if these 2 hosts need to talk together, then why not use community ports?


Thanks
Francesco

True, you are right. It was a bizarre scenario I encountered: we have a TACACS server on an isolated VLAN and another server which needs credentials, and they both have to be on the same subnet. That's why I was asking if it's possible.

Ok. You can do several things to achieve that (proxy ARP, NAT, ...), but the best way to accomplish it is using a community port.

Thanks
Francesco

Yes, I think a community VLAN and a PACL will be the best solution. Thank you guys, really appreciate it.

You're welcome. Yes, community will limit the ACL lines you need to filter what's denied.

Thanks
Francesco

Ziad,

if you want to isolate the TACACS server while still being in the same VLAN, why not use port ACLs? Community ports in a private VLAN, as suggested, are definitely an idea, but by themselves they would not let you shield the TACACS server. Port ACLs would let you define exactly which traffic you allow in or out.

Seems like a solution. Thank you very much for your help, really appreciate it.

Georg Pauwen
VIP Alumni

Ziad,

not sure if I correctly understand your question. For layer 3 connectivity, you need to map the primary VLAN SVI to the private VLANs, as in the example below, where VLAN 100 is your primary VLAN and 101 and 102 are your private VLANs:

interface Vlan100
 description Primary Vlan
 private-vlan mapping add 101,102

HTH
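The combination the thread settles on (a community secondary VLAN for the two servers, the primary VLAN SVI mapped to both secondaries as in Georg's post, and a port ACL as the extra shield), written out as one Catalyst IOS configuration. This is an added example, not configuration from any poster: VLAN numbers 100/101/102 follow the post above, while the interface names, the 10.10.100.0/24 subnet and the server addresses 10.10.100.10 (TACACS) and 10.10.100.20 (application server) are assumptions.

```cisco
! Private VLANs must be created in VTP transparent mode (or VTPv3)
vtp mode transparent
!
vlan 100
 name PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 name ISOLATED
 private-vlan isolated
!
vlan 102
 name TACACS-COMMUNITY
 private-vlan community
!
! Layer 3: one SVI on the primary VLAN, mapped to both secondaries
interface Vlan100
 description Primary VLAN SVI, gateway for 101 and 102 (assumed subnet)
 ip address 10.10.100.1 255.255.255.0
 private-vlan mapping 101,102
!
! PACL: from the app server, only TACACS+ (TCP/49) may reach the TACACS server
ip access-list extended PACL-APP-TO-TACACS
 permit tcp host 10.10.100.20 host 10.10.100.10 eq 49
 deny   ip any host 10.10.100.10
 permit ip any any
!
! TACACS server (assumed 10.10.100.10): community port
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! App server (assumed 10.10.100.20): same community. The PACL is applied
! here because a Catalyst PACL is inbound only, i.e. it filters what this
! host sends into the switch, not what arrives at the TACACS server's port
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 ip access-group PACL-APP-TO-TACACS in
!
! Any other host: isolated port, no layer 2 path to either server
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Uplink toward the rest of the network: promiscuous port
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
```

Verify with `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/2 switchport`; the isolated hosts on VLAN 101 still reach the gateway and the promiscuous uplink but, per the table earlier in the thread, neither each other nor the community ports.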