cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1230
Views
0
Helpful
5
Replies

Traffic separation

raj-toor
Level 1
Level 1

image.png

We currently have SVI's on (AS) access switches. Which allows for small broadcast domain and for easy IP management/identification per floor. But these switches are also either have base/essentials licences only. Since AS1 routes all vlans red and yellow vlan's can communicate freely. We want red separated from all other networks until its traffic reaches upwards to a firewall.

I am thinking of moving the SVI's to DS switch which has the services/advantage license and use VRF-lite there. But for this i will have to change the vlan ID's on AS switches for red/yellow vlans so they can still have their own IP subnet. This i am not sure might derail the future project of dynamic vlan assignment, if its not possible to assign VLAN's by name with 802.1x.

 

If any one can share thoughts on what i am doing is correct or has some better suggestions.

5 Replies 5

Martin Carr
Level 4
Level 4

You need to move the SVI's to the firewall using dot1q and then disable routing on the switch (i.e. no routing) and configure a default gateway.

 

Note it's also possible to configure ACL's on the switch, but this is not ideal, as you don't want your access layer performing routing!

 

You don't need VRF technology for what you are trying to achieve, this is a routing context (i.e. virtual router) analogous to what a VLAN is at layer 3.

 

VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol for propagating VLAN's within a switching domain and is what you would use for what you describe. Be sure you understand this before you deploy, as you can end up overwriting the VLAN database if you do not understand it's operation, re revision numbers!

My advice would be if it's literally three switch's to create manually.

 

Martin

@Martin Carr Thanks for your reply. I made this diagram for the purpose of illustration it not just 3 switches. I think proper question would be does dynamic vlan assignment with 802.1x authentication support assigning vlan by name or does it has to be an ID. I don't have experience with this but this is something that is in our pipeline.

ISE uses the VLAN name or ID to assign a dynamic VLAN.

Thanks @Alex Pfeil 

Would you know if freeradius/NPS supoorts that too?

I don't know if freeradius supports that.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco