Vlan blocking Cisco L3 Switch (4948 E-F)

Tamas86 (Level 1)

Hi Everyone!


I would like to enlist your assistance in a question which I have been trying to find an answer to for about 3 days. 

There is a SW to be tested. For us to be able to test it, the following test environment has been set up (please see the picture below).

Two VLAN networks:

  • No. 20, LAN connection of the company
  • No. 40, LAN connection of the test server

The test server is located at the IP address of 192.168.4.1 (192.168.4.1/24), DHCP runs on it (DHCP range is depicted in the picture). The company router has the IP address 192.168.2.1 (192.168.2.1/23) and it runs DHCP too (DHCP range is depicted in the picture).

The reason why this is of highest necessity is because the SW to be tested gets certain devices to boot through PXE, and LAN No. 40 is the closest connection of the server.

The L2 switches are configured in such a way that ports 1-12 are assigned to the company LAN and the rest, 13-24, are assigned to the test LAN. The L3 switch works the same way as the L2 switches. The system and the setup itself operate perfectly, enabling us to test the SW in this particular environment; however, we intend to make some changes.

(Layer 2 switch: Cisco 2960; Layer 3 switch: 4948 E-F)

I must decouple VLAN No. 20 from No. 40 in order to block any interoperability between the two, so that the devices in these different networks won't see one another (neither ping nor anything else).

Several configurations have already been tried out thus far; none of them has worked. I have also created an IP access list, but this one did not work either. What can go wrong with the configuration? I am uploading the default configuration without the ACL, because it must be faulty, and then I delete them.

Can you please give me a hand in finding a solution for how I could separate these two networks from each other? 


Your help is truly appreciated and thank you in advance!

L3 switch config:

kozpont2#sh run
Building configuration...

Current configuration : 6257 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname kozpont2
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
ip subnet-zero
no ip routing
!
!
ip dhcp snooping vlan 20,40
ip dhcp snooping
ip vrf mgmtVrf
!
vtp mode off
!
!
!
power redundancy-mode redundant
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20
name hadri
!
vlan 40
name aiken
!
vlan 98
name native vlan
!
ip tftp source-interface FastEthernet1
!
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
ip address 10.0.0.1 255.255.0.0
no ip route-cache
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/6
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/7
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/8
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/11
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/12
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/13
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/14
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/15
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/16
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/17
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/18
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/19
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/20
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/21
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/22
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/23
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/24
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/25
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/26
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/27
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/28
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/29
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/30
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/31
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/32
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/33
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/34
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/35
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/36
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/37
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/38
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/39
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/40
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/41
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/42
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/43
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/44
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/45
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/46
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/47
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/48
switchport access vlan 40
switchport mode access
!
interface TenGigabitEthernet1/49
switchport access vlan 40
switchport mode access
ip dhcp snooping trust
!
interface TenGigabitEthernet1/50
switchport mode trunk
ip dhcp snooping trust
!
interface TenGigabitEthernet1/51
switchport mode trunk
ip dhcp snooping trust
!
interface TenGigabitEthernet1/52
switchport access vlan 20
switchport mode access
ip dhcp snooping trust
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan20
no ip address
ip helper-address 192.168.2.1
no ip route-cache
!
interface Vlan40
no ip address
ip helper-address 192.168.4.1
no ip route-cache
!
no ip http server
no ip http secure-server
!
no cdp run
!
line con 0
stopbits 1
line vty 0 4
login
!
end

kozpont2#


11 Replies

NetworkDave (Spotlight)

Tamas86,

You want VLAN20 and VLAN40 to be isolated from each other.
Have you tried removing the inter-VLAN routing between the VLANs?

The devices that use PXE, which VLAN(s) are they in?
Which interfaces are connected to the router and server?

----------------------------------------------------------------------------------------------------

Remember to mark helpful posts and mark the correct answer as a solution; It helps other users with similar questions.

Hi NetworkDave!

The device using PXE is located in VLAN No. 40.

The closest connection of the test server (192.168.4.1) shown on the picture is connected to the interface "TenGigabitEthernet1/49" on switch L3.

This connection of the test server feeds the devices connecting to VLAN No. 40 with full network access.

This server also has an "outer" connection which is wired into the GigabitEthernet1/1 interface (into VLAN No. 20, meaning it has access to 192.168.2.1)

As far as I know the test program being tested works in such a way that it does not let any traffic through the two LANs. Thus the need for the two interfaces.

The company router is connected to switch L3 through TenGigabitEthernet1/52.

Tamas86,

Thanks for providing the requested information. From your first post, it was thought that you wanted to isolate the VLANs. It appears that the VLANs are already isolated.

What is it that you currently need help with?


We have the solution! The error is on the test server: it does not separate the traffic of the 2 VLANs, so it does not work correctly. The problem is caused by the Ubuntu-based SW running on the server. This SW has some restrictions, so any changes I make are rolled back by the server, or not applied properly.

I will contact the developer to find the error. The CISCO switch works perfectly as per the configuration, which has been tested as well. (The VLAN No. 20 side of the test server has been removed from the switch.)

Joseph W. Doherty (Hall of Fame)

Hmm, I don't see how anything gets passed between VLANs 20 and 40 now. Your L3 switch doesn't have IPs on its SVIs and you only note one (?) IP on the "company router".

BTW, it appears your L3 switch supports VRFs. If so, you could also create a test VRF and place VLAN 40 in it.
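As an added example (not code from the thread or from Cisco), the observation above can be checked mechanically: parse the posted running config and ask whether the switch itself has any Layer 3 path between the two VLANs. The config excerpt below is constructed from the posted one, trimmed to the relevant statements, and the function names are my own; the answer is "no", which is exactly why the remaining path had to be something outside the switch.

```python
import re

# Constructed excerpt of the kozpont2 running config posted in the thread, kept
# to the statements that decide whether the switch itself routes 20 <-> 40.
SAMPLE_CONFIG = """\
no ip routing
!
interface GigabitEthernet1/1
 switchport access vlan 20
 switchport mode access
!
interface TenGigabitEthernet1/49
 switchport access vlan 40
 switchport mode access
!
interface Vlan20
 no ip address
!
interface Vlan40
 no ip address
"""

def parse_config(text):
    """Return (ip_routing, svi_ips, access_ports) from IOS-style config text."""
    lines = text.splitlines()
    ip_routing = "no ip routing" not in lines        # absent line: routing is on
    svi_ips, access_ports, cur = {}, {}, None
    for line in lines:
        if line.startswith("interface "):
            cur = line.split()[1]
            if cur.startswith("Vlan"):
                svi_ips[cur] = None                   # SVI seen, no address yet
            continue
        s = line.strip()
        if cur and cur.startswith("Vlan") and s.startswith("ip address "):
            svi_ips[cur] = s.split()[2]               # "no ip address" is skipped
        elif cur and (m := re.match(r"switchport access vlan (\d+)$", s)):
            access_ports[cur] = int(m.group(1))
    return ip_routing, svi_ips, access_ports

def inter_vlan_report(text, vlan_a, vlan_b):
    """Does this switch itself forward between the two VLANs?  Only if ip routing
    is on AND both SVIs carry an address; otherwise any a<->b reachability comes
    from outside the switch (the router, or a host with a port in each VLAN)."""
    ip_routing, svi_ips, access_ports = parse_config(text)
    routes = bool(ip_routing and all(svi_ips.get(f"Vlan{v}") for v in (vlan_a, vlan_b)))
    ports = {v: sorted(p for p, pv in access_ports.items() if pv == v) for v in (vlan_a, vlan_b)}
    return {"switch_routes": routes, "svi_ips": svi_ips, "ports": ports}
```

When `switch_routes` is false but hosts in the two VLANs still reach each other, the port list per VLAN is where to look next: a host cabled into a port in each VLAN (as the test server was here) forwards between them without the switch ever seeing a routed packet.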

Hi Joseph W. Doherty!

Unfortunately, I don't have much experience in configuring Cisco devices, but so far I've managed to get everything working. I have tried to do this with the minimum configuration I can think of. Looking through several documents, this seemed to work. I will try the VRF you suggested. Could you perhaps show me an example of how to set this up?

Ah, actually you already have an example in the config you posted, i.e.:

ip vrf mgmtVrf
.
.
interface FastEthernet1
ip vrf forwarding mgmtVrf

You define a VRF and then you place interfaces in it.

You're right, I missed it.

I know I am late, but better late than never. Can you elaborate, please?

Hi MHM Cisco World!

Isolating VLAN No. 20 and No. 40 from each other did not work, although the L3 switch configuration seemed to be correct. I managed to find the error: the test server is causing the problem; the CISCO switch is working properly.

Tamas86 (Level 1)

Thanks for everything, for taking the time to look into the problem and trying to help!
