[c-nsp] Restricted specific VLAN contacting other VLANs in catalyst 3750 switch

trgapp16 trgapp16 at cdot.in
Tue Sep 27 00:18:18 EDT 2022


Thanks Garrett.

Correct, PVLAN works if the interface connecting to the internet is a layer 2 interface, which can be configured as a promiscuous port.

What if the interface connecting to the internet router is a layer 3 port with an IP address?

Thanks,

Mounika M

On Mon, 26 Sep 2022 19:33:36 -0700, Garrett via cisco-nsp wrote:

> Isn't this what PVLANs are for?
> 
> On Mon, Sep 26, 2022, at 19:23, trgapp16 via cisco-nsp wrote: 
> > Hello, 
> > 
> > We use a Cisco Catalyst 3750 switch as a small data center (DC)/core switch on which
> > nearly 200 VLANs sit, with internet connectivity through an ADSL modem/router.
> > 
> > SVIs/RVIs are defined for all these 200 VLANs on the same DC/core switch.
> > 
> > We have the following requirement: 
> > 
> > VLANs 1-190: should communicate among themselves and with the internet.
> >
> > VLAN 191 (network address 192.168.1.0/28): should not communicate with any other
> > VLAN, only with the internet.
> > 
> > To meet this requirement we used the following VACL configuration
> > (sequence 20 has no match and no action, so it forwards everything else):
> >
> > SW(config)#access-list 100 permit ip 192.168.1.0 0.0.0.15 any
> > SW(config)#vlan access-map XYZ 10
> > SW(config-access-map)#match ip address 100
> > SW(config-access-map)#action drop
> > SW(config-access-map)#vlan access-map XYZ 20
> > SW(config-access-map)#exit
> > SW(config)#vlan filter XYZ vlan-list 1-190
> > 
> > By doing this, VLANs 1-190 are not able to contact VLAN 191, but can still reach
> > the internet and each other (VLANs 1-190).
> > 
> > Hosts in VLAN 191 are not able to contact the hosts in VLANs 1-190 (this is
> > also fine), but hosts in VLAN 191 are contacting the SVIs/gateways of
> > VLANs 1-190.
> > 
> > Is there anything wrong in my VACL configuration or the sequence of ACLs?
> > 
> > Any help is greatly appreciated. 
> > 
> > Thanks in advance,
> > 
> > Mounika M 
> > 
> > _______________________________________________ 
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > https://puck.nether.net/mailman/listinfo/cisco-nsp 
> > archive at http://puck.nether.net/pipermail/cisco-nsp/ 
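A small Python model of where the VACL in the original question is evaluated, added here as an illustration (it is neither Cisco code nor from the thread). It assumes that a VACL sees packets bridged within a filtered VLAN or routed into one, while a packet addressed to an SVI terminates on the switch and never enters another VLAN; the VLAN 5 prefix 10.5.0.0/24 and both SVI addresses are constructed, and VLAN 5 stands in for any of VLANs 1-190.

```python
import ipaddress

# Constructed topology: VLAN -> (subnet, SVI address). VLAN 5 stands in for
# any of VLANs 1-190; 192.168.1.0/28 is the VLAN 191 prefix from the thread.
VLANS = {
    5: (ipaddress.ip_network("10.5.0.0/24"), ipaddress.ip_address("10.5.0.1")),
    191: (ipaddress.ip_network("192.168.1.0/28"), ipaddress.ip_address("192.168.1.1")),
}
SVI_ADDRESSES = {svi for _, svi in VLANS.values()}

# access-list 100 permit ip 192.168.1.0 0.0.0.15 any  (the access-map's drop match)
BLOCKED_SRC = ipaddress.ip_network("192.168.1.0/28")
# vlan filter XYZ vlan-list 1-190
FILTERED_VLANS = set(range(1, 191))

def vacl_action(vlan, src):
    """Access-map XYZ: sequence 10 drops sources matching ACL 100, 20 forwards the rest."""
    if vlan in FILTERED_VLANS and src in BLOCKED_SRC:
        return "drop"
    return "forward"

def vlan_of(addr):
    for vlan, (net, _) in VLANS.items():
        if addr in net:
            return vlan
    raise ValueError(f"no VLAN for {addr}")

def trace(src, dst):
    """Stages a packet passes on the switch, as (stage, result) pairs.
    Assumed model: the VACL is checked when a packet is bridged within a filtered
    VLAN or routed into one; a packet addressed to an SVI terminates on the switch
    itself, so no other VLAN's VACL ever sees it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_vlan = vlan_of(src)
    path = [(f"bridged in vlan {in_vlan}", vacl_action(in_vlan, src))]
    if path[-1][1] == "drop":
        return path
    if dst in SVI_ADDRESSES:
        path.append(("terminated on SVI", "delivered"))
        return path
    out_vlan = vlan_of(dst)
    path.append((f"routed into vlan {out_vlan}", vacl_action(out_vlan, src)))
    if path[-1][1] == "forward":
        path.append((f"host in vlan {out_vlan}", "delivered"))
    return path

def reaches(src, dst):
    return trace(src, dst)[-1][1] == "delivered"
```

Under this model a VLAN 191 host's packet to a VLAN 5 host is dropped on entry to VLAN 5, but the same host's packet to the VLAN 5 SVI address is delivered because it never enters VLAN 5, which is exactly the symptom reported.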
