
How do I create a separate network segment using a L3 Switch

TickSoft asked (1,907 views; last modified 2010-04-21):
Hello Experts,

So ideally I need to separate my network into two segments so that they cannot see each other. I thought I could do this with VLANs.
VLAN1 I want to keep as VLAN1; many servers and computers are here and I don't want to have to reconfigure them to another VLAN.
VLAN10 I want for personal computers only.
VLAN20 is spare, hopefully not relevant.

Is there a way to block a group of specified ports from seeing each other while they can still access the internet?


I have a Cisco PIX 515e -
Interface 1 Internal = 10.230.78.1
VLAN10 = 172.16.1.1
VLAN20 = 192.168.0.1
Interface 2 Outside = 192.168.1.1
I have one Dell PowerConnect 6248 -
My config is very short, as I've tried several different methods and failed at all of them.
---------------------------------------------------------------------------
!Current Configuration:
!System Description "Dell 48 Port Gigabit Ethernet, 2.1.0.13, VxWorks5.5.1"
!System Software Version 2.1.0.13
!
configure
vlan database
vlan  10,20
exit
stack
member 1 2
exit
ip address 10.230.78.5 255.255.255.0
ip default-gateway 10.230.78.1
ip routing
interface vlan 10
routing
ip address  172.16.1.0  255.255.255.0
exit
interface vlan 20
routing
ip address  192.168.0.0  255.255.255.0
exit
no spanning-tree
!
interface ethernet 1/g1
description 'PIX'
exit
!
interface ethernet 1/g11
description 'Laptop'
exit
!
interface ethernet 1/g13
description 'Server'
exit
exit
---------------------------------------------------------------------------


If there is any other information that I can provide, please let me know... This is sort of a crash course in learning all this.

You would need to do this at the switch level. What type of switch are you using?

Author commented:
Its a Dell Switch - 6248 PowerConnect.

I'm having a difficult time finding the right configuration to do this at the Switch.  Has anyone had experience with this type of switch configuration?
Sirius0815 commented:

What you need is called "private VLANs".

I'm not familiar with it on Dell, only with Cisco devices.

---->

Private VLAN implements three modes:
- Isolated: ports configured as Isolated can communicate only with a Promiscuous port
- Community: ports configured as Community can communicate with other ports in the same community and with Promiscuous ports
- Promiscuous: ports configured as Promiscuous can communicate with both the Isolated and Community ports

But maybe this article can help you:

http://www.dell.com/downloads/global/products/pwcnt/en/howto_config_private_vlans.pdf

Author commented:
Sirius0815,

Thank you for your input, although I was not successful with L2 functions on an L3 switch.

I received errors when trying to follow the directions, such as:
---------------------------------------------------------------------------
console(config-if-vlan1)#ip address 10.230.78.0 /24                                                  
ERROR: Routing is not allowed on the Management VLAN.

console(config-if-vlan10)#private-vlan primary
                                           ^
% Invalid input detected at '^' marker.
---------------------------------------------------------------------------

In case the '^' isn't aligned properly: "private-vlan primary" doesn't exist.

Again, thank you for your time and input.

rtsai123 commented:

Try this configuration:

configure
vlan database
vlan  5,10,20
exit
hostname "corprouter"
stack
member 1 2
exit
! management address on VLAN 1; default route points at the PIX
ip address 10.230.78.5 255.255.255.0
ip routing
ip route 0.0.0.0 0.0.0.0 10.230.78.1
! VLAN 5: PIX and servers
interface vlan 5
routing
ip address  10.230.78.2  255.255.255.0
ip vrrp 2
ip vrrp 2 mode
ip vrrp 2 ip 10.230.78.2
exit
! VLAN 10: personal computers; the switch is the gateway for 172.16.1.0/24
interface vlan 10
routing
ip address  172.16.1.1  255.255.255.0
ip vrrp 10
ip vrrp 10 mode
ip vrrp 10 ip 172.16.1.1
exit
! VLAN 20: spare
interface vlan 20
routing
ip address  192.168.0.1  255.255.255.0
ip vrrp 20
ip vrrp 20 mode
ip vrrp 20 ip 192.168.0.1
exit
!
! enable VRRP globally
ip vrrp
!
interface ethernet 1/g1
description 'pix'
spanning-tree portfast
switchport access vlan 5
exit
interface ethernet 1/g11
description 'laptop'
spanning-tree portfast
switchport access vlan 10
exit
interface ethernet 1/g13
description 'servers'
spanning-tree portfast
switchport access vlan 5
exit

Author commented:

I found another configuration that works really well. rtsai123, I haven't tried your configuration yet, and I appreciate your input.

This configuration is called a one-armed router, or router on a stick.
http://en.wikipedia.org/wiki/One-armed_router



!Current Configuration:
!System Description "Dell 48 Port Gigabit Ethernet, 2.1.0.13, VxWorks5.5.1"
!System Software Version 2.1.0.13
!
configure
vlan database
vlan  10,20
exit
stack
member 1 2
exit
! switch management address only; there is no "ip routing", so the PIX does all routing
ip address 10.230.10.2 255.255.255.0
ip default-gateway 10.230.10.1
interface vlan 10
routing
name "VLAN10"
exit
interface vlan 20
name "VLAN20"
exit
spanning-tree bpdu-protection
!
! link to the PIX: VLAN 10 is carried tagged, VLAN 1 untagged (port PVID stays 1)
interface ethernet 1/g1
description 'PIX'
spanning-tree portfast
spanning-tree root-protection
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10 tagged
exit
!
! segment ports: VLAN 10 / VLAN 20 are added tagged only, so hosts here must tag
! their own frames; untagged frames land in the port PVID, which general mode
! leaves at 1 unless "switchport general pvid <vlan>" is set
interface ethernet 1/g6
description 'Segment1'
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general ingress-filtering disable
switchport general allowed vlan add 10 tagged
exit
!
interface ethernet 1/g7
description 'Segment2'
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general ingress-filtering disable
switchport general allowed vlan add 20 tagged
exit
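
The two designs in this thread, the L3-switch one from rtsai123 and the router-on-a-stick one the author settled on, differ in what the switch itself will forward between. The script below is an added example, not code posted by anyone in the thread: it parses the kind of PowerConnect running config shown above and reports whether two untagged hosts can reach each other through the switch alone, either at L2 (same VLAN) or because the switch routes between their VLANs with no ACL bound to either SVI. The parser is a hypothetical one written for this example and understands only the commands used in the thread; the embedded configs are constructed from the two posts and trimmed to the lines that matter; the PIX's own routing and policy are outside the model.

```python
"""Added example, not from the thread: a small audit of which VLANs a switch
forwards between, run over the two designs posted above (trimmed to the lines
that matter). The PIX's own routing and policy are outside the model, and the
parser is a hypothetical one that knows only the commands this thread uses."""
import re
from itertools import combinations

# Design 1, constructed from rtsai123's post: the switch routes VLANs 5 and 10.
CONFIG_L3_SWITCH = """
ip routing
interface vlan 5
routing
ip address 10.230.78.2 255.255.255.0
exit
interface vlan 10
routing
ip address 172.16.1.1 255.255.255.0
exit
interface ethernet 1/g11
switchport access vlan 10
exit
interface ethernet 1/g13
switchport access vlan 5
exit
"""

# Design 2, constructed from the author's final post: router on a stick, the PIX
# routes over tagged VLANs and the switch has no 'ip routing'.
CONFIG_ROAS = """
interface ethernet 1/g6
switchport mode general
switchport general allowed vlan add 10 tagged
exit
interface ethernet 1/g7
switchport mode general
switchport general allowed vlan add 20 tagged
exit
"""

def parse_config(text):
    """Model: ip_routing flag, SVIs {vlan: routing/ip/acl}, ports {name: vlans/pvid}."""
    model = {"ip_routing": False, "svis": {}, "ports": {}}
    ctx = None  # CLI context: None (global), ("vlan", id) or ("port", name)
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "exit":
            ctx = None
        elif m := re.fullmatch(r"interface vlan (\d+)", line):
            ctx = ("vlan", int(m.group(1)))
            model["svis"].setdefault(ctx[1], {"routing": False, "ip": None, "acl": None})
        elif m := re.fullmatch(r"interface ethernet (\S+)", line):
            ctx = ("port", m.group(1))  # PowerConnect default: member of VLAN 1, PVID 1
            model["ports"].setdefault(ctx[1], {"vlans": {1}, "pvid": 1})
        elif ctx is None:
            model["ip_routing"] |= line == "ip routing"
        elif ctx[0] == "vlan":
            svi, w = model["svis"][ctx[1]], line.split()
            if line == "routing":
                svi["routing"] = True
            elif w[:2] == ["ip", "address"]:
                svi["ip"] = w[2]
            elif w[:2] == ["ip", "access-group"]:  # an ACL bound to the SVI
                svi["acl"] = w[2]
        else:
            port, w = model["ports"][ctx[1]], line.split()
            if w[:3] == ["switchport", "access", "vlan"]:
                port["vlans"], port["pvid"] = {int(w[3])}, int(w[3])
            elif w[:5] == ["switchport", "general", "allowed", "vlan", "add"]:
                port["vlans"].add(int(w[5]))
            elif w[:3] == ["switchport", "general", "pvid"]:
                port["pvid"] = int(w[3])
    return model

def routed_pairs(model):
    """VLAN pairs the switch itself routes between with no ACL on either SVI:
    needs global 'ip routing' plus 'routing' and an address on both SVIs."""
    if not model["ip_routing"]:
        return set()
    live = sorted(v for v, s in model["svis"].items() if s["routing"] and s["ip"])
    return {(a, b) for a, b in combinations(live, 2)
            if not (model["svis"][a]["acl"] or model["svis"][b]["acl"])}

def untagged_vlan(model, port):
    """VLAN an ordinary, untagged host on this port lands in: the PVID. In general
    mode that stays 1 unless 'switchport general pvid' is set, whatever was added tagged."""
    return model["ports"][port]["pvid"]

def can_reach(model, src, dst):
    """Untagged host on src reaches one on dst via this switch alone: same VLAN or routed pair."""
    a, b = untagged_vlan(model, src), untagged_vlan(model, dst)
    return a == b or (min(a, b), max(a, b)) in routed_pairs(model)

if __name__ == "__main__":
    l3, roas = parse_config(CONFIG_L3_SWITCH), parse_config(CONFIG_ROAS)
    print("L3 design routes between:", sorted(routed_pairs(l3)))            # [(5, 10)]
    print("laptop 1/g11 -> server 1/g13:", can_reach(l3, "1/g11", "1/g13"))  # True
    print("Segment1 -> Segment2 untagged:", can_reach(roas, "1/g6", "1/g7"))  # True: both in PVID 1
    pvids = "interface ethernet 1/g6\nswitchport general pvid 10\nexit\ninterface ethernet 1/g7\nswitchport general pvid 20\nexit\n"
    print("same with PVIDs set:", can_reach(parse_config(CONFIG_ROAS + pvids), "1/g6", "1/g7"))  # False
```

With the L3-switch design the script reports that VLANs 5 and 10 are routed with nothing in between, so the laptop reaches the servers; an `ip access-group` bound to the VLAN 10 SVI is what the model (and the switch) needs before that pair counts as separated. With the router-on-a-stick design the switch routes nothing itself, but the same check shows that untagged hosts on 1/g6 and 1/g7 both land in VLAN 1 until a PVID is set on each port.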

Author commented:

Thanks again. Though I did not test out your configuration and have never tried VRRP, I'm very interested in what it is now and will do some more research; my test is completed now, though, and I must continue to the main project, as we are on a time crunch.

Thanks again!