Scenario:
Internet <—-> Hardware firewall/router <—-> Cisco Catalyst 3560 switch (2 VLANs)
What is the best way to restrict traffic between servers within the same VLAN? Can I create ACL's on our switch for this?
Any advice would be appreciated.
Cisco – Restrict traffic between servers on same VLAN
cisconetworking
Related Solutions
Pardon, in your cut and pasted configs, you appear to be describing Gi0/48 - your uplink to your router, but in your question refer specifically to hosts connected to Gi0/18. I'm going to assume you're describing two different ports here. Further, I'm assuming from details in your config statements and question, that vlan 3 is being used for the 192.168.0.80/28 traffic. I'm going to assume that the vlan has already been declared on your 3560. (Check sh vlan)
First of all, your port Gi0/18 should be configured for access mode on vlan 3. Likely, something like this:
interface GigabitEthernet 0/18
switchport access vlan 3
switchport mode access
As far as for other recommendations. Will all/most of your traffic from your IP subnets be to and from the internet. Basically, If you have enough traffic between subnets, it may suit you to have the 3560 act as your internal router and then dedicate your 3825 to be your border router. The problem is that if your router is baring the entire load for all routing, then a packet from one subnet will arrive at your switch, then be forwarded via the dot1q to your trunk on some vlan X, the router then makes a routing decision and sends the same packet back along the dot1q trunk on some new vlan Y now destined for the destination machine. Btw, I'm simply describing the situation of internal traffic to your customers/organization that crosses your different subnets.
Instead, you can configure the 3560 at the, assuming normal conventions, first address of each vlan/subnet. E.g. 192.168.0.81 and enable ip routing. The next step is you create a new subnet specifically for between the router and switch. For convenience, i'd use something completely different, for example, 192.0.2.0/24 is reserved for documentation examples. Configure the router at 192.0.2.1 and the switch at 192.0.2.2. Have the switch use 192.0.2.1 as the default route. Configure the router to reach 192.168.0.0/16 via the switch at 192.0.2.2. If your network is small enough, static routes should be sufficient. No need for OSPF or anything.
Of course, this would be a rather dramatic change; but it has potential for being a large improvement. It all depends on the nature of your traffic.
For reference, cisco lists the Cisco Catalyst 3560G-48TS and Catalyst 3560G-48PS having a 38.7 Mpps forwarding rate and the Cisco 3825 as having 0.35Mpps forwarding rate. Mpps, just in case you don't know, is millions of packets per second.
It's not bandwidth, but it's how many 64 byte packet routing decisions the device can make a second. The length of the packet doesn't affect how long it takes to making a routing decision. So the peak performance in bits/bytes will be somewhere in a range. In terms of bandwidth, it means that 350kpps is 180Mbps w/ 64byte packets and 4.2Gbps w/ 1500 byte packets. Mind you, that's in bits per second, so think of it as 18 Megabytes or 420 Megabytes per second in regular file-size terms.
In theory, this means that your 3560G can route somewhere between 19.8Gbps and 464Gbps or rougly 2GBps and 45GBps.
Actually, looking at those numbers, you most definitely should consider the plan I described above. Dedicate your 3825 to handling, presumably, NAT'd external traffic and let your 3560 handle the rest.
I'm sorry this is so long; I'm bored at work waiting for tapes to finish. Cheers.
Once you've identified your exact requirements above:
Each VLAN needs to be created before traffic will pass:
Switch(config)# vlan [number]
Switch(config-vlan)# name [name]
For each trunk (>1 vlan) port, config as follows. Let's say 1000 is native (untagged) VLAN and 2000-2100 and 3000 are carried:
Switch(config)# int gi0/1
Switch(config-interface)# switchport mode trunk
Switch(config-interface)# switchport trunk allowed vlan 1000,2000-2100,3000
Switch(config-interface)# switchport trunk native vlan 1000
For each access (1 vlan, untagged) port, config as follows:
Switch(config)# int gi0/2
Switch(config-interface)# switchport mode access
Switch(config-interface)# switchport access vlan 1000
You can also specify and interface range: Switch(config)# int range gi0/1 - 10, gi1/1
And shorten commands if the keywords are still unique: Switch(config-interface)# sw tr na vl 1000
Best Answer
With private vlans (pvlans) you can prevent hosts talking to each other even if they're in the same VLAN. There are extensive docs in the Cisco website :-)