06-29-2017 10:29 PM
I already have 4 VLANs configured in the ICX-7750. Now I want to create a new VLAN on the ICX-7750 and want that VLAN to not communicate with any other VLAN. The purpose of creating this VLAN is to segregate the backup network in our datacenter.
So how can I achieve this? Do I need to create an ACL for isolating the new VLAN from the rest of the traffic?
06-30-2017 05:45 AM
SSH@SWITCHNAME(config)#vlan 1234 name Backup by port
SSH@SWITCHNAME(config-vlan-1234)#untagged ethe x/x/x to x/x/x
Unless you want to trunk it with 802.1Q, then use "tagged".
Do NOT create the "router ve 1234" interface if you want it private. Your VLAN is now unreachable by others. If you set up routing, then the VLAN tags get stripped off to route the packet and a new Layer-2 frame gets put on... No privacy doing that.
If you are using the Multi-Layer firmware and make the SVI, and configure it as a directly connected network, then the ICX-7750 will route for its directly connected networks. Of course, you could then statically let other devices know where to find the network(s) the ICX-7750 has, or set up dynamic routing protocols such as OSPF to redistribute it.
Regardless, at this point you can control traffic to/from the VLAN with access lists.
Here is how:
On a device with host 10.1.2.3, you can stop that traffic from going out. You could do it on IP. You could flip the direction to "in" instead of "out".... You can use the keyword "any" to describe everything, etc.
ip access-list extended STOP
deny tcp host 10.1.2.3 eq 8530 10.34.0.0 0.0.255.255
permit ip any any
interface ve 1234
ip access-group STOP out
There is an implicit deny, so if you just permit things, whatever you permit gets through and everything else gets denied by default. The above should get the job done.
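As an added illustration (not part of the post above), here is a small Python model of how extended ACL entries of this form are matched: first match wins, "host"/"any"/wildcard-mask address specs, "eq" ports, and the implicit deny at the end. It loads the STOP list exactly as posted, which shows it only drops one host's port-8530 flows toward 10.34/16, and a constructed isolation list for ve 1234; the backup subnet 10.99.0.0/24 and jump host 10.50.0.10 are assumptions.

```python
import ipaddress
from collections import namedtuple
# One ACL entry; src/dst are "NETWORK WILDCARD", sport/dport are "eq N" ports (None = any).
Rule = namedtuple("Rule", "action proto src dst sport dport")

def _parse_addr(tok):
    """Consume one CLI address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0 255.255.255.255"
    if t == "host":
        return tok.pop(0) + " 0.0.0.0"
    return t + " " + tok.pop(0)

def _parse_port(tok):  # optional 'eq N' after an address spec
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse_rule(line):
    """Parse one 'permit|deny PROTO SRC [eq N] DST [eq N]' entry as typed on the ICX."""
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _parse_addr(tok), _parse_port(tok)
    dst, dport = _parse_addr(tok), _parse_port(tok)
    return Rule(action, proto, src, dst, sport, dport)

def _match_addr(spec, addr):
    """Wildcard-mask match: 0 bits in the mask must match, 1 bits are don't-care."""
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    return ((net ^ int(ipaddress.IPv4Address(addr))) & (0xFFFFFFFF ^ wild)) == 0

def evaluate(acl, pkt):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for r in acl:
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if not (_match_addr(r.src, pkt["src"]) and _match_addr(r.dst, pkt["dst"])):
            continue
        if r.sport not in (None, pkt.get("sport")) or r.dport not in (None, pkt.get("dport")):
            continue
        return r.action
    return "deny"

# The STOP list exactly as posted above: it only drops TCP from 10.1.2.3:8530 toward 10.34/16.
STOP = [parse_rule(l) for l in ("deny tcp host 10.1.2.3 eq 8530 10.34.0.0 0.0.255.255",
                                "permit ip any any")]
# Constructed isolation list for ve 1234 (assumed backup subnet 10.99.0.0/24, assumed jump
# host 10.50.0.10): only SSH to the jump host is permitted; everything else is implicitly denied.
BACKUP_ISOLATE = [parse_rule("permit tcp 10.99.0.0 0.0.0.255 host 10.50.0.10 eq 22")]
```

The model only covers routed packets, which is what an ACL on a VE sees; traffic switched within the VLAN never passes the VE, so without a "router ve" there is nothing for the list to act on in the first place.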