Isolating a single VLAN from the VTP domain

drumrb0y
Level 1

I have a single VTP domain with over 30 VLANs; I was asked to isolate an unused VLAN from all VTP L3 switching in the core switch (a 6500) for MS Active Directory domain testing that cannot interfere with the production domain.

I'd like to verify whether removing the IP address from the VLAN is all that is necessary to isolate the subnet from L3 switching between VLANs...

Also, with this isolation, will the VLAN still have Internet access via the default route in the 6500, and will VPN clients who login still be able to reach this VLAN?

I need to retain Internet and VPN Client access to this subnet, but otherwise keep it logically severed from the other VLANs.

Advice?

Thanks in advance,

Marc

2 Replies

sstudsdahl
Level 4

Marc,

If you remove the IP address from the VLAN interface, it will isolate that VLAN from other VLANs from a layer 3 perspective. Doing this will not permit any IP communication to occur to this subnet. Based upon your requirement to retain Internet and VPN access to the subnet, you will not be able to remove the IP address from the VLAN interface.

With your requirements to still retain some measure of connectivity to this subnet, your best option will be to implement an ACL that restricts that access to subnets you do not want it to communicate with. The ACL, in general terms, will have entries similar to the example below.

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

In this example, I am using the 192.168.1.0/24 subnet as the isolated subnet, 192.168.2.0/24 as the subnet assigned to your VPN clients, and 172.16.0.0/16 as your internal network. The first line above allows the subnet that you are isolating to talk to the IP addresses that are assigned to your VPN clients. The second line will deny the isolated VLAN from communicating to any of your internal IP address space, and the third line will allow the isolated subnet to communicate to the Internet.

Steve
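The three ACL lines above are evaluated top to bottom, first match wins, and anything that matches no line hits the implicit deny at the end. The following is an added example, not code from this thread: a small Python model of Cisco extended-ACL matching (wildcard masks, `any`, `host`, first-match, implicit deny) run over a handful of constructed flows. The 192.168.1.0/24, 192.168.2.0/24 and 172.16.0.0/16 ranges are the ones Steve used; every individual host address, the 203.0.113.7 "Internet" destination and the 10.0.0.5 destination are hypothetical values chosen only to exercise each line.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three ACL lines from the reply above, verbatim.
ACL_TEXT = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into a network.

    A wildcard is an inverted mask: 0 bits must match, 1 bits are
    don't-care. Only contiguous wildcards (plain prefixes) are handled;
    ipaddress raises ValueError for a non-contiguous mask.
    """
    mask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    mask = str(ipaddress.IPv4Address(mask_int))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _parse_address(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address field starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines, preserving order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action = tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        src, i = _parse_address(tok, 4)
        dst, _ = _parse_address(tok, i)
        entries.append(AclEntry(action, src, dst))
    return entries


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls to the implicit deny (line None)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for lineno, entry in enumerate(acl, start=1):
        if s in entry.src and d in entry.dst:
            return entry.action, lineno
    return "deny", None


# Constructed flows; all host addresses are hypothetical.
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.2.5"),    # isolated host -> VPN client
    ("192.168.1.10", "172.16.10.20"),   # isolated host -> internal server
    ("192.168.1.10", "203.0.113.7"),    # isolated host -> Internet
    ("192.168.1.10", "10.0.0.5"),       # isolated host -> internal space the deny line does not cover
    ("172.16.10.20", "192.168.1.10"),   # internal host -> isolated host (no entry matches)
]


def run_demo() -> dict:
    """Evaluate every sample flow; returns {(src, dst): (action, matched line)}."""
    acl = parse_acl(ACL_TEXT)
    return {flow: evaluate(acl, *flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for (src, dst), (action, line) in run_demo().items():
        where = f"line {line}" if line else "implicit deny"
        print(f"{src:>14} -> {dst:<14} {action:6} ({where})")
```

Two things the model makes visible that are easy to miss when reading the ACL. First, the deny line only covers 172.16.0.0/16: the fourth flow, to 10.0.0.5, is permitted by the catch-all third line, so every internal range has to be listed explicitly (or the ACL written as permit-listed exceptions followed by `deny ip 192.168.1.0 0.0.0.255 any`, in the spirit of the default-deny policy the next reply recommends). Second, the ACL only matches packets sourced from 192.168.1.0/24, so it is meant to be applied in the inbound direction on that VLAN's SVI (`ip access-group 100 in` under the `interface Vlan` stanza); traffic entering from other VLANs is not evaluated by it at all, which is why the fifth flow hits the implicit deny in this model but would be unaffected on the switch. Entry order also matters: the permit for the VPN pool must precede the deny, which is only safe because 192.168.2.0/24 lies outside 172.16.0.0/16.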

TerheunJ
Level 1

Greetings,

First, if you disable the SVI on the 'test' VLAN, then all interaction between this VLAN and other VLANs, or the outside world, is effectively disabled.

If you're going to have VPN access, you're going to need the SVI interface active.

There are a number of scenarios for separating your domains. I would create this test domain in a new forest. This will keep your 'live' AD servers from interacting. Your VPN access will depend on what infrastructure you are going to deploy to support this new 'test' domain. Using access lists to only allow defined traffic and excluding everything else (by default) would be a nice safe policy.

Cheers,

J Terheun
