Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
738
Views
1
Helpful
7
Replies

How can I isolate an inside network

dbuckley77
Level 1
Level 1

‎03-13-2023 06:40 AM

I am trying to create an inside network that will be isolated from all of our other inside networks.  Basically we have 2960X access layer switches doing layer two that connect to a 6807-XL core switch doing all our layer 3 stuff with VSS.  We need to create a new vlanned network that will be able to go from one access switch through our 6807 core to other access layer switches without being added to the routing table so that none of the other side networks on our switching network will be able to talk to this network and vice versa.  What is the best way to do this?  Also need a DHCP server to live on this network what would be the best recomendations for that?

0 Helpful
7 Replies 7

MHM Cisco World
VIP
VIP

‎03-13-2023 07:05 AM

without being added to the routing table <<- this will solve via NATing 
but to be honest I dont fully get your Q here ? 

0 Helpful

dbuckley77
Level 1
Level 1
In response to MHM Cisco World

‎03-13-2023 07:25 AM - edited ‎03-13-2023 07:28 AM

Sorry if my post was not clear.  We have a bunch of inside networks that are behind our firewall where the layer 3 gateway lives on our 6807 switch which is running vss and then gets passed off to layer 2 via our 2960X access layers switches.   Normally anytime I would add a new network I would create a new vlan for it and configure the vlan interface to be the layer 3 gateway on our core switch.  The new network would be added to the routing table as a directly connected network  and be accessible by all of the other inside networks in the routing table.  I would like to create a new network that traverses the same switches our other networks do but is not routable to/from our other networks.  We only want clients on this new network to see other.  WE want to completely isolate this network. It's not something I have ever done before but it seems like there'd be a fairly easy way to accomplish this.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to dbuckley77

‎03-13-2023 07:51 AM

VRF(-lite).

0 Helpful

dbuckley77
Level 1
Level 1
In response to Joseph W. Doherty

‎03-13-2023 09:51 AM

I am not familiar with vrf lite.  IS there a document you could reference?

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to dbuckley77

‎03-13-2023 02:59 PM

Have you tried searching Cisco's main site for, without quotes, "vrf-lite"?

Should find lots of documentation, of many types, even including some videos.

0 Helpful

mlund
Level 7
Level 7

‎03-15-2023 08:00 AM

If this is totally local, and just one vlan, then add the vlan (L2), but do not add interface vlan (L3). If more than one vlan, then @Joseph W. Doherty has give you the correct way to go.

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to mlund

‎03-15-2023 08:46 AM

@mlund makes an excellent suggestion.  If the to be added VLAN, will all just be one L2 broadcast domain, and needs no routing, at all, you can pass along that VLAN, as just another VLAN.  Without any L3 interfaces, this VLAN would be totally isolated.

Regarding supporting DHCP, such a service would need a "foot", i.e. presence, in the same L2 broadcast domain. In other words, your DHCP would need a NIC and host IP address, L2 broadcast domain (which is what DHCP expects unless we get into DHCP relays).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card