Configuration assistance please

NormMuelleman
Level 1

I am probably waaay overthinking this issue. That, or it being 3:15 am could be the problem.

We run SCCM to patch devices. SCCM server is on the server farm. There is a switch connecting the server farm devices to the core switch.

From the core, there are several distro switches. D1 feeds several access switches, one of which is our lab where we configure new devices onto the network. They are connected to switch A1.

We want the devices to be able to connect to the SCCM server to obtain the latest patches, etc. But we don't want the devices to actually hit the network and out to the internet prior to patching.

We used to have the patch server in the same room as the config lab. We had them in one vlan, and life was good. The server is now in another bldg.

I was thinking of PVLANS to accomplish this, but PVLANs are local to one switch. So I'm thinking an ACL would be used to permit the devices on A1 to only be allowed to get to the SCCM server.

Or, I was thinking of creating a separate vlan, say vlan 123. Make vlan 123 an SVI. We don't use VTP (it's transparent), so I'd put vlan 123 on the core, D1, and A1. But then the server is already in its own vlan. So inter-vlan routing occurs on the core, so they should connect, right?

I gotta quit doing this in the middle of the night... but any suggestions would be greatly appreciated.

2 Replies

cadet alain
VIP Alumni

Hi,

"We want the devices to be able to connect to the SCCM server to obtain the latest patches, etc. But we don't want the devices to actually hit the network and out to the internet prior to patching."

I think the only way to achieve this is by using NAC.

Regards.

Alain

Don't forget to rate helpful posts.


Hi Norm,

I think for what you want to do, ACLs would do the trick. So the servers getting the patches should be segmented from the SCCM server. Then wherever you do the inter-vlan routing you can create your ACLs to allow only updates from the SCCM server and not your internet breakout. But this is also a good measure to lock down services accessing the net from the servers.

PVLANs would be good if you want to segment the servers from the internal network and each other.

HTH

Daniel Cisco Swart
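As an added example (not posted by anyone in this thread), here is what the "separate VLAN 123 plus ACL on the SVI" approach from Norm's post and Daniel's reply looks like in Cisco IOS configuration. All addresses, interface names and the SCCM port list are assumptions for illustration; in particular verify the ports your SCCM clients actually use before deploying.

```cisco
! Core switch (does the inter-VLAN routing): define VLAN 123 and its SVI,
! and apply an inbound ACL on the SVI so unpatched lab hosts can reach only
! the SCCM server (plus DHCP/DNS so they can get an address and resolve it).
! Placeholder addressing: lab subnet 10.10.123.0/24, SCCM server 10.10.50.20,
! DHCP/DNS server 10.10.50.10.
vlan 123
 name LAB-STAGING
!
ip access-list extended LAB-STAGING-IN
 remark --- DHCP: let new devices obtain an address (relayed via ip helper)
 permit udp any eq bootpc any eq bootps
 remark --- DNS: internal resolver only, so clients can find the SCCM server by name
 permit udp 10.10.123.0 0.0.0.255 host 10.10.50.10 eq domain
 remark --- SCCM client traffic (assumed ports: HTTP/HTTPS to MP/DP, SMB to DP)
 permit tcp 10.10.123.0 0.0.0.255 host 10.10.50.20 eq 80
 permit tcp 10.10.123.0 0.0.0.255 host 10.10.50.20 eq 443
 permit tcp 10.10.123.0 0.0.0.255 host 10.10.50.20 eq 445
 remark --- everything else (rest of the LAN, internet breakout) is dropped and logged
 deny   ip any any log
!
interface Vlan123
 description Lab staging - SCCM only until patched
 ip address 10.10.123.1 255.255.255.0
 ip helper-address 10.10.50.10
 ip access-group LAB-STAGING-IN in
!
! VTP is transparent, so VLAN 123 must be created on the core, D1 and A1
! and allowed on each trunk along the path core -> D1 -> A1 (placeholder port).
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan add 123
!
! Access switch A1: the lab ports where new devices are staged (placeholder range).
interface range GigabitEthernet1/0/10 - 20
 switchport mode access
 switchport access vlan 123
```

Return traffic from the SCCM server enters the core on its own VLAN, so only the inbound direction on Vlan123 needs filtering; the `log` keyword on the final deny gives a quick way to see what an unpatched device tried to reach.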