03-17-2015 11:09 AM - edited 03-07-2019 11:08 PM
I have a lab in a remote location, which is, as of now, accessible via a console router. I want to connect this to the production network, so that I am able to access it without the console router. The physical setup would be like:
Core --- Distribution ---- AccessSwitch---TestLAB (couple of switch connected to each other)
My concern: if I play in my test lab, there are chances that the broadcasts and STP floods might cripple my production network.
Please suggest what precautions I should take.
03-17-2015 11:20 AM
I did a similar thing a while back and I used a firewall to connect to the lab.
So the outside interface of the firewall faced the lab and the inside faced production.
I used a completely different private IP range for the lab and because I didn't want those IPs in the production routing tables I used NAT on the firewall to translate the lab IPs into a spare IP subnet available in production.
You should definitely look to isolate your lab so that any mistakes are not passed to production.
I wouldn't connect the lab to production with a L2 link because of STP, VTP etc. If you can't go the whole way of a firewall then you should look to use a L3 link if your lab switch supports it.
In addition using a separate VRF for your lab environment would be a good idea so any mistakes if you are playing around with the routing etc. does not affect the global production routing tables.
Jon
03-19-2015 11:54 PM
Would BPDU filters help here? Can I completely block the exchange of STP packets between two switches?
03-20-2015 04:28 AM
Blocking the exchange of STP packets will do nothing to protect your production network from any issues you have in the lab.
I wouldn't use a L2 connection to connect a test lab up, too many things can go wrong.
Like I say, at a minimum I would use a L3 link.
What you want is an environment where, if you get it all wrong, the worst thing you have to do is go and reboot your lab devices, not explain to your boss why the production network is down.
It's up to you in the end though.
Jon
03-20-2015 10:36 AM
I did this a while back with an OOOOOLLLLLLDDDD router. 2600 or something like that. I just gave the interface pointing to corporate an IP from production, then my own totally different private range on the other Ethernet interface. Then I did a port forward to a PC for TCP 3389. No dynamic NAT from the test LAN to production. When I needed to test, I just RDP to the PC in the lab, and do whatever I needed to from the remote session. And don't route corporate to lab, and nothing the other way either. Otherwise you can use a firewall like Jon suggested.
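Jon's L3/no-L2-link advice and the 2600 port-forward design above, written out as an IOS configuration. This is an added example, not a config posted by either of them; the interface names and the addresses 192.0.2.0/24 (production), 10.250.0.0/24 (lab) and 10.250.0.10 (lab jump PC) are assumed.

```cisco
! Added example, not from the thread: a small router between production and
! the lab, built on the L3 / NAT pattern the replies describe.
! Assumed addressing: production 192.0.2.0/24 (router .10, spare host .20 used
! as the NAT address); lab 10.250.0.0/24; lab jump PC 10.250.0.10.
!
interface GigabitEthernet0/0
 description Routed uplink to the production access switch (no L2 trunk, no STP/VTP)
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
 ip access-group PROD-TO-LAB in
 no cdp enable
!
interface GigabitEthernet0/1
 description Lab side - separate private range that production never learns
 ip address 10.250.0.1 255.255.255.0
 ip nat inside
 ip access-group LAB-TO-PROD in
 no cdp enable
!
! The only translation: inbound RDP to the jump PC. There is deliberately no
! "ip nat inside source list ... overload" line, so lab hosts have no dynamic
! NAT and cannot open sessions toward production.
ip nat inside source static tcp 10.250.0.10 3389 192.0.2.20 3389
!
! Inbound on the production side the ACL sees the pre-NAT address 192.0.2.20.
ip access-list extended PROD-TO-LAB
 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.20 eq 3389
 deny   ip any any log
!
! Inbound on the lab side only replies of an existing RDP session pass
! ("established" matches ACK/RST only, so a SYN from the lab is dropped).
ip access-list extended LAB-TO-PROD
 permit tcp host 10.250.0.10 eq 3389 192.0.2.0 0.0.0.255 established
 deny   ip any any log
!
! No routing protocol and no static route for 10.250.0.0/24 anywhere in
! production: the lab prefix exists only as a connected route on this router.
! On the production access switch the port facing Gi0/0 should be a routed
! port ("no switchport") rather than a trunk, which is what keeps lab STP and
! VTP out of the production L2 domain.
```

The "deny ip any any log" entries give you a log line for every blocked attempt in either direction, which is also how you would notice a lab device trying to talk to production.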
03-21-2015 07:39 AM
Hi,
Personally, I would check the corporate IT policy to see if it's possible to do such a thing.
If someone finds out and tells the head of IT, you might get screwed.
Our lab is completely isolated and we don't ever hook it up to a production network, although sometimes I attempted to do it.