Connect Test LAB to Production Network

kiran_m01
Level 1

I have a lab in a remote location which, as of now, is accessible via a console router. I want to connect this to the production network so that I am able to access it without the console router. The physical setup would be like:

Core --- Distribution ---- AccessSwitch---TestLAB (couple of switch connected to each other)


My concern: if I play in my test lab, there are chances that broadcasts and STP floods might cripple my production network.


Please suggest what precautions I should take.


5 Replies

Jon Marshall
Hall of Fame

I did a similar thing a while back and I used a firewall to connect to the lab.

So the outside interface of the firewall faced the lab and the inside faced production.

I used a completely different private IP range for the lab and because I didn't want those IPs in the production routing tables I used NAT on the firewall to translate the lab IPs into a spare IP subnet available in production.

You should definitely look to isolate your lab so that any mistakes are not passed to production.

I wouldn't connect the lab to production with a L2 link because of STP, VTP etc. If you can't go the whole way of a firewall then you should look to use a L3 link if your lab switch supports it.

In addition using a separate VRF for your lab environment would be a good idea so any mistakes if you are playing around with the routing etc. does not affect the global production routing tables.

Jon

Would BPDU filters help here? Can I completely block the exchange of STP packets between two switches?

Blocking the exchange of STP packets will do nothing to protect your production network from any issues you have in the lab.

I wouldn't use a L2 connection to connect a test lab up, too many things can go wrong.

Like I say, at a minimum I would use a L3 link.

What you want is an environment where if you get it all wrong the worse thing you have to do is go and reboot your lab devices not explain to your boss why the production network is down.

It's up to you in the end though.

Jon

I did this a while back with a very old router, a 2600 or something like that. I just gave the interface pointing to corporate an IP from production, then my own totally different private range on the other Ethernet interface. Then I did a port forward to a PC for TCP 3389. No dynamic NAT from the test LAN to production. When I needed to test, I just RDP'd to the PC in the lab and did whatever I needed to from the remote session. And don't route corporate to lab, and nothing the other way either. Otherwise you can use a firewall like Jon suggested.
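The two replies above describe the same boundary from slightly different angles: Jon's L3 link with a distinct lab address range and no lab routes in production, and the 2600-style router with a single static port-forward for RDP and no dynamic NAT. The configuration below is an added example of that router, not posted by either author; every address (the spare production /30 10.1.1.0/30, the lab range 192.168.100.0/24, the lab jump PC 192.168.100.10), the interface names and the ACL names are assumed for illustration. The check a practitioner would want, beyond "no dynamic NAT", is an ACL on each side so that the lab cannot reach production's directly connected subnets even though the router sits on both.

```cisco
! Added example (IOS, assumed addressing): lab-edge router between production and the lab.
! Production side: 10.1.1.2/30 on a spare point-to-point link from the distribution layer.
! Lab side: 192.168.100.0/24, a range used nowhere in production.
! Lab PC acting as RDP jump host: 192.168.100.10.
!
! Lab-originated traffic: only RDP replies from the jump host may leave the lab.
! "established" restricts this to return traffic of sessions opened from production.
ip access-list extended LAB-TO-PROD
 permit tcp host 192.168.100.10 eq 3389 any established
 deny   ip any any log
!
! Production-originated traffic: RDP to the forwarded port, plus SSH to manage the router.
ip access-list extended PROD-TO-LAB
 permit tcp any host 10.1.1.2 eq 3389
 permit tcp any host 10.1.1.2 eq 22
 deny   ip any any log
!
interface FastEthernet0/0
 description Production side (routed port on the distribution switch, not a VLAN trunk)
 ip address 10.1.1.2 255.255.255.252
 ip access-group PROD-TO-LAB in
 ip nat outside
!
interface FastEthernet0/1
 description Lab side: L3 boundary, so STP, VTP and broadcast storms stop here
 ip address 192.168.100.1 255.255.255.0
 ip access-group LAB-TO-PROD in
 ip nat inside
!
! Static port translation only: production connects to 10.1.1.2:3389 and lands on the lab PC.
ip nat inside source static tcp 192.168.100.10 3389 10.1.1.2 3389
!
! Deliberately absent: "ip nat inside source list ..." (no dynamic NAT), any routing
! protocol on either interface, and any static route toward production beyond the
! connected /30. Production needs no route to 192.168.100.0/24; the only thing it
! ever sees is 10.1.1.2.
```

The lab switches hang off FastEthernet0/1, so the router's interface is the end of the lab's spanning-tree domain; a router port does not forward BPDUs or VTP, which is why Jon's L3 link is the precaution, not a BPDU filter on a trunk. The production-facing port on the distribution switch should be a routed port or its own /30 VLAN with no other members, so a lab mistake cannot leak into a shared VLAN. If the lab has to exchange routes with a production L3 device rather than terminate on a dedicated router, that is where Jon's separate VRF applies, and NAT between a VRF and the global table then needs the VRF-aware form of the `ip nat` commands, which should be verified on the platform in use.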

johnlloyd_13
Level 9

Hi,

Personally, I would check the corporate IT policy to see if it's possible to do such a thing.

If someone finds out and tells the head of IT, you might get screwed.

Our lab is completely isolated and we don't ever hook it up to a production network, although sometimes I have attempted to do it.
