Thanks.

After I have this setup I will then start to create essentially a new environment. New Active Directory forest,dns, etc etc

These lans are isolated as long as I don't have any routes setup from the old vlan/subnet to the new one, correct?

Whether they are isolated depends on where you are configuring the new vlan. You mentioned configuring a new SVI which suggests you are using a L3 switch ?

If you are and the same L3 switch has an SVI for the class B network then you may find they can route automatically. It really depends on the switch and whether it has ip routing enabled etc.

Can you provide a few more details ie. how is the current class B network routed, what device etc. and where are you confguring the new SVI ?

Jon

Our core is a 4500 and access switch is 3 x 3750 switches setup in a stack (connected via ether channel using 4 x 1gb connection)

We have hsrp setup on the 4500 with standby in the same device (not sure if there is any point having that stand by). ASA are 5500 series and GRE 2500 series.

So its my understanding that traffic flows like this (GRE part still learning);

Workstations > Core svi (default gateway) > ASA > internet

Or

Workstations > Core svi (default gateway) > ASA > GRE

So on your core switch you have an SVI for the class B vlan and you are proposing to add an SVI for the new class C vlan - is that correct ?

If that is correct and you want to make sure that the 2 networks cannot talk to each other you need to use acls on the SVIs to block traffic between them.

Can you confirm the above and also are you okay with the acl part or do you need a hand. If you do need help can you specify whether the new class C only needs to be blocked from the exisitng class B network but can still use the internet or whether you want to block the class C network from going anywhere.

Jon

Correct assumption regarding the svi's

My thinking was to block all traffic between the two vlans initially, as this will be a new test environment to start prior to becoming production.

Son I was was assuming I'd do it this way;

- acl to allow traffic to the asa for internet access

- block everything else

Then later simply take the acl out once the new AD is setup as I will probably need to create a trust and allow some users in the new environment access to the old until I can rebind everyone to the new forest.

I probably don't even need the acl to start with? I am just being cautious as I wasn't sure what (if anything) in the new DC's and DNS servers would broadcast to my old environment.

At some point though, workstations in one subnet will need to be able to access servers in the other as I can't migrate 200 users simultaneously from one domain to another.

Probably a good idea to initially use an acl initially on the new SVI when you test DHCP leases and internet access. As you say once this is done you can probably take it out when you need migrated clients to be able to talk to class B servers etc.

I can't really comment on the AD side of things ie. whether or not it is dangerous to have servers with a new AD being able to talk to servers with an old AD etc as i don't have any experience with that side of things.

Jon

Regarding AD, I don't believe it is. In fact think its going to be required to migrate them in a staggered manner.

The tricky part for me i think will be managing the change in the GRE tunnel setups once I get that far. This current config is just the Sydney office. I'll eventually need to do the same LAN WAN for Hong Kong, Taiwan, Singapore and India offices whilst maintaining connectivity with all our tunnels but think I will consult a CCIE for that.

Its turning out to be a great learning experience.