05-07-2012 09:03 AM - edited 03-07-2019 06:33 AM
My core switch is a 6509-E and my IDF closets have 3750s.
I have a couple of VLANs currently set up that can communicate with each other.
VTP is set up client/server, where my core is the server and all IDFs are clients.
What I'm trying to do is create an isolated VLAN. I want to set up a DHCP scope and use a helper address. When I plug a client into that VLAN, I want it to get an IP, but not have any other network access.
Is this possible to do without switching to transparent mode?
If not, what repercussions will I see by switching to transparent mode?
05-07-2012 11:11 AM
Hi Mike,
You can use a VACL to isolate a VLAN from the rest of the network; please read the thread below.
https://supportforums.cisco.com/message/3581631#3581631
Please rate helpful post.
thanks
Rizwan Rafeek
05-09-2012 07:44 PM
Please rate helpful post.
thanks
05-21-2012 10:22 PM
Why not set up a private VLAN? Although you would need to change that particular switch to transparent mode, since VTP can't pass private VLAN info, it would be the most secure setup. As previously mentioned, a VACL would work too, but it is not as secure.
Sent from Cisco Technical Support iPad App
05-28-2012 11:21 PM
Hi
What is written above is correct, and there is one more simple way
to create an isolated VLAN: just do not create a default gateway.
Set up a DHCP scope without a default gateway, or use a wrong default gateway.
Then, when you plug a client into that VLAN, it gets an IP but does not have any other network access.
06-09-2012 11:37 PM
Also, you can use VTP pruning to keep the isolated VLAN's information from being shared with the other VLANs and vice versa....
06-10-2012 12:04 AM
Refer to the document below on pruning....
http://www.firewall.cx/networking-topics/vlan-networks/virtual-trunk-protocol/225-vtp-pruning.html
06-17-2012 04:31 AM
Hi Mike,
Please rate helpful post, if this has been resolved already.
thanks.
07-05-2012 04:24 AM
Hi Mike,
You can keep the switch as a VTP client and achieve this. Follow the steps below:
=> Configure an access list allowing the IPs that the isolated VLAN has to access [DHCP server]
=> Deny all other traffic in the access list
=> Apply the access list to the SVI interface of that VLAN
Using the above, you should be able to isolate the VLAN from accessing the other VLANs.
If you would like to block traffic between hosts in the same VLAN, then you can use a VLAN access map [VACL].
Hope this helps!!!
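A worked configuration for the three steps above, added here as an example and not code from the thread. The VLAN number, ACL name and addresses are constructed placeholders (isolated VLAN 99 on 198.51.100.0/24, DHCP server 192.0.2.10 on another VLAN):

```cisco
! Inbound ACL on the isolated VLAN's SVI: permit only what DHCP needs, deny the rest.
! All names and addresses below are constructed placeholders for this example.
ip access-list extended ISOLATED-VLAN99-IN
 remark Initial DISCOVER/REQUEST are broadcasts (src 0.0.0.0) that the helper must relay
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 remark Lease renewals are unicast straight to the DHCP server
 permit udp any eq bootpc host 192.0.2.10 eq bootps
 remark Everything else routed out of the VLAN is dropped
 deny ip any any
!
interface Vlan99
 description Isolated clients - DHCP only
 ip address 198.51.100.1 255.255.255.0
 ip helper-address 192.0.2.10
 ip access-group ISOLATED-VLAN99-IN in
!
! After a client pulls a lease, the permit counters should increment and the deny line
! should absorb everything else:
! show ip access-lists ISOLATED-VLAN99-IN
```

The inbound ACL only filters traffic the SVI routes, so hosts inside VLAN 99 can still reach each other at Layer 2; that is the case the VACL mentioned at the end of the post is for.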
08-01-2012 01:46 AM
Hi Mike,
Hope this is the answer to your question:
I am using it like this:
Core switch config:
service password-encryption
!
hostname nnXCI001
!
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
username xxxxx
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750v2-48ts
system mtu routing 1500
vtp domain location
vtp mode transparent
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name xxx.xxxx.com
no ip dhcp use vrf connected
!
!
ip dhcp snooping vlan 21-26
ip dhcp snooping
!
spanning-tree mode mst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree uplinkfast
!
spanning-tree mst configuration
name location
revision 1
instance 1 vlan 1, 21-26
!
spanning-tree mst 0-1 priority 24576
spanning-tree vlan 1,21-26 priority 24576
!
vlan internal allocation policy ascending
!
vlan 7
name FW-Transfer
!
vlan 21
name Data_VLAN21
!
vlan 22
name Data_VLAN22
!
vlan 23
name Data_VLAN23
!
vlan 24
name Data_VLAN24
!
vlan 25
name Data_VLAN25
!
vlan 26
name Data_VLAN26
!
ip tftp source-interface Vlan1
ip ssh version 2
!
.
.
.
all Ports
.
interface FastEthernet0/1
description **** DHCP 10.xx.21.1 server****
ip dhcp snooping trust
.
.
.
.
.
interface Vlan1
ip address 10.xx.1.1 255.255.255.0
!
interface Vlan7
ip address 10.xx.7.1 255.255.255.0
!
interface Vlan21
ip address 10.xx.21.254 255.255.255.0
!
interface Vlan22
ip address 10.xx.22.254 255.255.255.0
ip helper-address 10.XX.21.1
!
interface Vlan23
ip address 10.xx.23.254 255.255.255.0
ip helper-address 10.XX.21.1
!
interface Vlan24
ip address 10.xx.24.254 255.255.255.0
ip helper-address 10.XX.21.1
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.xx.7.254
no ip http server
ip http authentication local
ip http secure-server
!
end
This is just an example.
Maybe you can use it like this.
Regards
Please rate if it helps.