Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1873
Views
0
Helpful
10
Replies

Vlan isolation

Go to solution
mp_merchants
Level 1
Level 1

‎09-16-2011 07:34 AM - edited ‎03-07-2019 02:16 AM

Can you restrict a vlan from commuicating with vlan1 (default vlan) when they have both been configured on the same Layer 3 Cisco switch?

I'm trying to create a vlan consisting of only two ports that will allow a server in our DMZ (192.168.2.2/24) to communicate with a server

on our LAN (10.1.2.10/16).  I thought by creating a vlan on our core switch (C4507R) and configuring the second NIC's on these servers as member of the new vlan that I would be able to create a private vlan.  My concern is that to restrict commucation to and from this new vlan I would need to create deny ACL's, but am not really sure of the resulting effects of denying access to the 10.1.1.1 vlan when this is the IP of the Switch that all vlans were configured and currently reside on.

The server that is on our internal LAN has one NIC configured as part of the default vlan1.

I know we can allow the server in our DMZ to commuincate with the server on our internal LAN via the current infrastructure that's in place, but right now there is a 10/100 connection that is slowing down our data transfer between the two servers.  We wanted to set up a quick solution to provide them with Gig connection to each other.

Any help or insight is greatly appreciated.

Thanks,

Mike

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to mp_merchants

‎09-16-2011 11:04 AM

Mike

Can you just clarify that the 2nd NIC on each of the servers to be used for private communication is not going to have an address from either the 10.1.x.x network or the 192.168.2.x network ie. you are going to be using a completely new vlan and subnet ?

If so then as already discussed, just use a new vlan and /30 subnet and then do not create a L3 vlan interface for it. The 2 servers will be able to talk to each other via this new subnet.

Just make sure that IP routing/forwarding is not enabled on either server so they cannot pass traffic between the 2 NICs.

If i have misunderstood please clarify.

Jon

View solution in original post

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to mp_merchants

‎09-16-2011 11:21 AM

Mike

No it doesn't and in fact you wouldn't want another default-gateway as this would confuse the servers. They should only have one default-gateway ie. for the main NIC connection.

Jon

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎09-16-2011 09:07 AM

Mike

If you just want these 2 servers to be only able to communicate with each other on the 192.168.2.0/24 network then simply don't create a L3 vlan interface for the 192.168.2.0/24 network.

If there are other devices in the 192.168.2.0/24 network then perhaps you could explain a bit further exactly what you want.

Jon

0 Helpful

Go to solution
mp_merchants
Level 1
Level 1
In response to Jon Marshall

‎09-16-2011 10:17 AM


Andy,

Thanks for the quick response.  So just to be clear...Do I need to define a default gateway on the server NIC's?  ....or will they be able to commuicate on their own vlan with simply the IP and /30 subnet mask?

Thanks,

Mike

0 Helpful

Go to solution
arudolph_emd
Level 1
Level 1
In response to Jon Marshall

‎09-16-2011 11:27 AM

Mike,

No, you do not need to assign a default gateway to the 2nd NIC.  In fact, be sure that you don't assign one or it could cause routing issues with the other NIC.  You will only have 2 usable addresses for hosts in the /30 plus the identifier and broadcast addresses.  With the 2nd NIC of each server being in the same /30 subnet, they will be able to communicate over the link without a router/gateway.  Also, make sure that the new /30 subnet doesn't overlap with any other subnets in your network or it will cause issues with these 2 servers being able to communicate with the 4 IP addresses that make up that /30.

Also, just an FYI...  If this is something you need permanently, you may want to consier upgrading equipment to get the gigabit bandwith on your regular LAN or even using NIC teaming.  With one of these servers being in your DMZ and the other on the internal network, it's not the best idea to directly connect them and bypass any firewallls, IDS, etc that may be in place.

Andy

0 Helpful

Go to solution
mp_merchants
Level 1
Level 1
In response to arudolph_emd

‎09-16-2011 11:34 AM

Thanks for the clarification Andy.  Very much appreciated.

Regards,

Mike

0 Helpful

Go to solution
arudolph_emd
Level 1
Level 1

‎09-16-2011 09:07 AM

Hi Mike,

If you don't create a VLAN interface with an IP address for the new vlan, you don't have to worry about it comminicating with your other VLANs.  Just create the VLAN and assign your 2 ports to it.  Then assign the 2nd NIC of the two servers addresses in a /30 subnet that the can commincate with each other on.  You could also just run a crossover cable between the two servers and assign the /30 addresses to them to avoid having to change anythign on your switches.

HTH

Andy

0 Helpful

Go to solution
mp_merchants
Level 1
Level 1
In response to arudolph_emd

‎09-16-2011 10:24 AM

Sorry, I switched my responses up (Andy see my response to Jon).

Jon, there are other devices in the 192.168.2.0/24 network.  I was just trying to get a direct/private line of communication between those two servers without effecting anything else (one transfers a large amount of data to the other).  Our main goal is only to speed up the transfer rate between the two by bypassing our current infrastructure.

Thanks,

Mike

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to mp_merchants

‎09-16-2011 11:04 AM

Mike

Can you just clarify that the 2nd NIC on each of the servers to be used for private communication is not going to have an address from either the 10.1.x.x network or the 192.168.2.x network ie. you are going to be using a completely new vlan and subnet ?

If so then as already discussed, just use a new vlan and /30 subnet and then do not create a L3 vlan interface for it. The 2 servers will be able to talk to each other via this new subnet.

Just make sure that IP routing/forwarding is not enabled on either server so they cannot pass traffic between the 2 NICs.

If i have misunderstood please clarify.

Jon

0 Helpful

Go to solution
mp_merchants
Level 1
Level 1
In response to Jon Marshall

‎09-16-2011 11:19 AM

Jon, 

The scenario you described above is correct.  I will try this configuration out shortly, but just to confirm...the server NIC's conifurged with the /30 subnet do not require a default gateway?

Thanks,

Mike

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to mp_merchants

‎09-16-2011 11:21 AM

Mike

No it doesn't and in fact you wouldn't want another default-gateway as this would confuse the servers. They should only have one default-gateway ie. for the main NIC connection.

Jon

0 Helpful

Go to solution
mp_merchants
Level 1
Level 1
In response to Jon Marshall

‎09-16-2011 11:28 AM

That actually makes perfect sense.  Thanks Jon!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card