09-16-2011 07:34 AM - edited 03-07-2019 02:16 AM
Can you restrict a vlan from communicating with vlan1 (default vlan) when they have both been configured on the same Layer 3 Cisco switch?
I'm trying to create a vlan consisting of only two ports that will allow a server in our DMZ (192.168.2.2/24) to communicate with a server on our LAN (10.1.2.10/16). I thought by creating a vlan on our core switch (C4507R) and configuring the second NICs on these servers as members of the new vlan that I would be able to create a private vlan. My concern is that to restrict communication to and from this new vlan I would need to create deny ACLs, but am not really sure of the resulting effects of denying access to the 10.1.1.1 vlan when this is the IP of the switch that all vlans were configured and currently reside on.
The server that is on our internal LAN has one NIC configured as part of the default vlan1.
I know we can allow the server in our DMZ to communicate with the server on our internal LAN via the current infrastructure that's in place, but right now there is a 10/100 connection that is slowing down our data transfer between the two servers. We wanted to set up a quick solution to provide them with a Gig connection to each other.
Any help or insight is greatly appreciated.
Thanks,
Mike
09-16-2011 09:07 AM
Mike
If you just want these 2 servers to be only able to communicate with each other on the 192.168.2.0/24 network then simply don't create a L3 vlan interface for the 192.168.2.0/24 network.
If there are other devices in the 192.168.2.0/24 network then perhaps you could explain a bit further exactly what you want.
Jon
09-16-2011 10:17 AM
Andy,
Thanks for the quick response. So just to be clear... do I need to define a default gateway on the server NICs? Or will they be able to communicate on their own vlan with simply the IP and /30 subnet mask?
Thanks,
Mike
09-16-2011 11:27 AM
Mike,
No, you do not need to assign a default gateway to the 2nd NIC. In fact, be sure that you don't assign one or it could cause routing issues with the other NIC. You will only have 2 usable addresses for hosts in the /30 plus the identifier and broadcast addresses. With the 2nd NIC of each server being in the same /30 subnet, they will be able to communicate over the link without a router/gateway. Also, make sure that the new /30 subnet doesn't overlap with any other subnets in your network or it will cause issues with these 2 servers being able to communicate with the 4 IP addresses that make up that /30.
Also, just an FYI... If this is something you need permanently, you may want to consider upgrading equipment to get the gigabit bandwidth on your regular LAN or even using NIC teaming. With one of these servers being in your DMZ and the other on the internal network, it's not the best idea to directly connect them and bypass any firewalls, IDS, etc. that may be in place.
Andy
09-16-2011 11:34 AM
Thanks for the clarification Andy. Very much appreciated.
Regards,
Mike
09-16-2011 09:07 AM
Hi Mike,
If you don't create a VLAN interface with an IP address for the new vlan, you don't have to worry about it communicating with your other VLANs. Just create the VLAN and assign your 2 ports to it. Then assign the 2nd NIC of the two servers addresses in a /30 subnet that they can communicate with each other on. You could also just run a crossover cable between the two servers and assign the /30 addresses to them to avoid having to change anything on your switches.
HTH
Andy
09-16-2011 10:24 AM
Sorry, I switched my responses up (Andy see my response to Jon).
Jon, there are other devices in the 192.168.2.0/24 network. I was just trying to get a direct/private line of communication between those two servers without affecting anything else (one transfers a large amount of data to the other). Our main goal is only to speed up the transfer rate between the two by bypassing our current infrastructure.
Thanks,
Mike
09-16-2011 11:04 AM
Mike
Can you just clarify that the 2nd NIC on each of the servers to be used for private communication is not going to have an address from either the 10.1.x.x network or the 192.168.2.x network, i.e. you are going to be using a completely new vlan and subnet?
If so then as already discussed, just use a new vlan and /30 subnet and then do not create a L3 vlan interface for it. The 2 servers will be able to talk to each other via this new subnet.
Just make sure that IP routing/forwarding is not enabled on either server so they cannot pass traffic between the 2 NICs.
If I have misunderstood please clarify.
Jon
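As an added example (not code from the thread or from anyone in it), a small Python planner that encodes the checks Jon and Andy describe: the link must be a /30 whose two usable addresses go to the servers, it must not overlap the existing 10.1.0.0/16 or 192.168.2.0/24 networks, and the generated switch config carries the VLAN and its two access ports but deliberately no `interface Vlan` SVI, so nothing on the switch routes that subnet. The VLAN number and port names are placeholders, not taken from the thread.

```python
"""Plan and sanity-check an isolated /30 server-to-server VLAN with no SVI."""
import ipaddress
from typing import Iterable

# Constructed for this example: the two networks the thread says already exist.
EXISTING_SUBNETS = ["10.1.0.0/16", "192.168.2.0/24"]


def check_private_link(subnet: str, host_a: str, host_b: str,
                       existing: Iterable[str] = EXISTING_SUBNETS) -> list[str]:
    """Return a list of problems with the proposed link; an empty list means it is sound."""
    problems: list[str] = []
    net = ipaddress.ip_network(subnet, strict=True)
    a, b = ipaddress.ip_address(host_a), ipaddress.ip_address(host_b)
    if net.prefixlen != 30:
        problems.append(f"{net} is a /{net.prefixlen}, not a /30")
    # hosts() excludes the network and broadcast addresses, leaving 2 usable for a /30.
    usable = set(net.hosts())
    for name, addr in (("host_a", a), ("host_b", b)):
        if addr not in usable:
            problems.append(f"{name} {addr} is not a usable host address in {net}")
    if a == b:
        problems.append("both servers were given the same address")
    # Andy's point: the /30 must not overlap anything already routed in the network.
    for other in existing:
        o = ipaddress.ip_network(other)
        if net.overlaps(o):
            problems.append(f"{net} overlaps existing subnet {o}")
    return problems


def switch_config(vlan_id: int, ports: tuple[str, str], name: str = "SERVER-XFER") -> str:
    """IOS-style lines for the VLAN and two access ports. No 'interface Vlan' SVI on purpose."""
    lines = [f"vlan {vlan_id}", f" name {name}"]
    for port in ports:
        lines += [f"interface {port}", " switchport mode access",
                  f" switchport access vlan {vlan_id}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder values: a fresh /30 and two hypothetical 4507R ports.
    print(check_private_link("172.16.0.0/30", "172.16.0.1", "172.16.0.2"))  # []
    print(switch_config(900, ("GigabitEthernet1/1", "GigabitEthernet1/2")))
```

The second NICs are then configured with the two usable addresses, the /30 mask and no default gateway, and IP forwarding stays disabled on both servers.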
09-16-2011 11:19 AM
Jon,
The scenario you described above is correct. I will try this configuration out shortly, but just to confirm... the server NICs configured with the /30 subnet do not require a default gateway?
Thanks,
Mike
09-16-2011 11:21 AM
Mike
No it doesn't, and in fact you wouldn't want another default gateway as this would confuse the servers. They should only have one default gateway, i.e. for the main NIC connection.
Jon
09-16-2011 11:28 AM
That actually makes perfect sense. Thanks Jon!