01-26-2013 08:09 AM - edited 03-07-2019 11:20 AM
I have a 3750X with an existing Small Business Server and all computers on one VLAN. This VLAN connects to other switches with fibre trunk SFPs.
I want to build a new forest utilising VLANs in the normal way. What is the easiest way to segregate this VLAN?
The site is running 24/7
Any ideas welcome!
Sent from Cisco Technical Support iPad App
01-26-2013 08:25 AM
How big of an install is this? Best practices tell us that 250 devices per subnet/VLAN is ideal. If you are looking for segmentation ideas, here are a few thoughts.
1. Segment by location. Perhaps floor 1 is on VLAN 100 and floor 2 is on VLAN 200.
2. Segment by function. Perhaps the accounts area is VLAN 100 and production is VLAN 200.
3. Segment by services. Perhaps all PCs get VLAN 100, servers get VLAN 200 and printers get VLAN 300.
You can secure and further segment VLANs with ACLs, blocking types of traffic from talking to other traffic, meaning VLANs.
You can use VTP to publish VLANs across your network.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
01-26-2013 09:47 AM
Thank you. What I am looking to do is make sure that VLAN 15, with the existing network, cannot communicate in any way with the other VLANs, because it has a Small Business Server which must not detect the presence of my new domain controller that will eventually replace the SBS. The info I have found regarding private VLANs looks quite complicated to apply to an existing VLAN on the production network.
Steve
Sent from Cisco Technical Support iPad App
01-26-2013 04:18 PM
There are a number of options:
1. Separate physical switching.
2. You could use a VRF for the new AD domain VLANs and assign the VLANs for the new domain to the VRF. You will need an L3 switch which supports VRFs and has the appropriate IOS license set, i.e. advipservices.
3. Define the new VLANs on a firewall along with the VLAN gateway addresses. You can then create the VLANs on the core and trunk them to the firewall interface. Performance-wise, all your inter-VLAN routing would be via the firewall.
4. Define the ports within the new VLANs as private community VLANs on the L3 core switch. You would be limited to hosts connected to just the core switch.
5. If you only have one VLAN, then don't create the VLAN gateway on the core. This would restrict all hosts to just that VLAN. This would not work if you need more than 1 VLAN, and you would need to ensure that no one ever created the gateway on the core switch in the future.
Sent from Cisco Technical Support iPad App
01-28-2013 02:19 AM
Thanks, my core switch is a 3750X with IP Base, not Advanced. Could I use access control to block everything in and out of VLAN 15?
Sent from Cisco Technical Support iPad App
01-30-2013 02:06 PM
You should be able to use VACLs on your 3750-X with the IP Base image:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/swacl.html#wp1543691
See the section on configuring VLAN maps.
Sent from Cisco Technical Support iPad App
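As an added illustration of the VLAN-map approach from the answer above (example configuration written for this thread, not taken from the linked Cisco document or from any poster), this isolates VLAN 15 so that only traffic staying inside its own subnet is forwarded; the subnet 10.15.0.0/24 and the map and ACL names are assumed placeholders for the real SBS network:

```cisco
! Extended ACL matching IP traffic whose source AND destination are both
! inside VLAN 15's subnet (10.15.0.0/24 is an assumed placeholder value)
ip access-list extended VLAN15-INTERNAL
 permit ip 10.15.0.0 0.0.0.255 10.15.0.0 0.0.0.255
!
! Catch-all ACL used to name "any other IP packet" explicitly
ip access-list extended ANY-IP
 permit ip any any
!
! Sequence 10: intra-VLAN traffic (including frames bridged across the
! fibre trunks to the other switches in VLAN 15) is forwarded unchanged
vlan access-map VLAN15-ISOLATE 10
 match ip address VLAN15-INTERNAL
 action forward
!
! Sequence 20: every other IP packet routed into or out of VLAN 15 is
! dropped, so the SBS and the new domain's VLANs never see each other
vlan access-map VLAN15-ISOLATE 20
 match ip address ANY-IP
 action drop
!
! Apply the map to VLAN 15 only; all other VLANs on the core are untouched
vlan filter VLAN15-ISOLATE vlan-list 15
```

Verify with `show vlan access-map` and `show vlan filter`; because the map contains only IP match clauses, non-IP frames such as ARP fall under the VLAN-map default of being forwarded, so hosts within VLAN 15 can still resolve each other while anything crossing to another VLAN is dropped.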
02-02-2013 03:08 PM
Private VLANs and VLAN mapping if the device can't apply port protection or similar techniques.
Alessio
Sent from Cisco Technical Support iPad App