Catalyst 4507R VLANs

Answered Question

Got a question I should know the answer to. I have a 4507R with dual Sup II Plus. I have 5 layer 3 VLANs created. I have a business partner that has VPN access to our LAN. I need to give him access to a server, however, I do not want this server to be able to communicate with the rest of our LAN. My thought was to create a layer 2 VLAN on the 4507R but I am not sure if layer 2 and layer 3 VLANs can coexist. Or am I better off creating another VLAN, putting the server in the new VLAN and then using ACLs to restrict access.

Thanks.

Correct Answer by Jon Marshall, Wed, 02/28/2007 - 23:42

Hi Jim

I might be misunderstanding due to your terminology but I'm a little unclear what you mean by layer 3 VLANs as opposed to layer 2 VLANs.

VLANs work at layer 2. If you have 5 layer 3 VLANs on your 4507R then you are probably talking about the SVIs that have IP addresses assigned to them. But you will still have to have these VLANs created at layer 2 on the 4507R.

So if you want a layer 2 VLAN on your switch I understand that to mean you do not want to create a layer 3 interface for it. That's fine and it will work but if you do this some other device will have to do the routing for that VLAN. Your options are

1) Create a new VLAN and give it an SVI interface. Readdress the server and use ACLs on the SVI.

2) Use a VLAN access-list which will allow you to permit or deny traffic to and from the server at the layer 2 level, i.e. the server can be in the same subnet as other servers but you can still use a VLAN access-list. You wouldn't need to readdress the server.

3) Look at private VLANs which will allow you to segregate the server within the same VLAN.

If the server is purely accessed by the 3rd party and you don't want the server talking to anything else within your LAN I would think about option 1 as you are in effect creating a poor man's DMZ.

HTH

Jon

Overall Rating: 5 (1 ratings)
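Jon's option 1 (a new VLAN with its own SVI and ACLs on that SVI) worked through as an IOS configuration for a Catalyst 4500. This is an added example, not from the thread or from Cisco documentation, and every value in it is constructed: VLAN 100, the server at 10.100.0.10/24 behind SVI 10.100.0.1, the partner's VPN address pool 192.168.250.0/24, port Gi3/1 as the server port, and HTTPS plus SSH as the services the partner needs. The switch filters statelessly, so return traffic from the server back to the partner has to be permitted explicitly rather than relying on session state.

```cisco
! Added example, not from the thread. All addresses, VLAN and port numbers are assumed.
! Goal: partner VPN users reach the server; the server VLAN reaches nothing else on the LAN.

vlan 100
 name PARTNER-DMZ
!
! Server port: plain access port in the new VLAN (server is readdressed into 10.100.0.0/24)
interface GigabitEthernet3/1
 description Partner-accessible server (assumed port)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Direction "in" on an SVI = packets arriving FROM VLAN 100 into the switch's routing engine.
! Only the server's replies to the partner pool are allowed out of the VLAN; everything else,
! including the rest of the LAN, is denied. Replies are matched statelessly by source port.
ip access-list extended DMZ100-IN
 remark server -> partner replies only (stateless: match the service as the source port)
 permit tcp host 10.100.0.10 eq 443 192.168.250.0 0.0.0.255
 permit tcp host 10.100.0.10 eq 22 192.168.250.0 0.0.0.255
 remark everything else from the server VLAN, LAN included, is dropped and logged
 deny   ip any any log
!
! Direction "out" on an SVI = packets being routed INTO VLAN 100 toward the server.
! Only the partner pool may open HTTPS/SSH to the server; internal VLANs get nothing.
ip access-list extended DMZ100-OUT
 remark partner VPN pool -> server, permitted services only
 permit tcp 192.168.250.0 0.0.0.255 host 10.100.0.10 eq 443
 permit tcp 192.168.250.0 0.0.0.255 host 10.100.0.10 eq 22
 remark internal VLANs and anything else -> server is dropped and logged
 deny   ip any any log
!
interface Vlan100
 description Partner-accessible server segment (poor man's DMZ)
 ip address 10.100.0.1 255.255.255.0
 ip access-group DMZ100-IN in
 ip access-group DMZ100-OUT out
 no shutdown
```

A few practical points: the ACLs only see traffic that crosses the SVI, so anything else you later put into VLAN 100 can still talk to the server at layer 2 (that is where Jon's option 2, a VLAN access-map, or option 3, private VLANs, would come in). The `deny ... log` entries are handy while you confirm the partner's pool address is right (`show ip access-lists DMZ100-OUT` shows hit counts, `show ip interface vlan 100` confirms which list is applied in which direction), but on the Catalyst 4500 logged ACL hits are handled by the CPU, so drop the `log` keyword once things are settled if the port sees much traffic. If the server itself needs something from the LAN (DNS, NTP, patching), add a specific permit line above the final deny in DMZ100-IN rather than loosening the deny.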