Catalyst 4507R VLANs

jwebber
Level 1

Got a question I should know the answer to. I have a 4507R with dual Sup II Plus. I have 5 layer 3 VLANs created. I have a business partner that has VPN access to our LAN. I need to give him access to a server; however, I do not want this server to be able to communicate with the rest of our LAN. My thought was to create a layer 2 VLAN on the 4507R, but I am not sure if layer 2 and layer 3 VLANs can coexist. Or am I better off creating another VLAN, putting the server in the new VLAN and then using ACLs to restrict access?

Thanks.

Accepted Solution

Jon Marshall
Hall of Fame

Hi Jim

I might be misunderstanding due to your terminology, but I'm a little unclear what you mean by layer 3 VLANs as opposed to layer 2 VLANs.

VLANs work at layer 2. If you have 5 layer 3 VLANs on your 4507R then you are probably talking about the SVIs that have IP addresses assigned to them. But you will still have to have these VLANs created at layer 2 on the 4507R.

So if you want a layer 2 VLAN on your switch, I understand that to mean you do not want to create a layer 3 interface for it. That's fine and it will work, but if you do this some other device will have to do the routing for that VLAN. Your options are:

1) Create a new VLAN and give it an SVI interface. Readdress the server and use ACLs on the SVI.

2) Use a VLAN access-list, which will allow you to permit or deny traffic to and from the server at the layer 2 level, i.e. the server can be in the same subnet as other servers but you can still use a VLAN access-list. You wouldn't need to readdress the server.

3) Look at private VLANs, which will allow you to segregate the server within the same VLAN.

If the server is purely accessed by the 3rd party and you don't want the server talking to anything else within your LAN, I would think about option 1, as you are in effect creating a poor man's DMZ.

HTH

Jon
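A worked configuration of Jon's option 1, as an added example that is not from the thread or from Cisco: a new VLAN with its own SVI, the server readdressed into it, and ACLs applied in both directions on the SVI. The VLAN number, port, and all addresses are constructed placeholders (documentation ranges for the server VLAN and the partner's VPN pool, 10.0.0.0/8 for the existing LAN).

```cisco
! Added example (not from the thread). Constructed placeholders:
!   VLAN 50 / 192.0.2.0/24  - new isolated server VLAN, server readdressed to 192.0.2.10
!   198.51.100.0/24         - address pool the partner's VPN clients arrive from
!   10.0.0.0/8              - the rest of the internal LAN (the existing SVIs)
!
vlan 50
 name PARTNER-SERVER
!
! What the server may send. Applied "in" on the SVI, i.e. packets
! entering the switch from VLAN 50. IOS ACLs are stateless, so the
! server's replies to the partner must be permitted explicitly.
ip access-list extended SERVER-VLAN-IN
 remark server may talk to the partner VPN pool only
 permit ip host 192.0.2.10 198.51.100.0 0.0.0.255
 remark separate counter for attempts towards the internal LAN
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip any any log
!
! What may reach the server. Applied "out" on the SVI, i.e. packets
! leaving the switch into VLAN 50. Only the partner, only the needed ports.
ip access-list extended SERVER-VLAN-OUT
 remark partner VPN clients to the published service ports (placeholders)
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 443
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
 remark nothing on the internal LAN may initiate to the server
 deny   ip 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.255 log
 deny   ip any any log
!
interface Vlan50
 description Isolated server VLAN for business partner (poor man's DMZ)
 ip address 192.0.2.1 255.255.255.0
 ip access-group SERVER-VLAN-IN in
 ip access-group SERVER-VLAN-OUT out
 no shutdown
!
interface GigabitEthernet2/1
 description partner-facing server (placeholder port)
 switchport mode access
 switchport access vlan 50
 spanning-tree portfast
!
! Checks after applying:
!   show ip interface Vlan50        - confirms which ACL is bound in which direction
!   show access-lists SERVER-VLAN-IN - hit counts on the deny lines show blocked attempts
```

The SVI ACL only filters traffic that is routed through the SVI, so the server should be the only host in VLAN 50; if it also needs DNS, NTP, or patching from the LAN, add narrow permit lines for those services rather than loosening the deny entries.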


2 Replies


Jon, thanks for the reply; it did answer my question. Yes, I should have made my post much clearer and used proper terminology. I am using SVIs that have IP addresses assigned to them.

Option 1 is what I was thinking of doing. Thanks again for your help.

Jim
