Unroutable VLANs

May 21st, 2008


I have a pretty simple network setup with multiple VLANs only using static routing. We only have one default static pointing outbound. There are a few VLANs such as a "backup" network and "iscsi" network that we'd rather not have reachability to and from the rest of the network, since no one besides IT really needs to reach them.

I was thinking of just allowing icmp/snmp/etc inbound on those particular SVIs for NetOps, but I wanted to know what other options or ideas anyone else has.



cisco_lad2004 Wed, 05/21/2008 - 04:48

If you are after additional L2 isolation you could make use of Private VLANs.



jaye15394 Wed, 05/21/2008 - 05:28

I'm not after L2 isolation. Just don't want those subnets to be accessible or routable to anyone but the IT department. Just wondering if there is anything else besides ACLs... maybe something with routing?

srue Wed, 05/21/2008 - 10:31

If your IT staff is in their own VLAN/subnet, you can set up policy routing/black hole routing to route traffic from the user subnets to the protected subnets to Null0.

jaye15394 Wed, 05/21/2008 - 10:43

That makes sense. I would just have to source route everything to Null0 except the IT subnet. That would work.

I think I'm going to just stick to ACLs. I've been testing it today and it's not as bad as I thought and I may even isolate mgmt traffic to a single NMS box which would simplify the config even more.

Thanks for the suggestion!
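An added example (not from the thread) showing both approaches discussed above in Cisco IOS syntax: ACLs on the protected SVIs that admit only the IT subnet (plus ICMP/SNMP from one NMS), and the policy-routing-to-Null0 alternative for user VLANs. All VLAN numbers and addresses are assumed.

```cisco
! Assumed addressing (not from the thread):
!   IT/NetOps VLAN 50 = 10.10.50.0/24, NMS = 10.10.50.10
!   iSCSI  VLAN 100 = 10.20.100.0/24 (SVI 10.20.100.1)
!   backup VLAN 110 = 10.20.110.0/24 (SVI 10.20.110.1)
!
! 1. What may enter the protected VLANs: IT hosts fully, the NMS for
!    ICMP/SNMP only, everyone else dropped (and logged for NetOps).
ip access-list extended TO-PROTECTED
 permit ip 10.10.50.0 0.0.0.255 any
 permit icmp host 10.10.50.10 any
 permit udp host 10.10.50.10 any eq snmp
 deny   ip any any log
!
! 2. What may leave the protected VLANs: only traffic back toward IT.
!    Without this, an iSCSI/backup host could still initiate to users.
ip access-list extended FROM-PROTECTED
 permit ip any 10.10.50.0 0.0.0.255
 deny   ip any any log
!
interface Vlan100
 description iSCSI
 ip address 10.20.100.1 255.255.255.0
 ip access-group TO-PROTECTED out
 ip access-group FROM-PROTECTED in
!
interface Vlan110
 description backup
 ip address 10.20.110.1 255.255.255.0
 ip access-group TO-PROTECTED out
 ip access-group FROM-PROTECTED in
!
! Alternative from the thread: policy-route non-IT sources to Null0.
! Applied inbound on each user SVI; the IT VLAN gets no route-map and
! keeps the normal routing table, so only IT can reach the subnets.
ip access-list extended USER-TO-PROTECTED
 permit ip any 10.20.100.0 0.0.0.255
 permit ip any 10.20.110.0 0.0.0.255
!
route-map BLACKHOLE-PROTECTED permit 10
 match ip address USER-TO-PROTECTED
 set interface Null0
!
interface Vlan20
 description user VLAN (assumed)
 ip policy route-map BLACKHOLE-PROTECTED
```

The logged denies give NetOps a record of anything probing the protected subnets; on hardware-switched platforms, logged ACL hits are punted to the CPU, so keep `log` for testing and drop it once the policy is confirmed.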


