Unroutable VLANs

May 21st, 2008

I have a pretty simple network setup with multiple VLANs only using static routing. We only have one default static pointing outbound. There are a few VLANs, such as a "backup" network and "iSCSI" network, that we'd rather not have reachability to and from the rest of the network, since no one besides IT really needs to reach them.

I was thinking of just allowing icmp/snmp/etc inbound on those particular SVIs for NetOps, but I wanted to know what other options or ideas anyone else has.



cisco_lad2004 Wed, 05/21/2008 - 04:48

if you are after additional L2 isolation you could make use of Private VLANs.



jaye15394 Wed, 05/21/2008 - 05:28
I'm not after L2 isolation. Just don't want those subnets to be accessible or routable to anyone but the IT department. Just wondering if there is anything else besides ACLs... maybe something with routing?

srue Wed, 05/21/2008 - 10:31

if your IT staff is in their own VLAN/subnet, you can set up policy routing/black hole routing to route traffic from the user subnets to the protected subnets to null0.

jaye15394 Wed, 05/21/2008 - 10:43
That makes sense. I would just have to source-route everything to Null0 except the IT subnet. That would work.

I think I'm going to just stick to ACLs. I've been testing it today and it's not as bad as I thought and I may even isolate mgmt traffic to a single NMS box which would simplify the config even more.

Thanks for the suggestion!
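The two approaches discussed above, as an added example that is not part of the original thread. The VLAN numbers and addresses are assumptions: Vlan10 is the IT staff subnet (10.10.10.0/24), Vlan20 is a general user subnet (10.10.20.0/24), Vlan30 is the backup network (10.10.30.0/24), Vlan40 is the iSCSI network (10.10.40.0/24), and a single NMS box sits at 10.10.50.5 on a server VLAN. Option 1 is the SVI-ACL approach the original poster settled on; option 2 is the policy-routing-to-Null0 idea from srue. The ACL and route-map names are made up for this example.

```cisco
! Added example, not from the thread. Assumed addressing:
!   Vlan10  IT staff        10.10.10.0/24
!   Vlan20  general users   10.10.20.0/24
!   Vlan30  backup network  10.10.30.0/24
!   Vlan40  iSCSI network   10.10.40.0/24
!   NMS box                 10.10.50.5 (on a separate server VLAN)
!
! ---- Option 1: ACLs on the protected SVI ----------------------------
! "out" on Vlan30 is traffic the switch routes INTO the backup VLAN.
ip access-list extended TO-BACKUP
 remark IT staff may reach backup hosts on any protocol
 permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
 remark NMS: ping and SNMP polling only
 permit icmp host 10.10.50.5 10.10.30.0 0.0.0.255 echo
 permit udp host 10.10.50.5 10.10.30.0 0.0.0.255 eq snmp
 remark everyone else is dropped (log hits while tuning, then remove)
 deny ip any any log
!
! "in" on Vlan30 is traffic sourced BY backup hosts. IOS ACLs are
! stateless, so replies to the IT subnet and to the NMS must be
! permitted explicitly or the flows above break on the return path.
ip access-list extended FROM-BACKUP
 permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit icmp 10.10.30.0 0.0.0.255 host 10.10.50.5 echo-reply
 permit udp 10.10.30.0 0.0.0.255 eq snmp host 10.10.50.5
 permit udp 10.10.30.0 0.0.0.255 host 10.10.50.5 eq snmptrap
 deny ip any any log
!
interface Vlan30
 description Backup network - reachable from IT and NMS only
 ip address 10.10.30.1 255.255.255.0
 ip access-group FROM-BACKUP in
 ip access-group TO-BACKUP out
!
! Vlan40 (iSCSI) gets the same pair of ACLs with 10.10.40.0 0.0.0.255
! substituted for 10.10.30.0 0.0.0.255.
!
! ---- Option 2: policy routing user traffic to Null0 -----------------
! Applied on the USER SVI, so the IT SVI (Vlan10) is simply left
! without a policy and keeps normal routing to the protected subnets.
ip access-list extended USERS-TO-PROTECTED
 permit ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.10.40.0 0.0.0.255
!
route-map BLACKHOLE-PROTECTED permit 10
 match ip address USERS-TO-PROTECTED
 set interface Null0
! Packets that do not match sequence 10 fall through to the
! normal routing table, so there is no deny clause needed.
!
interface Null0
 no ip unreachables
!
interface Vlan20
 description General users
 ip address 10.10.20.1 255.255.255.0
 ip policy route-map BLACKHOLE-PROTECTED
```

To confirm the filters are doing what you expect, generate some traffic from a user host and from an IT host and then check `show ip access-lists TO-BACKUP` for hit counts on the permit and deny lines, or `show route-map BLACKHOLE-PROTECTED` for policy-matched packets. Two caveats worth keeping in mind: neither option touches traffic between backup hosts inside the same VLAN (that is the L2 isolation the poster said he did not want, and only private VLANs or port ACLs would address it), and the `log` keyword on the deny lines can push matching packets to the CPU on hardware-switching platforms, so it is best treated as a tuning aid rather than left on permanently. Option 1 also filters in both directions, whereas option 2 only stops users from initiating toward the protected subnets; a backup host could still send traffic to the user VLAN unless its own SVI is filtered as well.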


