Unroutable VLANs

jaye15394
Level 1

Hi,

I have a pretty simple network setup with multiple VLANs only using static routing. We only have one default static pointing outbound. There are a few VLANs such as a "backup" network and "iscsi" network that we'd rather not have reachability to and from the rest of the network, since no one besides IT really needs to reach it.

I was thinking of just allowing icmp/snmp/etc inbound on those particular SVIs for NetOps, but I wanted to know what other options or ideas anyone else has.

Thanks,

JayE

4 Replies

cisco_lad2004
Level 5

If you are after additional L2 isolation you could make use of Private VLANs.

HTH

Sam

I'm not after L2 isolation. Just don't want those subnets to be accessible or routable to anyone but the IT departments. Just wondering if there is anything else besides ACLs... maybe something with routing?

If your IT staff is in their own VLAN/subnet, you can set up policy routing/black hole routing to route traffic from the user subnets to the protected subnets to null0.

That makes sense. I would just have to source route everything to null 0 except the IT subnet. That would work.

I think I'm going to just stick to ACLs. I've been testing it today and it's not as bad as I thought and I may even isolate mgmt traffic to a single NMS box which would simplify the config even more.

Thanks for the suggestion!

JayE
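
The ACL approach the thread settles on, sketched as an added example that is not part of the original posts: IOS extended ACLs on the backup SVI that admit only the IT subnet and a single NMS host. The VLAN number, all addresses and the ACL names are constructed assumptions.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   VLAN 50  backup network   10.0.50.0/24
!   IT staff subnet           10.0.10.0/24
!   Single NMS host           10.0.20.25
!
! Routed traffic heading toward hosts in the backup VLAN.
ip access-list extended BACKUP-VLAN-OUT
 remark NMS reachability checks and SNMP polling only
 permit icmp host 10.0.20.25 10.0.50.0 0.0.0.255 echo
 permit udp host 10.0.20.25 10.0.50.0 0.0.0.255 eq snmp
 remark IT staff administration
 permit ip 10.0.10.0 0.0.0.255 10.0.50.0 0.0.0.255
 remark Explicit final deny so hit counters show blocked attempts
 deny ip any any
!
! Routed traffic leaving the backup VLAN: replies only, no new reach outward.
ip access-list extended BACKUP-VLAN-IN
 remark Replies to the NMS
 permit icmp 10.0.50.0 0.0.0.255 host 10.0.20.25 echo-reply
 permit udp 10.0.50.0 0.0.0.255 eq snmp host 10.0.20.25
 remark Return traffic to IT staff
 permit ip 10.0.50.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny ip any any
!
interface Vlan50
 description backup network (constructed example)
 ip access-group BACKUP-VLAN-OUT out
 ip access-group BACKUP-VLAN-IN in
```

Traffic between hosts inside VLAN 50 is switched at layer 2 and never reaches these ACLs, so backup jobs that stay within the VLAN are unaffected. The ACLs are stateless, which is why the return direction needs its own entries.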