VLan without IP address

Answered Question
Oct 29th, 2010

I would like to create two vlans on one switch, one without an IP address.  Here's why:

One vlan would be outside of my firewall.  It would have the Internet connection, connection to the firewall, and the outside card of my video bridge.  The IP addresses connected to that switch would be 168.xxx.xxx.1, 168.xxx.xxx.3 and 168.xxx.xxx.34.  The other vlan is for the DMZ for my firewall.  The IP addresses in there are in the 168.xxx.xxx.15-30 range.  I would like to assign an IP address to one VLAN for management purposes, but I don't see how I can assign one to the second VLAN because of overlapping IP addresses.  Right now these connections are on different switches.  Can I do this?

Carl Carpenter
Acting Director, Information Services
Hill Country Community MHMR Center
(830)258-5414

Correct Answer by James Hawkins about 4 years 10 months ago

Hi Carl,

I am a bit confused by the IP addressing you describe. It sounds as if you have a range of registered IP addresses that you have further subnetted to assign between your external and DMZ networks but I cannot see how you can have 168.xxx.xxx.1, 168.xxx.xxx.3 and 168.xxx.xxx.34 on the external and 168.xxx.xxx.15-30 on the DMZ.

It would be helpful if you can give more details of the addressing scheme including subnet masks and confirming whether the first three octets are common (i.e. xxx.xxx has the same value on the external and DMZ networks). It would also be helpful if you can post which switch and software image you have.

Regardless of the addressing scheme you use I would urge you not to assign an IP address to any switch VLAN that is external or a DMZ. I would create a third VLAN specifically for management and assign an internal IP address to it.

Hope this helps.

Correct Answer by Sebastian Helmer about 4 years 10 months ago

Hi Carl,

I'm not sure if I understand you.

You can create just a vlan. Now you have a "Layer 2" vlan just to carry traffic through the switch. "show vlan" will show you these vlans. This VLAN has no IP.

If you want to create a vlan with an IP, you need to create a vlan like in point 1 and you need to create an "interface vlan X" to assign an IP; here you can also use a subnet mask to define smaller networks.

Hope that helps you, if it is not clear, just let me know.

regards,
Sebastian
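Putting James's and Sebastian's answers together as a configuration: the outside and DMZ VLANs exist only as Layer 2 VLANs with no SVI, and a third, internal VLAN carries the management address. This is an added, constructed example, not a config posted in the thread; the platform (a Catalyst running IOS), the VLAN IDs, the port names and the 10.0.99.0/24 management subnet are all assumptions.

```cisco
! Constructed example, not from the thread. Assumes a Catalyst switch
! running IOS; VLAN IDs, port names and 10.0.99.0/24 are placeholders.
!
! Layer 2 VLANs only: no "interface vlan", so no IP address on the
! external or DMZ side of the firewall.
vlan 10
 name OUTSIDE
vlan 20
 name DMZ
vlan 99
 name MGMT
!
! On a switch that supports routing, keep it a pure Layer 2 device so
! it can never forward between OUTSIDE and DMZ around the firewall.
no ip routing
!
! Management SVI on an internal, non-overlapping subnet (the "third
! VLAN" James suggests). VLANs 10 and 20 get no SVI at all.
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
 no shutdown
ip default-gateway 10.0.99.1
!
! Internet router, firewall outside interface, video bridge outside port
interface range GigabitEthernet0/1 - 3
 switchport mode access
 switchport access vlan 10
!
! DMZ hosts and the firewall's DMZ interface
interface range GigabitEthernet0/4 - 8
 switchport mode access
 switchport access vlan 20
!
! Port toward the internal network, used only to reach the switch
interface GigabitEthernet0/9
 switchport mode access
 switchport access vlan 99
!
! Check: "show vlan brief" lists 10, 20 and 99; "show ip interface
! brief" shows an address on Vlan99 only.
```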

Jon Marshall Fri, 10/29/2010 - 11:09

Carl

If I understand you correctly a typical setup for this is to use private RFC addressing for your DMZ (eg 192.168.x.x addressing) and then if you want the DMZ servers to be reachable from the internet you use NAT on the firewall eg. from an ASA -

static (dmz,outside) 168.x.x.x 192.168.5.10 netmask 255.255.255.255 would allow the DMZ server 192.168.5.10 to be accessed from the internet on the 168.x.x.x address.

Jon

cgcarpenter Fri, 10/29/2010 - 11:26

Great replies and very helpful.  I particularly like James' suggestion to put a third vlan on for management purposes.  And yes, the first three octets are all the same.  Thanks for the help.
