10-29-2010 09:51 AM - edited 03-06-2019 01:47 PM
I would like to create two vlans on one switch, one without an IP address. Here's why:
One vlan would be outside of my firewall. It would have the Internet connection, connection to the firewall, and the outside card of my video bridge. The IP addresses connected to that switch would be 168.xxx.xxx.1, 168.xxx.xxx.3 and 168.xxx.xxx.34. The other vlan is for the DMZ for my firewall. The IP addresses in there are in the 168.xxx.xxx.15-30 range. I would like to assign an IP address to one VLAN for management purposes, but I don't see how I can assign one to the second VLAN because of overlapping IP addresses. Right now these connections are on different switches. Can I do this?
Carl Carpenter
Acting Director, Information Services
Hill Country Community MHMR Center
(830)258-5414
10-29-2010 10:03 AM
Hi Carl,
I'm not sure if I understand you.
You can create just a vlan. Now you have a "Layer 2" vlan just to carry traffic through the switch. "show vlan" will show you these vlans. This VLAN has no IP.
If you want to create a vlan with an IP, you need to create a vlan as in point 1 and then create an "interface vlan X" to assign an IP; here you can also use a subnet mask to define smaller networks.
Hope that helps you, if it is not clear, just let me know.
regards,
Sebastian
10-29-2010 10:06 AM
Hi Carl,
I am a bit confused by the IP addressing you describe. It sounds as if you have a range of registered IP addresses that you have further subnetted to assign between your external and DMZ networks but I cannot see how you can have 168.xxx.xxx.1, 168.xxx.xxx.3 and 168.xxx.xxx.34 on the external and 168.xxx.xxx.15-30 on the DMZ.
It would be helpful if you can give more details of the addressing scheme including subnet masks and confirming whether the first three octets are common (i.e. xxx.xxx has the same value on the external and DMZ networks). It would also be helpful if you can post which switch and software image you have.
Regardless of the addressing scheme you use I would urge you not to assign an IP address to any switch VLAN that is external or a DMZ. I would create a third VLAN specifically for management and assign an internal IP address to it.
Hope this helps.
10-29-2010 11:09 AM
Carl
If I understand you correctly, a typical setup for this is to use private RFC addressing for your DMZ (e.g. 192.168.x.x addressing) and then, if you want the DMZ servers to be reachable from the internet, you use NAT on the firewall, e.g. from an ASA -
static (dmz,outside) 168.x.x.x 192.168.5.10 netmask 255.255.255.255 would allow the DMZ server 192.168.5.10 to be accessed from the internet on the 168.x.x.x address.
Jon
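As an added example that nobody in this thread posted, here is what the layout Sebastian and James describe looks like on a Cisco IOS access switch: the outside and DMZ VLANs exist only at Layer 2 (no "interface Vlan" for them), and a third management VLAN carries the switch's only IP address. VLAN numbers, port assignments, the 10.0.99.0/24 management range and the ACL name are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Three VLANs on one switch;
! only the management VLAN gets an SVI. Ports and addresses are assumed.
vlan 10
 name OUTSIDE
vlan 20
 name DMZ
vlan 99
 name MGMT
!
! Internet router, firewall outside interface, video bridge outside card
interface range GigabitEthernet0/1 - 3
 switchport mode access
 switchport access vlan 10
!
! Firewall DMZ interface and the DMZ servers
interface range GigabitEthernet0/4 - 8
 switchport mode access
 switchport access vlan 20
!
! Firewall inside/management interface; management traffic only
interface GigabitEthernet0/24
 switchport mode access
 switchport access vlan 99
!
! Deliberately no "interface Vlan10" or "interface Vlan20": the switch has
! no address on the external or DMZ segments, so it is not reachable there.
interface Vlan1
 shutdown
interface Vlan99
 description Management (private range, behind the firewall)
 ip address 10.0.99.2 255.255.255.0
 no shutdown
ip default-gateway 10.0.99.1
!
! Accept management sessions only from the management subnet, over SSH
ip access-list standard MGMT-ONLY
 permit 10.0.99.0 0.0.0.255
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
```

After applying this, "show vlan brief" lists all three VLANs but "show ip interface brief" shows an address on Vlan99 only.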
10-29-2010 11:26 AM
Great replies and very helpful. I particularly like James' suggestion to put a third vlan on for management purposes. And yes, the first three octets are all the same. Thanks for the help.