VLan without IP address

cgcarpenter
Level 1

I would like to create two vlans on one switch, one without an IP address. Here's why:

One vlan would be outside of my firewall.  It would have the Internet connection, connection to the firewall, and the outside card of my video bridge.  The IP addresses connected to that switch would be 168.xxx.xxx.1, 168.xxx.xxx.3 and 168.xxx.xxx.34.  The other vlan is for the DMZ for my firewall.  The IP addresses in there are in the 168.xxx.xxx.15-30 range.  I would like to assign an IP address to one VLAN for management purposes, but I don't see how I can assign one to the second VLAN because of overlapping IP addresses.  Right now these connections are on different switches.  Can I do this?

Carl Carpenter
Acting Director, Information Services
Hill Country Community MHMR Center
(830)258-5414

2 Accepted Solutions

Hi Carl,

I'm not sure if I understand you.

You can create just a VLAN. Now you have a "Layer 2" VLAN just to carry traffic through the switch. "show vlan" will show you these VLANs. This VLAN has no IP.

If you want to create a VLAN with an IP, you need to create a VLAN like in point 1 and you need to create an "interface vlan X" to assign an IP; here you can also use a subnet mask to define smaller networks.

Hope that helps you, if it is not clear, just let me know.

regards,
Sebastian

James Hawkins
Level 8

Hi Carl,

I am a bit confused by the IP addressing you describe. It sounds as if you have a range of registered IP addresses that you have further subnetted to assign between your external and DMZ networks but I cannot see how you can have 168.xxx.xxx.1, 168.xxx.xxx.3 and 168.xxx.xxx.34 on the external and 168.xxx.xxx.15-30 on the DMZ.

It would be helpful if you can give more details of the addressing scheme including subnet masks and confirming whether the first three octets are common (i.e. xxx.xxx has the same value on the external and DMZ networks). It would also be helpful if you can post which switch and software image you have.

Regardless of the addressing scheme you use I would urge you not to assign an IP address to any switch VLAN that is external or a DMZ. I would create a third VLAN specifically for management and assign an internal IP address to it.

Hope this helps.

4 Replies

Jon Marshall
Hall of Fame

Carl

If I understand you correctly, a typical setup for this is to use private RFC addressing for your DMZ (e.g. 192.168.x.x addressing) and then, if you want the DMZ servers to be reachable from the internet, you use NAT on the firewall, e.g. from an ASA:

    static (dmz,outside) 168.x.x.x 192.168.5.10 netmask 255.255.255.255

would allow the DMZ server 192.168.5.10 to be accessed from the internet on the 168.x.x.x address.

Jon

Great replies and very helpful.  I particularly like James' suggestion to put a third vlan on for management purposes.  And yes, the first three octets are all the same.  Thanks for the help.
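
The layout the replies describe (outside and DMZ as Layer 2-only VLANs, plus a third VLAN carrying the only switch IP address), as an added example that is not part of the original thread. It assumes a Catalyst switch running IOS; the VLAN IDs, VLAN names, port numbers and the 10.0.99.0/24 management subnet are constructed for illustration.

```cisco
! Constructed example: VLAN IDs, names, ports and the management subnet
! are assumptions, not values from the thread.
!
! Layer 2 only: no "interface Vlan10" or "interface Vlan20" is created,
! so the switch has no IP presence outside the firewall or in the DMZ.
vlan 10
 name OUTSIDE
vlan 20
 name DMZ
vlan 99
 name MGMT
!
! Outside VLAN: Internet connection, firewall outside interface,
! outside card of the video bridge
interface range FastEthernet0/1 - 3
 switchport mode access
 switchport access vlan 10
!
! DMZ VLAN: firewall DMZ interface and the DMZ hosts
interface range FastEthernet0/4 - 8
 switchport mode access
 switchport access vlan 20
!
! Management port, cabled to the internal network behind the firewall
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 99
!
! The only SVI with an address: internal management
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
 no shutdown
!
! Default SVI left without an address
interface Vlan1
 no ip address
 shutdown
```

After applying it, "show vlan" should list all three VLANs with their ports, and "show ip interface brief" should show an address on Vlan99 only.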
