pvlan question

Nov 7th, 2006

Hi All,


I am trying to implement PVLANs in our network, and here is a simple description of what I want to accomplish:


I have a subnet 10.24.224.0/21 allocated for a DMZ subnet.

I configured the firewall interface as the promiscuous port.

I have 2 types of remote users (one using VPN and the other using Citrix) and I assigned a community vlan.

I also have some web servers, FTP servers and DNS servers. I want to assign these ports as isolated ports.


I have a little confusion about isolated ports. When I assign the DNS server port as an isolated port, will it affect any queries directed towards it? I want external users and internal users to do an nslookup against this DNS server. In this case, do I need to configure this port as isolated or promiscuous?


Any help would be appreciated.

a-vazquez Mon, 11/13/2006 - 07:13
User Badges:
  • Silver, 250 points or more

The better option would be to configure it as a promiscuous port. An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Refer to this URL:

http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html


Jon Marshall Tue, 11/14/2006 - 02:31
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

If the external and internal users are on different vlans from the DNS server vlan then you could configure the DNS server port as isolated and they will still be able to do DNS lookups. Promiscuous/community/isolated ports are only relevant to that specific vlan.

However if there are other servers on the same vlan as the DNS server that need to do DNS lookups then you cannot use an isolated port as they will be unable to talk to the DNS server. In this instance if you know which servers need to talk to the DNS server you could use community ports.


If you are not sure, then do as the previous poster suggested and use promiscuous - most things need DNS services.


mchockalingam Tue, 11/14/2006 - 05:16
Hi All,


Thanks for the replies. After reading them, and also after some limited lab-environment testing, I have a better understanding now. The only thing I forgot to check is whether more than one port can be a promiscuous port. Correct?

Jon Marshall Tue, 11/14/2006 - 07:35
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Yes you can have multiple promiscuous ports.


HTH
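The design discussed in this thread, written out as a Cisco IOS private-VLAN configuration. This is an added example, not configuration posted by anyone in the thread or taken from Cisco's documentation. The VLAN numbers (224 primary, 225 isolated, 226 community), the interface numbers and the descriptions are assumptions chosen for illustration; the 10.24.224.0/21 DMZ subnet is the one the original post names. It follows the replies above: the firewall port and the DNS server port are both promiscuous (a switch may have several), so the isolated web and FTP servers and the community users in the same primary VLAN can all query DNS; had the DNS port been isolated, only the firewall could have reached it at Layer 2, which is fine for users arriving from other VLANs but not for servers sharing the DMZ.

```cisco
! Added example configuration (not from the thread). VLAN numbers,
! interface names and descriptions are assumed for illustration.
!
! Private VLANs are not propagated by VTP v1/v2, so the switch must be
! in transparent mode (or run VTP v3).
vtp mode transparent
!
! Primary VLAN carrying the DMZ subnet 10.24.224.0/21, with one
! isolated and one community secondary VLAN associated to it.
vlan 224
 name DMZ-PRIMARY
 private-vlan primary
 private-vlan association 225,226
!
vlan 225
 name DMZ-ISOLATED
 private-vlan isolated
!
vlan 226
 name DMZ-REMOTE-USERS
 private-vlan community
!
! Promiscuous port 1: firewall DMZ interface. It can reach every host
! in the primary VLAN whatever secondary VLAN the host is in, so users
! on other VLANs reach the DMZ servers through the firewall.
interface GigabitEthernet0/1
 description Firewall DMZ interface (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 224 225,226
!
! Promiscuous port 2: the DNS server, as the replies recommend. Being
! promiscuous, it is reachable from the isolated web/FTP servers and
! from the community users. As an isolated host port instead
! (host-association 224 225) only the firewall could reach it.
interface GigabitEthernet0/2
 description DNS server (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 224 225,226
!
! Isolated host ports: each server can talk only to promiscuous ports,
! never to another isolated port, even though they share the subnet.
interface GigabitEthernet0/3
 description Web server (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 224 225
!
interface GigabitEthernet0/4
 description FTP server (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 224 225
!
! Community host ports: VPN and Citrix remote users can talk to each
! other and to the promiscuous ports, but not to the isolated servers.
interface GigabitEthernet0/5
 description VPN remote users (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 224 226
!
interface GigabitEthernet0/6
 description Citrix remote users (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 224 226
```

To confirm the result, `show vlan private-vlan` lists the primary/secondary associations and the ports in each, and `show interfaces GigabitEthernet0/2 switchport` shows the operational mode and mapping of a single port. One design point worth keeping in mind: the PVLAN only separates hosts at Layer 2. Because the firewall is a promiscuous port, a community host can still reach an isolated server by sending the packet to the firewall and letting it route it back into the same subnet, so the firewall's policy (not the switch) decides whether that is allowed.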
