11-07-2006 05:53 AM - last edited on 03-25-2019 03:52 PM by ciscomoderator
Hi All,
I am trying to implement PVLANs in our network, and here is a simple description of what I want to accomplish:
I have a subnet 10.24.224.0/21 allocated for a DMZ subnet.
I configured the firewall interface as the promiscuous port.
I have 2 types of remote users (one using VPN and the other using Citrix) and I assigned a community vlan.
I also have some web servers, FTP servers and DNS servers. I want to assign these ports as isolated ports.
I have a little confusion about isolated ports. When I assign the DNS server port as an isolated port, will it affect any queries directed towards it? I want external users and internal users to do an nslookup against this DNS server. In this case, do I need to configure this port as isolated or promiscuous?
Any help would be appreciated.
11-13-2006 07:13 AM
The better option would be to configure it as a promiscuous port. An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Refer to this URL:
http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html
11-14-2006 02:31 AM
If the external and internal users are on different VLANs from the DNS server VLAN, then you could configure the DNS server port as isolated and they will still be able to do DNS lookups. Promiscuous/community/isolated ports are only relevant to that specific VLAN.
However, if there are other servers on the same VLAN as the DNS server that need to do DNS lookups, then you cannot use an isolated port, as they will be unable to talk to the DNS server. In this instance, if you know which servers need to talk to the DNS server, you could use community ports.
If you are not sure, then do as the previous poster suggested and use promiscuous - most things need DNS services.
11-14-2006 05:16 AM
Hi All,
Thanks for the replies. After reading the replies and also with limited lab environment testing, I have a better understanding now. The only thing I forgot to check is whether more than one port can be a promiscuous port. Correct?
11-14-2006 07:35 AM
Yes you can have multiple promiscuous ports.
HTH
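To make the layout recommended in the replies concrete (DNS server on a promiscuous port alongside the firewall, web/FTP servers isolated, remote-user hosts in a community VLAN, and more than one promiscuous port), here is an added Catalyst IOS configuration example that is not from any poster in this thread. The VLAN IDs, interface numbers and descriptions are assumptions chosen for illustration; only the 10.24.224.0/21 DMZ subnet comes from the original post.

```cisco
! Added example, not from the thread. VLAN IDs, port numbers and names are assumptions.
! Primary VLAN 224 carries the 10.24.224.0/21 DMZ subnet; 225 is the isolated
! secondary VLAN for web/FTP servers, 226 the community VLAN for remote-user hosts.
vtp mode transparent
!
vlan 224
 name DMZ-PRIMARY
 private-vlan primary
 private-vlan association 225,226
!
vlan 225
 name DMZ-ISOLATED
 private-vlan isolated
!
vlan 226
 name DMZ-COMMUNITY-REMOTE
 private-vlan community
!
! Firewall DMZ interface: promiscuous, so it reaches every secondary VLAN.
interface GigabitEthernet1/0/1
 description DMZ firewall (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 224 225,226
!
! DNS server: a second promiscuous port, so isolated and community hosts in the
! DMZ can all query it. Multiple promiscuous ports are allowed.
interface GigabitEthernet1/0/2
 description DNS server (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 224 225,226
!
! Web and FTP servers: isolated, each reaches only the promiscuous ports.
interface range GigabitEthernet1/0/3 - 4
 description Web/FTP servers (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 224 225
!
! Remote-user (VPN/Citrix) hosts: community, they reach each other and the
! promiscuous ports but not the isolated servers.
interface range GigabitEthernet1/0/5 - 6
 description VPN/Citrix remote-user hosts (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 224 226
!
! Check the result with: show vlan private-vlan  and  show interfaces switchport
```

If the DNS server instead served only hosts outside this VLAN (the case in the second reply), its port could be moved to the isolated VLAN with the same host-association syntax as the web/FTP ports.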