pvlan question

mchockalingam
Level 1

Hi All,

I am trying to implement pvlans in our network and here is a simple description of what I want to accomplish

I have a subnet 10.24.224.0/21 allocated for a DMZ subnet.

I configured the firewall interface as the promiscuous port.

I have 2 types of remote users (one using VPN and the other using Citrix) and I assigned a community vlan.

I also have some web servers, FTP servers and DNS servers. I want to assign these ports as isolated ports.

I have little confusion about isolated ports. When I assign the DNS server port as an isolated port, will it affect any queries directed towards it? I want external users and internal users to do a nslookup against this DNS server. In this case, do I need to configure this port as isolated or promiscuous?

Any help would be appreciated.

4 Replies

a-vazquez
Level 6

The better option would be to configure it as a promiscuous port. An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Refer to this URL:

http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html

Jon Marshall
Hall of Fame

If the external and internal users are on different vlans from the DNS server vlan then you could configure the DNS server port as isolated and they will still be able to do DNS lookups. Promiscuous/community/isolated ports are only relevant to that specific vlan.

However if there are other servers on the same vlan as the DNS server that need to do DNS lookups then you cannot use an isolated port as they will be unable to talk to the DNS server. In this instance if you know which servers need to talk to the DNS server you could use community ports.

If you are not sure then do as the previous poster suggested and use promiscuous - most things need DNS services.
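The forwarding rules Jon Marshall describes, turned into a small reachability model for the thread's DMZ layout (an added example, not from the original thread or from Cisco; the port names and the "remote" community id are assumed):

```python
from dataclasses import dataclass

# Constructed model of the thread's DMZ private VLAN: firewall on the
# promiscuous port, VPN/Citrix users in one community, web servers isolated,
# and the DNS server port configured three different ways for comparison.


@dataclass(frozen=True)
class Port:
    name: str
    kind: str            # "promiscuous", "isolated" or "community"
    community: str = ""  # only meaningful when kind == "community"


def can_forward(src: Port, dst: Port) -> bool:
    """Layer-2 forwarding rule between two ports of the same private VLAN.

    Promiscuous ports talk to everything; isolated ports only to promiscuous
    ports; community ports to promiscuous ports and to their own community.
    Traffic from other VLANs arrives via the router/firewall, i.e. through the
    promiscuous port, so the promiscuous rule covers those users too.
    """
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True
    if src.kind == "community" and dst.kind == "community":
        return src.community == dst.community
    return False  # isolated <-> isolated, isolated <-> community


def dns_reachability(dns_kind: str, dns_community: str = "") -> dict:
    """Which DMZ neighbours can query the DNS server for a given port type."""
    dns = Port("dns", dns_kind, dns_community)
    clients = [
        Port("firewall", "promiscuous"),           # external / other-VLAN users
        Port("vpn-user", "community", "remote"),   # assumed community id
        Port("citrix-user", "community", "remote"),
        Port("web-server", "isolated"),
    ]
    return {c.name: can_forward(c, dns) for c in clients}


if __name__ == "__main__":
    for kind, comm in [("isolated", ""), ("community", "remote"), ("promiscuous", "")]:
        print(f"DNS port {kind:12s}: {dns_reachability(kind, comm)}")
```

Isolated keeps the firewall (and anything routed through it) working but cuts off same-VLAN hosts; community admits only the chosen group; promiscuous admits everyone, which is why the thread recommends it for DNS.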

Hi All,

Thanks for the replies. After reading the replies and also with limited lab environment testing, I have a better understanding now. Only thing I forgot to check is more than one port can be a promiscuous port. Correct?

Yes, you can have multiple promiscuous ports.

HTH
