Cisco Support Community
New Member

Catalyst 4507R VLANs

Got a question I should know the answer to. I have a 4507R with dual Sup II Plus. I have 5 layer 3 VLANs created. I have a business partner that has VPN access to our LAN. I need to give him access to a server; however, I do not want this server to be able to communicate with the rest of our LAN. My thought was to create a layer 2 VLAN on the 4507R, but I am not sure if layer 2 and layer 3 VLANs can coexist. Or am I better off creating another VLAN, putting the server in the new VLAN and then using ACLs to restrict access?

Thanks.

Accepted Solutions
Hall of Fame Super Blue

Re: Catalyst 4507R VLANs

Hi Jim

I might be misunderstanding due to your terminology, but I'm a little unclear what you mean by layer 3 VLANs as opposed to layer 2 VLANs.

VLANs work at layer 2. If you have 5 layer 3 VLANs on your 4507R then you are probably talking about the SVIs that have IP addresses assigned to them. But you will still have to have these VLANs created at layer 2 on the 4507R.

So if you want a layer 2 VLAN on your switch, I understand that to mean you do not want to create a layer 3 interface for it. That's fine and it will work, but if you do this some other device will have to do the routing for that VLAN. Your options are:

1) Create a new VLAN and give it an SVI interface. Readdress the server and use ACLs on the SVI.

2) Use a VLAN access-list, which will allow you to permit or deny traffic to and from the server at the layer 2 level, i.e. the server can be in the same subnet as other servers but you can still use a VLAN access-list. You wouldn't need to readdress the server.

3) Look at private VLANs, which will allow you to segregate the server within the same VLAN.

If the server is purely accessed by the 3rd party and you don't want the server talking to anything else within your LAN, I would think about option 1, as you are in effect creating a poor man's DMZ.

HTH

Jon
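
A sketch of option 1 from the answer above as IOS configuration, added here as an illustration and not taken from either poster. The VLAN number, ACL names, server address, partner VPN pool and access port are all constructed placeholders.

```cisco
! Added example. Constructed placeholder values:
!   VLAN 60, server 192.168.60.10/24, partner VPN pool 10.99.0.0/24,
!   server access port GigabitEthernet3/1
!
! The VLAN must exist at layer 2 before the SVI will come up.
vlan 60
 name PARTNER-SRV
!
! Applied inbound on the SVI: traffic leaving the server VLAN.
! The server may only reply to the partner VPN pool.
ip access-list extended PARTNER-SRV-IN
 permit ip host 192.168.60.10 10.99.0.0 0.0.0.255
 deny   ip any any
!
! Applied outbound on the SVI: traffic routed toward the server VLAN.
! Only the partner VPN pool may reach the server.
ip access-list extended PARTNER-SRV-OUT
 permit ip 10.99.0.0 0.0.0.255 host 192.168.60.10
 deny   ip any any
!
! The SVI is the server's new default gateway after readdressing.
interface Vlan60
 description Partner-only server segment
 ip address 192.168.60.1 255.255.255.0
 ip access-group PARTNER-SRV-IN in
 ip access-group PARTNER-SRV-OUT out
 no shutdown
!
! The server is the only host placed in VLAN 60.
interface GigabitEthernet3/1
 description Partner server
 switchport mode access
 switchport access vlan 60
```

Anything else the server needs (DNS, time, patching, management access) has to be added as an explicit permit above the deny in both lists. `show ip access-lists` shows per-entry match counts for checking that the denies are catching what they should.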

New Member

Re: Catalyst 4507R VLANs

Jon, thanks for the reply, it did answer my question. Yes, I should have made my post much clearer and used proper terminology. I am using SVIs that have IP addresses assigned to them.

Option 1 is what I was thinking of doing. Thanks again for your help.

Jim
