Isolated network with internet using 3560 switch

aquateencarl
Level 1

Hello fine Cisco internets people ;)

 

I need to set up and test an Active Directory server. The only internet connection I have is through our production network. I was hoping I could use an old 3560 switch and create two VLANs without any routing protocols enabled. One VLAN will connect to the production network with a valid static IP for that subnet, and make the 3560 switch act as nothing more than a host on the production network.

Below is the config I came up with but I have not connected to our production network yet (until I can verify it will not break/cause issues).

Current configuration : 1803 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
no aaa new-model
system mtu routing 1500
vtp mode transparent        <-- Wanted to make sure it doesn't take over and overwrite current production VLANs with its own VLANs when connected.
ip subnet-zero
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1-1014       <-- There will only be a single connection to this switch from the production switch. I don't want to have any screwiness with STP
!
vlan internal allocation policy ascending
!
vlan 10
 name Production Staff Network 10.100
 shutdown        <-- shutdown on purpose for right now
!
vlan 20
 name Isolated Playground (DMZ)
 shutdown        <-- shutdown on purpose for right now
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree bpdufilter enable   <-- Again avoiding any possible issues with STP and root bridge election
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0   <-- Not using
 shutdown
!
interface Vlan10
 ip address 10.100.1.8 255.255.255.0   <-- This should essentially make the switch nothing more than a host on the staff network
!
interface Vlan20
 ip address 10.128.5.1 255.255.255.0
!
ip default-gateway 10.100.1.1    <-- do not have any routing protocols configured, but this should allow internet requests from vlan 20 while still isolating traffic between vlan 10 and vlan 20 correct?

 

Other options could be double-NAT'ing as I also have an old 2600 router. Not sure if that's better or worse than what I'm attempting above.

 

Thanks in advance for your time and help.
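The double-NAT alternative mentioned above, written out as an added example (it is not the poster's configuration and not from Cisco): the 2600 takes the single production address on its outside interface, hides the isolated subnet behind it with PAT, and the 3560 is left as a plain layer 2 switch for VLAN 20. The interface names are assumptions; the addresses are the ones used in the thread.

```cisco
! Added example, not from the thread. Router: the old 2600.
! Fa0/0 faces production as an ordinary host; Fa0/1 faces the isolated VLAN 20.
! Interface names are assumptions (a 2621 has two FastEthernet ports).
!
interface FastEthernet0/0
 description Outside - production staff network, host address only
 ip address 10.100.1.8 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Inside - isolated test network (3560 VLAN 20)
 ip address 10.128.5.1 255.255.255.0
 ip nat inside
!
! Only the isolated subnet is eligible for translation.
access-list 1 permit 10.128.5.0 0.0.0.255
!
! PAT everything from the inside onto the outside interface address, so the
! production side only ever sees 10.100.1.8 and needs no route to 10.128.5.0/24.
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Static default route toward the production gateway. No dynamic routing
! protocol is configured, so nothing is advertised into production.
ip route 0.0.0.0 0.0.0.0 10.100.1.1
!
! Test hosts on 10.128.5.0/24 use 10.128.5.1 as their gateway.
```

With only dynamic PAT configured, production cannot initiate connections to the test server: an inbound packet for 10.100.1.8 that matches no translation entry is delivered to the router itself rather than forwarded inside, and adding a static mapping is the only way to change that. The 3560 needs no SVI address, no `ip default-gateway` and no `ip routing` for this; its G0/2 and the router's inside port simply share VLAN 20.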


glen.grant
VIP Alumni

The way you have it now, all traffic between vlan 10 and vlan 20 will be able to talk to each other; they are not isolated from each other unless you plan on using ACLs on the SVIs to isolate. The ip default-gateway command is for managing the switch only, if you turn off ip routing with the "no ip routing" command.

So vlan 10 and 20 will automatically be able to achieve inter-vlan routing without any routing protocol enabled, even though the IPs are in different subnets?

I'm fine with doing "no ip routing" if it still makes my goal possible. I'm also not against creating a static route as long as route advertising doesn't happen.

[Edit]

Did a quick test:

  • no shut on both of the VLANs
  • connected two laptops, one to each VLAN
  • set static IP on laptop (1) to 10.100.1.3 with gateway of 10.100.1.8
  • set static IP on laptop (2) to 10.128.5.9 with gateway of 10.128.5.1
  • disabled Windows firewall on each laptop

I could not ping to either laptop from the other - this is what I was expecting/looking for in terms of isolation. Is there something else I'm missing?

 

Yes, if you haven't turned off ip routing, any devices on that switch will be able to talk. Routing protocols are used to learn routes from other L3 devices in your network; if you have no routing protocols turned on, those devices wouldn't be able to talk, but anything attached locally to your 3560 will still be able to talk to each other. If you turn off ip routing then your goal of getting to the internet from vlan 20 will break.

Little confused. So far I have not entered "no ip route" into the config and the two laptops are not communicating with each other. 

From what I understand this is to be expected. Traffic from one vlan in a separate ip subnet, cannot communicate with another vlan in a different ip subnet without a route; even within the same layer 3 switch correct? The route could be static or learned, but if it doesn't exist, traffic will not communicate between the two vlans correct?

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Yes and no.

Routers will route between connected interfaces without explicit static route statements and/or a dynamic routing protocol.  However, if you disable routing (assuming you can), a L3 switch will be just a L2 switch.

Also however, for two hosts to communicate, they need to use the router's (or L3 switch) interfaces as their gateways, which they've either been configured to do or the router (or L3 switch) is configured to proxy on its interfaces.

If you have ip routing turned off that is the expected result, but how are you going to get vlan 20 to the internet if routing is turned off? The way you currently have it, you have 2 layer 2 domains with no routing enabled; no way to get traffic off those domains.

From what I read, ip default-gateway is the next hop from the switch for unresolved hosts on switches without ip routing enabled. In this case 10.100.1.1 is the default gateway of the production switch I will be connecting this switch to.

 

(10.100.1.1) Production Switch with internet <----> (G0/1) 3560 with config above (G0/2) <-->test server.

 

So my thought was, on vlan 20 the ip default-gateway will handle unresolved host requests for the internet by forwarding the request to the default gateway of the production switch. 

 

The production switch does not have a route for 10.128.5.0 /24... but will the production switch still pass internet traffic back to vlan 20 by going through ip default-gateway/vlan 10?

 

I will admit that I was never really sure if this will work because of my last sentence. I could have easily found out by hooking up the switch and giving it a go. However, I'm nervous about doing so and wanted to get advice before hand... just a double-check of config to make sure there is a very low chance of wide spread network problems on the production network.  
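What the routed version of this design would actually need, as an added example that is not from this thread or from Cisco: the accepted answer's point is that with routing off the two VLANs are separate layer 2 domains with no way off, and the return-path question just above is the other half of the problem. The ACL names are assumptions; the production router's line is shown only as a comment because it belongs on that device, which is exactly the step that touches production equipment.

```cisco
! Added example, not the poster's configuration. Addresses are from the thread;
! the ACL names VLAN10-IN / VLAN20-IN are assumptions.
!
! 1. Turn IP routing on. With it off, the SVIs are only management addresses and
!    "ip default-gateway" applies solely to traffic the switch itself originates.
ip routing
!
! 2. Once routing is on, "ip default-gateway" is ignored. A static default route
!    is what carries Internet-bound traffic from VLAN 20 to the production gateway.
ip route 0.0.0.0 0.0.0.0 10.100.1.1
!
! 3. Routing on also means the two connected subnets reach each other with no
!    routing protocol at all, so the isolation has to come from ACLs on the SVIs.
!    VLAN 20 may go anywhere except the staff subnet; the implicit deny at the end
!    also drops anything on VLAN 20 that is not sourced from 10.128.5.0/24.
ip access-list extended VLAN20-IN
 deny   ip 10.128.5.0 0.0.0.255 10.100.1.0 0.0.0.255
 permit ip 10.128.5.0 0.0.0.255 any
!
!    Nothing on the staff subnet may initiate toward VLAN 20; replies coming back
!    from the Internet through 10.100.1.1 carry public source addresses and pass.
ip access-list extended VLAN10-IN
 deny   ip 10.100.1.0 0.0.0.255 10.128.5.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.100.1.8 255.255.255.0
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip address 10.128.5.1 255.255.255.0
 ip access-group VLAN20-IN in
!
! 4. Return path. The production gateway has no route for 10.128.5.0/24, so
!    replies would be dropped there. It needs a route back to the 3560's VLAN 10
!    address, and whatever does NAT upstream must also translate 10.128.5.0/24.
!    This line goes on the production gateway (assumed to run IOS), not the 3560:
!    ip route 10.128.5.0 255.255.255.0 10.100.1.8
```

The practical consequence is the one the thread arrives at: the 3560-only design cannot work without a change on the production side, because either the production gateway learns a route to the test subnet or something between the 3560 and the Internet translates it. Everything else (no routing protocol, VTP transparent, no STP interaction on the uplink) keeps the switch from advertising anything into production.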

 

Thank you all for letting me brainfart out loud. I connected the switch to the production network briefly but got a "native vlan mismatch" error on the production switch. This makes sense. 

Somewhere in my mind I was hoping to be able to set up an isolated network with internet access using this switch connected to our production network.

I was trying to do this without NAT or Routing protocols to minimize possible negative impact to production network. Basically expecting "ip default-gateway" to perform magic - even though I knew it was unlikely. 

While I'm sure this could still be done with static routes and access lists, it's just not worth it at this point. The more I think about it, it would still be too risky for me.

The current production environment has DNS issues (not my responsibility :) and since I'm setting up a new AD server that will live in a separate network, I don't want to be remotely associated with current or future DNS issues - even if I can prove it's not me.

I'm gonna set up a laptop with a WWAN card, enable Windows ICS, and connect the ethernet port on the laptop to a layer 2 only vlan on the switch, then connect the server to the same vlan. Or use a dd-wrt router in wireless bridge mode joined to a mifi and connect the server to the router.

Simple enough and risk free, at least in regards to internal issues I'm concerned with.

 

 

 

 

 

 
