VLan without IP address

I would like to create two vlans on one switch, one without an IP address.  Here's why:

One vlan would be outside of my firewall.  It would have the Internet connection, connection to the firewall, and the outside card of my video bridge.  The IP addresses connected to that switch would be 168.xxx.xxx.1, 168.xxx.xxx.3 and 168.xxx.xxx.34.  The other vlan is for the DMZ for my firewall.  The IP addresses in there are in the 168.xxx.xxx.15-30 range.  I would like to assign an IP address to one VLAN for management purposes, but I don't see how I can assign one to the second VLAN because of overlapping IP addresses.  Right now these connections are on different switches.  Can I do this?

Carl Carpenter
Acting Director, Information Services
Hill Country Community MHMR Center
(830)258-5414

Accepted Solutions

Re: VLan without IP address

Hi Carl,

I'm not sure if I understand you.

1. You can create just a vlan. Now you have a "Layer 2" vlan just to carry traffic through the switch. "show vlan" will show you these vlans. This VLAN has no IP.

2. If you want to create a vlan with an IP, you need to create a vlan like in point 1 and you need to create an "interface vlan X" to assign an IP; here you can also use a subnet mask to define smaller networks.

Hope that helps you, if it is not clear, just let me know.

regards,
Sebastian

Re: VLan without IP address

Hi Carl,

I am a bit confused by the IP addressing you describe. It sounds as if you have a range of registered IP addresses that you have further subnetted to assign between your external and DMZ networks but I cannot see how you can have 168.xxx.xxx.1, 168.xxx.xxx.3 and 168.xxx.xxx.34 on the external and 168.xxx.xxx.15-30 on the DMZ.

It would be helpful if you can give more details of the addressing scheme including subnet masks and confirming whether the first three octets are common (i.e. xxx.xxx has the same value on the external and DMZ networks). It would also be helpful if you can post which switch and software image you have.

Regardless of the addressing scheme you use I would urge you not to assign an IP address to any switch VLAN that is external or a DMZ. I would create a third VLAN specifically for management and assign an internal IP address to it.

Hope this helps.
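
An added example, not part of the thread or any poster's configuration: a small Python check for the advice in the two replies above, that the outside and DMZ VLANs stay layer 2 only and only a separate management VLAN carries a switch IP. The VLAN numbers, names and addresses in the sample configs are constructed assumptions.

```python
import re

# Constructed samples (VLAN ids, names and addresses are assumptions):
# BEFORE puts a switch IP on the outside VLAN, AFTER uses a management SVI only.
BEFORE = """\
vlan 10
 name OUTSIDE
vlan 20
 name DMZ
interface Vlan10
 ip address 192.0.2.2 255.255.255.0
 no shutdown
interface Vlan20
 no ip address
 shutdown
"""

AFTER = """\
vlan 10
 name OUTSIDE
vlan 20
 name DMZ
vlan 99
 name MGMT
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
 no shutdown
"""

def svi_addresses(config):
    """Map VLAN id -> (ip, mask) for every 'interface VlanN' with an address."""
    found, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # a new top-level stanza begins
            m = re.match(r"interface Vlan(\d+)\s*$", line, re.I)
            current = int(m.group(1)) if m else None
        elif current is not None:
            m = re.match(r"\s+ip address (\S+) (\S+)", line)
            if m:                             # 'no ip address' does not match
                found[current] = (m.group(1), m.group(2))
    return found

def exposed_svis(config, untrusted_vlans):
    """Return the untrusted VLAN ids on which the switch itself has an IP."""
    return sorted(v for v in svi_addresses(config) if v in untrusted_vlans)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, svi_addresses(cfg), "exposed:", exposed_svis(cfg, {10, 20}))
```

A VLAN that appears only as a `vlan N` stanza is the layer 2 VLAN from the first reply; it shows up in neither result because the switch has no address on it.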

Re: VLan without IP address

Carl

If I understand you correctly, a typical setup for this is to use private RFC addressing for your DMZ (e.g. 192.168.x.x addressing) and then, if you want the DMZ servers to be reachable from the internet, you use NAT on the firewall, e.g. from an ASA -

static (dmz,outside) 168.x.x.x 192.168.5.10 netmask 255.255.255.255

would allow the DMZ server 192.168.5.10 to be accessed from the internet on the 168.x.x.x address.

Jon

Re: VLan without IP address

Great replies and very helpful.  I particularly like James' suggestion to put a third vlan on for management purposes.  And yes, the first three octets are all the same.  Thanks for the help.
