I have been looking around and trying to find ideas on how to isolate a test lab from our main network whilst still allowing the test lab access out to the internet.
At the moment, our main network is on a 10.11.23.x subnet. To this we have added a Cisco Catalyst WS2960 on 10.11.23.245. I have created vlan23 on this switch, 10.11.23.245 and vlan192, 192.168.0.252.
Physically plugged into vlan23 of this switch is eth0 of an HP desktop server running CentOS. Plugged into vlan192 of the switch is eth1 of the same HP machine.
So the switch config shows:
interface Vlan23
ip address 10.11.23.245 255.255.255.0
!
interface Vlan192
ip address 192.168.0.252 255.255.255.0
And the CentOS box shows:
eth0 Link encap:Ethernet HWaddr A0:48:1C:D6:8D:78
inet addr:10.11.23.212 Bcast:10.11.23.255 Mask:255.255.255.0
inet6 addr: fe80::a248:1cff:fed6:8d78/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4463062082 errors:0 dropped:0 overruns:0 frame:0
TX packets:4058451942 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1677558138503 (1.5 TiB) TX bytes:1109258225607 (1.0 TiB)
Interrupt:17
eth1 Link encap:Ethernet HWaddr A0:48:1C:D6:8D:79
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::a248:1cff:fed6:8d79/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2983685 errors:1 dropped:0 overruns:0 frame:2
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:231387664 (220.6 MiB) TX bytes:522 (522.0 b)
Interrupt:18
From the CentOS box I can ping anything on vlan23 but nothing on the private test LAN, vlan192. Same goes for the switch: it can't even ping eth1 on the CentOS box, which is physically plugged into one of its own ports.
We want vlan192 to remain invisible from vlan23 as we are setting up a test domain controller and want to be sure that it's not interfering in any way; however, the gateway out to the internet is 10.11.23.254. Can this be done?
Thanks in advance for any suggestions.
If you've got a firewall between the test VLAN and the main gateway, try making a rule that allows access to "not 192.168.0.0/16, 172.16.0.0/16, 10.0.0.0/8". This should amount to "allow access to everything not on a private network", which is the internet. I'm no expert but I've got a VLAN of isolated servers at home set up with a rule like this and it can access the internet and its own VLAN, but nothing else.
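As an added worked example (not part of the question or the answer above), here is the "allow everything that is not a private network" policy written both as a checkable function and as the iptables rules that would implement it on the CentOS box from the question. It assumes the CentOS box is the lab VLAN's default gateway with eth1 on 192.168.0.0/24 and eth0 on the 10.11.23.0/24 uplink, which the question does not state; the interface names and subnets are taken from the question, the sample destinations are constructed, and the private blocks are the three RFC 1918 ranges as RFC 1918 defines them (the middle block being 172.16.0.0/12).

```python
import ipaddress

# Values taken from the question: the lab VLAN behind eth1, the uplink on eth0.
LAB_NET = ipaddress.ip_network("192.168.0.0/24")
LAB_IF = "eth1"      # CentOS NIC on vlan192 (192.168.0.100)
UPLINK_IF = "eth0"   # CentOS NIC on vlan23 (10.11.23.212, gateway 10.11.23.254)

# RFC 1918 private blocks; RFC 1918 defines the middle one as 172.16.0.0/12.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def destination_allowed(dst, lab_net=LAB_NET):
    """Policy check: may a host in the lab reach destination `dst`?

    Allowed: the lab's own subnet and anything that is not a private
    address (i.e. the internet).  Denied: every other RFC 1918 address,
    which includes the main 10.11.23.0/24 network.
    """
    addr = ipaddress.ip_address(dst)
    if addr in lab_net:
        return True
    return not any(addr in net for net in RFC1918)


def iptables_rules(lab_net=LAB_NET, lab_if=LAB_IF, uplink_if=UPLINK_IF):
    """Return the iptables commands that implement the same policy on the
    CentOS box when it is the lab's default gateway (assumed setup)."""
    rules = [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -P FORWARD DROP",                       # default deny
        # let replies to lab-initiated connections come back in
        f"iptables -A FORWARD -i {uplink_if} -o {lab_if} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    # explicit drops for every private block, evaluated before the accept
    for net in RFC1918:
        rules.append(f"iptables -A FORWARD -i {lab_if} -o {uplink_if} "
                     f"-s {lab_net} -d {net} -j DROP")
    rules.append(f"iptables -A FORWARD -i {lab_if} -o {uplink_if} "
                 f"-s {lab_net} -j ACCEPT")
    # hide lab addresses behind the box's vlan23 address on the way out
    rules.append(f"iptables -t nat -A POSTROUTING -o {uplink_if} "
                 f"-s {lab_net} -j MASQUERADE")
    return rules


def audit(destinations):
    """Constructed check: map each destination to allowed (True) / denied (False)."""
    return {d: destination_allowed(d) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: a public DNS server, the main network's
    # gateway, a lab host, and an address inside the rest of 172.16.0.0/12.
    for dst, ok in audit(["8.8.8.8", "10.11.23.254",
                          "192.168.0.100", "172.20.1.1"]).items():
        print(f"{dst:15} {'allowed' if ok else 'denied'}")
    print()
    print("\n".join(iptables_rules()))
```

Two caveats when applying this: the FORWARD rules only govern traffic that actually passes through the CentOS box, so any other Layer 3 path between the VLANs (for example the switch's own Vlan192 SVI if the Catalyst is routing) bypasses them and must be closed separately; and the box's own eth1 address is still reachable from the lab via the INPUT chain, which needs its own rules if the box itself should not be a stepping stone into 10.11.23.0/24.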