Implementing test network


Just wondered what people thought about the idea of a test network being used in a company.

We have such a beast; however, I just want to clarify some things I am not 100% comfortable with, and wanted to know whether I am being very old-fashioned or whether there is some basis to my concerns.

We currently have a core switch with several VLANs on it for internal purposes. The people who configured this put an extra VLAN on it for the test network; currently all traffic can pass through, but it will be locked down using ACLs on the core switch. The reason for this, apparently, is so we can use the VLAN capabilities on the internal switch to assign ports to the test network.

Is this really a separate network from the "live" environment, and could there be any problems?

The other thing is that we have a small ADSL connection to simulate WAN access; however, for some reason we have had a few of our existing public IP addresses (on the live system) set aside for the test network, going through our existing PIX to the test network. The reason for this is that the ADSL connection will act as a loop-through so we can do external tests. I have tested this and it works, but I was thinking we would be able to use a set of public IP addresses (or even just one address on the DSL interface) and use them/it as our external address if required?

I realise I have only scratched the surface, but I just wondered what sort of problems we may run into with this type of setup (if of course there are any)?

Thanks. Andrew.

Andrew Hodgson

Good questions. You should not have a test network on your production switches. Test networks are vulnerable to experimentation, and a bad experiment with, say, multicast or broadcasting or turning off spanning tree or... could bring down the production VLANs. Get the test network off there!

I don't understand what you mean by using ADSL to simulate WAN access. WAN generally refers to connecting multiple sites together. But you go on to describe wanting to test your Internet-facing services and how the production PIX leads you to the test network. While I don't entirely follow, my gut reaction is: get the production PIX off the test network and use another device to protect egress to the Internet. Likely you are wanting to test your production apps from the perspective of someone outside. IOS firewall should be fine for this purpose, or use another PIX.
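For concreteness, this is roughly what the ACL lock-down described in the original post looks like on a Cisco IOS core switch. It is an added example, not configuration from either poster: VLAN 99, the 10.99.0.0/24 test range and the production ranges are all hypothetical placeholders. It also shows the port-level guards that limit, but do not remove, the Layer 2 risks the reply above raises.

```cisco
! Added example (not from the thread). Assumes Cisco IOS on the core switch,
! VLAN 99 as the test VLAN, 10.99.0.0/24 as the test range and RFC1918
! production ranges; all of these are hypothetical.
ip access-list extended TEST-VLAN-IN
 remark Test hosts may not initiate anything towards production ranges
 deny   ip 10.99.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 10.99.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 10.99.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark Everything else (e.g. towards the test-side ADSL router) is allowed
 permit ip 10.99.0.0 0.0.0.255 any
!
interface Vlan99
 description Test network - isolated from production by ACL only
 ip address 10.99.0.1 255.255.255.0
 ip access-group TEST-VLAN-IN in
!
interface FastEthernet0/24
 description Test host port
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 5.00
```

Two caveats a practitioner would want here. The inbound ACL on the SVI only governs traffic that originates in the test VLAN; a mirror-image deny on the production SVIs (or an outbound ACL on Vlan99) is needed to stop production hosts reaching the test hosts. And because the ACL is applied at Layer 3, it does nothing about a broadcast storm or a spanning-tree change inside VLAN 99 hitting the shared switch CPU and trunks; BPDU guard and storm control reduce that exposure, but the switch itself is still shared, which is exactly the objection in the reply above.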



Right. In the past we've done the same thing: used a separate link to test our connectivity and security. The separate link was from a different ISP in a different IP range, so while we were at our desks we could be testing how our equipment interacted with "outside" packets.

When we did this, our separate link had a different demarc. We plugged it into a layer 2 switch, on a different VLAN, and trunked that VLAN around through more layer 2 switches to reach our testbed PIX.

This differs from what you are suggesting in that we did not have a *complete* separation of test and production network. Any packets that weren't addressed to the distinct address range weren't going to make it through the ISP to our secondary demarc, and the layer 2 switches were not -themselves- going to act upon packets not addressed to them and not in their management VLAN. We considered the risk of someone managing to inject a successful VLAN hopping attack between the ISP and our demarc to be negligible, particularly as the link was encrypted.

Walter Roberson