Isolating VLANS

Answered Question
Oct 11th, 2007

Suppose we have one router connected to an L2 switch, and pc A (in vlan5) and pc B (in vlan 10) are connected to the switch. The router has a default route to the ISP (ie for internet connectivity).


We want pc A and B to access the internet, but they should be isolated from each other. Will private vlans solve this problem?


Francois Tallet Thu, 10/11/2007 - 21:55

To put it short... no. Right now, your two pcs are isolated at layer 2. Private vlan was designed to provide the same isolation from within the same vlan (i.e. A & B would both be in vlan 5, but they still would not be able to communicate directly at L2, as if they were on different vlans). The reason for this feature is that if you want to isolate 10 hosts by segregating them in 10 different vlans, you need 10 IP subnets and you will potentially waste a large range of IP addresses that will be unused on each of them. With private vlan, you just need one subnet for all your segregated hosts.

If you want to isolate A & B at L3, in your scenario as well as with private vlan, you'll need some L3 access lists.

Regards,

Francois

hi.622823 Thu, 10/11/2007 - 23:38

Hi Francois,


Okay, let's forget about private vlans.


In the given scenario, let's say we have some subinterfaces on the router port connected to the switch (eg eth0.5, ip 192.168.5.1/24 and eth0.10, ip 192.168.10.1/24), but NO trunking encapsulation defined. pc A's default gateway is 192.168.5.1/24, and for pc B it's 192.168.10.1/24.


Will this solve the problem? If not, what is needed to achieve the goal for the given scenario?


Thanks.

Correct Answer
paul.matthews Thu, 10/11/2007 - 23:56

Without trunking, neither will work.

The way to do this will be with access lists:

! Block traffic between the two VLAN subnets in both directions, permit everything else (e.g. the internet).
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip any any

! 802.1Q subinterface for VLAN 5, ACL applied inbound (traffic arriving from the PCs).
interface eth0.5
 encapsulation dot1q 5
 ip address 192.168.5.1 255.255.255.0
 ip access-group 101 in

! 802.1Q subinterface for VLAN 10, same ACL applied inbound.
interface eth0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in

I have just done this with a single access list that will block traffic either way to keep things simple.

There are other ways it can be done, but an access list is simpler.

hi.622823 Fri, 10/12/2007 - 00:31

Paul,


Thanks for your response. I see that the above configuration will solve the problem in my post.


Just as a follow up, it seems to me that access-lists are not a scalable solution. If you agree, could you perhaps suggest an alternate methodology?

paul.matthews Fri, 10/12/2007 - 00:44

It depends on how far you want to go. Access lists would be awkward if you were trying to protect hundreds of VLANS, but they could be made simpler with careful address scheme design - if this router had 100 VLANs all using RFC1918 addressing, and you wanted to prevent any VLAN talking to another, but allow them all out to talk to real internet addresses, an access list that blocks RFC1918 to RFC1918 addressing would be a simple access list applied inbound on all local interfaces.


VRF may be a more scalable solution, but it would have to be planned from the start. You would also need to make sure all the support staff understood VRF. Anyone working on live Cisco kit should understand ACLs, so when someone has a problem 3am Sunday morning it can be sorted by the staff on shift. Do something like VRF without training the staff and guess who's getting a 3am call!
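As an added illustration (not part of this thread, and not Cisco's own code), the following Python model shows how IOS evaluates both access lists discussed above: Paul's ACL 101 from the accepted answer, and the generalised "RFC1918 to RFC1918" deny list from his follow-up. It assumes standard IOS semantics (wildcard mask bits set to 1 are "don't care", entries are checked top-down, first match wins, and an unmatched packet hits the implicit deny at the end). The sample packets, the ACL number 102 and the internet address 198.51.100.7 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "network wildcard" or "any"
    dst: str


def _matches(addr: str, spec: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 have to agree."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def _take_addr(tokens):
    """Consume one source/destination spec: any | host A | A WILDCARD."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines (the form used in the thread)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = _take_addr(tokens[4:])
        dst, _ = _take_addr(rest)
        entries.append(AclEntry(tokens[2], src, dst))
    return entries


def evaluate(acl, src, dst):
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for entry in acl:
        if _matches(src, entry.src) and _matches(dst, entry.dst):
            return entry.action
    return "deny"


# ACL 101 as posted in the accepted answer (abbreviations expanded).
ACL_101 = parse_acl([
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "access-list 101 permit ip any any",
])

# The generalised "RFC1918 to RFC1918" list from the follow-up: nine deny lines
# cover every private-to-private combination, then everything else is permitted.
# ACL number 102 is an assumption for this example.
RFC1918 = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]
ACL_RFC1918 = parse_acl(
    [f"access-list 102 deny ip {s} {d}" for s in RFC1918 for d in RFC1918]
    + ["access-list 102 permit ip any any"]
)

# Constructed sample packets as seen inbound on eth0.5 (PC A's VLAN).
SAMPLE_PACKETS = [
    ("192.168.5.20", "192.168.10.20"),  # PC A -> PC B
    ("192.168.5.20", "198.51.100.7"),   # PC A -> an internet host (documentation address)
    ("192.168.5.20", "192.168.20.5"),   # PC A -> a third VLAN that ACL 101 does not mention
    ("192.168.5.20", "192.168.5.1"),    # PC A -> its own default gateway on the router
]


def run(acl, packets=SAMPLE_PACKETS):
    """Return the verdict for each sample flow under the given ACL."""
    return {f"{s}->{d}": evaluate(acl, s, d) for s, d in packets}


if __name__ == "__main__":
    for name, acl in (("ACL 101", ACL_101), ("RFC1918 ACL", ACL_RFC1918)):
        print(name)
        for flow, verdict in run(acl).items():
            print(f"  {flow:32} {verdict}")
```

The two verdict tables differ on the last two flows. ACL 101 only knows about VLANs 5 and 10, so a third VLAN stays reachable until another pair of deny lines is added, which is the scaling problem raised in the follow-up; the RFC1918 version closes that gap for every private subnet at once. The caveat is that an inbound ACL is also checked for packets addressed to the router itself, so the RFC1918 list would deny PC A reaching its own gateway 192.168.5.1 (ping, or any service the router offers to the VLAN); in practice a permit for the gateway addresses would need to precede the deny lines.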

Francois Tallet Fri, 10/12/2007 - 08:35

The scalability will depend on how many such subnets you can summarize in a single access list. That might be where private vlan could help;-) With private vlans, you don't need many subnets. In fact, you could have all your hosts on a single subnet, in a single private vlan and thus use a single access list.

Regards,

Francois

hi.622823 Sat, 10/13/2007 - 01:03

Okay, let's re-work the scenario for private vlans. So would pc A and B be in a secondary vlan, and the switchport connected to the router a promiscuous port?
