Isolating a VLAN

Unanswered Question

Hi All,

Happy new Year to everyone!

I need to isolate a VLAN on our switch so that it cannot connect at either L2 or L3 to any other of the VLANs.

Here's a brief overview of what we have...

VLAN10 - 192.168.1.0 /24

VLAN20 - 192.168.2.0 /24

VLAN30 - 192.168.3.0 /24

VLAN40 - 10.30.25.0 /24

Allowing VLAN 10, 20 and 30 to communicate with each other is not a problem. However, I need to isolate VLAN40 so it can only communicate with hosts on that network.

I had read something about VLAN tagging, but can't seem to get it!

Any advice would be appreciated.

Jon Marshall Thu, 01/03/2008 - 03:51

Hi Steven

The simplest thing to do is to make sure there is no layer 3 interface for vlan 40, i.e. the vlan exists at layer 2 on your switch(es) but there is no

int vlan 40
 ip address 192.168.5.1 255.255.255.0

Without a L3 interface for the vlan, any machine in that vlan can only talk to other machines in the same vlan.

Jon

shrikar.dange Thu, 01/03/2008 - 03:53

hi,

If all the users of the vlan 40 are on the same switch and the switch is L2, then don't allow that vlan on the trunk. Also prune it in the VTP advertisements.

s.arunkumar Thu, 01/03/2008 - 03:55

To add to the above, at L3 level you can use a VACL for the same:

! wildcard mask, not a subnet mask: 0.0.0.255 matches the whole 10.30.25.0/24
access-list 100 permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255
!
vlan access-map test
 match ip address 100
 action forward
!
! IP packets that match no sequence in the map are dropped, so only intra-VLAN traffic is forwarded
vlan filter test vlan-list 40

royalblues Thu, 01/03/2008 - 04:09

I agree with Jon that not creating an SVI would be the best and simplest solution, but there are other ways like creating IP ACLs, VRF lite etc.

The choice should be based on how you want to configure the VLAN, i.e. whether completely isolated (no access to anything else) or restriction just between the vlans with access to the outside world etc.

Narayan

Narayan

I took S.Arunkumar's advice as I need to give this VLAN some external access.

and added the following...

ip access-list extended ISOLATE_VLAN
 ! intra-VLAN traffic (including to the SVI / default gateway)
 permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255
 ! outbound HTTP: the line as first posted had no destination, which IOS rejects
 permit tcp 10.30.25.0 0.0.0.255 any eq www
 ! return HTTP traffic: a VACL is stateless, so the replies must be permitted too
 permit tcp any eq www 10.30.25.0 0.0.0.255
!
vlan access-map WIRELESS 10
 action forward
 match ip address ISOLATE_VLAN
!
vlan filter WIRELESS vlan-list 40

However, although none of the other VLANs have access to this network, I am unable to telnet out on port 80 as required.

...Thanks everyone
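The two ACL problems in this thread (the subnet mask typed where a wildcard mask belongs in s.arunkumar's access-list 100, and the missing return-traffic entry in Steven's ISOLATE_VLAN) are easiest to see by evaluating the ACLs against a few packets. The script below is an added example, not code from the thread or from Cisco: a minimal simulator of IOS wildcard matching and first-match VACL semantics (an IP packet that matches no sequence of the access-map is dropped; a `deny` entry in the matched ACL simply means "no match for that sequence"). It ignores ARP/MAC ACLs and TCP state. All addresses, ports and the three ACL variants are constructed sample values.

```python
"""Added example: evaluate IOS-style extended ACLs used as a VACL (constructed data)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & MASK32
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any IP protocol; else "tcp"/"udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None  # source port (eq), None = any
    dport: Optional[int] = None  # destination port (eq), None = any


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; implicit deny at the end of every ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def vacl_forwards(access_map: List[Tuple[List[Ace], str]], pkt: Packet) -> bool:
    """access_map is an ordered list of (match ACL, action). A sequence matches
    when its ACL *permits* the packet; IP packets matching no sequence are dropped."""
    for acl, action in access_map:
        if acl_lookup(acl, pkt) == "permit":
            return action == "forward"
    return False


def evaluate(acl: List[Ace], packets: Dict[str, Packet]) -> Dict[str, bool]:
    """Apply a single-sequence 'action forward' access-map to each sample packet."""
    return {name: vacl_forwards([(acl, "forward")], pkt) for name, pkt in packets.items()}


ANY = ("0.0.0.0", "255.255.255.255")
SUBNET = ("10.30.25.0", "0.0.0.255")

# access-list 100 as posted: 255.255.255.0 used as the wildcard (bug)
WRONG_MASK = [Ace("permit", "ip", "10.30.25.0", "255.255.255.0", "10.30.25.0", "255.255.255.0")]
# ISOLATE_VLAN with the destination added: intra-VLAN plus outbound HTTP, no replies
OUTBOUND_ONLY = [Ace("permit", "ip", *SUBNET, *SUBNET),
                 Ace("permit", "tcp", *SUBNET, *ANY, dport=80)]
# Corrected: also permit HTTP replies coming back from any web server
FIXED = OUTBOUND_ONLY + [Ace("permit", "tcp", *ANY, *SUBNET, sport=80)]

# Constructed sample packets (203.0.113.5 is a documentation address)
SAMPLE = {
    "intra_vlan": Packet("ip", "10.30.25.10", "10.30.25.20"),
    "http_request": Packet("tcp", "10.30.25.10", "203.0.113.5", sport=40000, dport=80),
    "http_reply": Packet("tcp", "203.0.113.5", "10.30.25.10", sport=80, dport=40000),
    "from_vlan10": Packet("ip", "192.168.1.5", "10.30.25.10"),
}

if __name__ == "__main__":
    for label, acl in (("wrong mask", WRONG_MASK), ("outbound only", OUTBOUND_ONLY), ("fixed", FIXED)):
        print(label, evaluate(acl, SAMPLE))
```

With the subnet mask used as a wildcard, only the last octet is compared, so even the intra-VLAN packet between .10 and .20 is dropped. The outbound-only ACL forwards the request but drops the server's reply, which is exactly the symptom of a one-way rule on a stateless filter; the corrected ACL forwards both directions while still dropping traffic arriving from VLAN 10.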

