01-03-2008 03:41 AM - edited 03-05-2019 08:15 PM
Hi All,
Happy new Year to everyone!
I need to isolate a VLAN on our switch so that it cannot connect at either L2 or L3 to any of the other VLANs.
Here's a brief overview of what we have...
VLAN10 - 192.168.1.0 /24
VLAN20 - 192.168.2.0 /24
VLAN30 - 192.168.3.0 /24
VLAN40 - 10.30.25.0 /24
Allowing VLAN 10, 20 and 30 to communicate with each other is not a problem. However, I need to isolate VLAN40 so it can only communicate with hosts on that network.
I had read something about VLAN tagging, but can't seem to get it!
Any advice would be appreciated.
01-03-2008 03:51 AM
Hi Steven
The simplest thing to do is to make sure there is no layer 3 interface for vlan 40, i.e. the vlan exists at layer 2 on your switch(es) but there is no
int vlan 40
ip address 192.168.5.1 255.255.255.0
Without an L3 interface for the vlan, any machine in that vlan can only talk to other machines in the same vlan.
Jon
01-03-2008 03:53 AM
hi,
If all the users of the vlan 40 are on the same switch and the switch is L2 then don't allow that vlan on the trunk. Also prune it in the VTP advertisements.
01-03-2008 04:10 AM
Thanks! I'm going to try this now.
01-03-2008 03:55 AM
To add to the above, at L3 level you can use a VACL for the same:
access-list 100 permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255
vlan access-map test
match ip address 100
action forward
vlan filter test vlan-list 40
01-03-2008 04:09 AM
I agree with Jon that not creating an SVI would be the best and simplest solution, but there are other ways like creating IP ACLs, VRF lite etc.
The choice should be based on how you want to configure the VLAN, i.e. whether completely isolated (no access to anything else) or restricted just between the vlans with access to the outside world etc.
Narayan
01-04-2008 02:25 AM
I took S.Arunkumar's advice as I need to give this VLAN some external access,
and added the following...
ip access-list extended ISOLATE_VLAN
permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255
permit tcp 10.30.25.0 0.0.0.255 eq www
vlan access-map WIRELESS 10
action forward
match ip address ISOLATE_VLAN
vlan filter WIRELESS vlan-list 40
However, although none of the other VLANs have access to this network, I am unable to telnet out on port 80 as required.....
...Thanks everyone
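The following is an added example, not code from the thread. It models how a vlan access-map with an IOS-style extended ACL decides each packet (the VACL approach S.Arunkumar suggests and the ISOLATE_VLAN list posted above), and uses that model to show why no HTTP session can complete with the posted list: a VACL is stateless and is applied to every packet entering, leaving or bridged within the VLAN, so the web server's replies also have to be permitted. The assumptions are: the posted "permit tcp ... eq www" entry was meant to carry a destination of any, the VACL behaviour just described (first match wins, unmatched packets dropped), the server address 203.0.113.10 and the http_session_works helper are constructed for the demonstration, and the "fixed" list with deny entries for the 192.168.0.0/16 VLANs is a suggested configuration, not one from the thread.

```python
# Added example, not from the thread: a small model of how a vlan access-map
# with an IOS-style extended ACL decides each packet. It shows why the
# ISOLATE_VLAN list posted above lets no HTTP session complete, and what an
# entry set that does work looks like. Assumed VACL behaviour: stateless, applied
# to every packet entering, leaving or bridged within the VLAN, first matching
# entry wins, and a packet that matches no entry is dropped.
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23}  # a few of the port names IOS accepts


def _port(tok):
    return int(PORT_NAMES.get(tok, tok))


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # ipaddress reads an IOS wildcard as a hostmask: 10.30.25.0/0.0.0.255 -> /24
    return ipaddress.ip_network(f"{t}/{wildcard}", strict=False)


def _opt_port(tokens):
    """Consume an optional 'eq <port>' operator; None when absent."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return _port(tokens.pop(0))
    return None


def parse_ace(line):
    """Parse one entry such as 'permit tcp 10.30.25.0 0.0.0.255 any eq www'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _addr(tokens), _opt_port(tokens)
    dst, dport = _addr(tokens), _opt_port(tokens)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """pkt is a dict with src, dst, proto and optional sport/dport."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return True


def vacl_verdict(acl_lines, pkt):
    """First matching entry decides; with no match the access-map drops the packet."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return "forward" if ace["action"] == "permit" else "drop"
    return "drop"


# The posted list, with the destination 'any' that the thread's copy omits
# (assumed to be what was intended).
POSTED_ACL = [
    "permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255",
    "permit tcp 10.30.25.0 0.0.0.255 any eq www",
]

# Assumed corrected list: the other VLANs are denied before 'any' is permitted,
# and the web server's replies (source port 80) are allowed back into VLAN 40.
FIXED_ACL = [
    "permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255",
    "deny ip 10.30.25.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "deny ip 192.168.0.0 0.0.255.255 10.30.25.0 0.0.0.255",
    "permit tcp 10.30.25.0 0.0.0.255 any eq www",
    "permit tcp any eq www 10.30.25.0 0.0.0.255",
]


def http_session_works(acl_lines, client="10.30.25.7", server="203.0.113.10"):
    """True only if both the client's SYN and the server's reply are forwarded.
    The server address is a constructed documentation address."""
    out = {"src": client, "dst": server, "proto": "tcp", "sport": 40001, "dport": 80}
    back = {"src": server, "dst": client, "proto": "tcp", "sport": 80, "dport": 40001}
    return (vacl_verdict(acl_lines, out) == "forward"
            and vacl_verdict(acl_lines, back) == "forward")


if __name__ == "__main__":
    print("posted list, outbound HTTP works:", http_session_works(POSTED_ACL))  # False
    print("fixed list, outbound HTTP works:", http_session_works(FIXED_ACL))    # True
```

Two things the model makes visible: the posted list forwards the outbound SYN but drops the server's SYN-ACK, which is exactly the "cannot telnet out on port 80" symptom, and a bare "permit ... any eq www" also lets VLAN 40 reach port 80 on the other VLANs, so deny entries for those ranges belong before it. The return-direction entry is still a stateless hole (anything sent from source port 80 is let in), which is why a stateful firewall or the IOS "established" keyword is the stronger choice where available.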