Isolating a VLAN

steven.wright (Level 1)

Hi All,

Happy New Year to everyone!

I need to isolate a VLAN on our switch so that it cannot connect at either L2 or L3 to any of the other VLANs.

Here's a brief overview of what we have...

VLAN10 - 192.168.1.0 /24

VLAN20 - 192.168.2.0 /24

VLAN30 - 192.168.3.0 /24

VLAN40 - 10.30.25.0 /24

Allowing VLAN 10, 20 and 30 to communicate with each other is not a problem. However, I need to isolate VLAN40 so it can only communicate with hosts on that network.

I had read something about VLAN tagging, but can't seem to get it!

Any advice would be appreciated.

6 Replies

Jon Marshall (Hall of Fame)

Hi Steven

The simplest thing to do is to make sure there is no layer 3 interface for VLAN 40, i.e. the VLAN exists at layer 2 on your switch(es) but there is no

int vlan 40

ip address 192.168.5.1 255.255.255.0

Without an L3 interface for the VLAN, any machine in that VLAN can only talk to other machines in the same VLAN.

Jon

shrikar.dange (Level 1)

Hi,

If all the users of VLAN 40 are on the same switch and the switch is L2, then don't allow that VLAN on the trunk. Also prune it in the VTP advertisements.

Thanks! I'm going to try this now.

s.arunkumar (Level 3)

To add to the above, at the L3 level you can use a VACL for the same:

access-list 100 permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255

vlan access-map test

match ip address 100

action forward

vlan filter test vlan-list 40

I agree with Jon that not creating an SVI would be the best and simplest solution, but there are other ways, like creating IP ACLs, VRF-lite, etc.

The choice should be based on how you want to configure the VLAN, i.e. whether completely isolated (no access to anything else) or just restricted between the VLANs with access to the outside world, etc.

Narayan


I took S.Arunkumar's advice, as I need to give this VLAN some external access,

and added the following...

ip access-list extended ISOLATE_VLAN

permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255

permit tcp 10.30.25.0 0.0.0.255 any eq www

vlan access-map WIRELESS 10

action forward

match ip address ISOLATE_VLAN

vlan filter WIRELESS vlan-list 40

However, although none of the other VLANs have access to this network, I am unable to telnet out on port 80 as required.....

...Thanks everyone
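Worked example, added here and not part of the original thread, covering two problems with the ACLs posted above: the first VACL was written with subnet masks where IOS expects wildcard masks, and the ISOLATE_VLAN list permits only the outbound SYN to port 80, while a VACL also filters the reply coming back into VLAN 40, which is why the port 80 connection never completes. The parser, the `Packet`/`Ace` types, the sample packets, the 203.0.113.5 server address and the added return-traffic entry are all my assumptions, not configuration from the thread.

```python
# Added example (not from the thread): a small model of a Cisco IOS extended
# ACL evaluated as a VACL. The parser covers only ip/tcp/udp, wildcard masks,
# 'any', 'host' and 'eq <port>', which is all the thread's ACLs use.
import ipaddress
from collections import namedtuple
from typing import Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

# proto is "tcp"/"udp"/"icmp"; ports are 0 where not applicable
Packet = namedtuple("Packet", "proto src dst sport dport")
# proto "ip" matches any protocol; src/dst are (address, wildcard); port None = any
Ace = namedtuple("Ace", "action proto src sport dst dport")


def addr_match(addr: str, spec: str, wildcard: str) -> bool:
    """Cisco wildcard: a set bit means 'don't care'. 255.255.255.0 ignores the
    first three octets and forces the last to match, the opposite of a /24."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(spec))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (s & ~w)


def _parse_addr(tokens: list) -> Tuple[str, str]:
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))  # address followed by its wildcard


def _parse_port(tokens: list) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_acl(text: str) -> list:
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines, skipping
    the 'ip access-list' header line and '!' comments."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!") or tokens[0] == "ip":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(rest)
        sport = _parse_port(rest)
        dst = _parse_addr(rest)
        dport = _parse_port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces: list, pkt: Packet) -> str:
    """First matching entry wins; an access-map with only 'action forward'
    drops everything the ACL does not permit (implicit deny)."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (addr_match(pkt.src, *ace.src) and addr_match(pkt.dst, *ace.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# The ACL as posted, with the 'any' destination the incomplete line needed.
ACL_AS_POSTED = """
ip access-list extended ISOLATE_VLAN
 permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255
 permit tcp 10.30.25.0 0.0.0.255 any eq www
"""

# A VACL filters traffic entering VLAN 40 as well as leaving it, so the web
# server's reply needs its own entry. Assumed fix, not a config from the thread.
ACL_FIXED = ACL_AS_POSTED + " permit tcp any eq www 10.30.25.0 0.0.0.255\n"

# Constructed sample traffic; 203.0.113.5 stands in for an external web server.
SAMPLE = {
    "http_syn":   Packet("tcp", "10.30.25.10", "203.0.113.5", 50000, 80),
    "http_reply": Packet("tcp", "203.0.113.5", "10.30.25.10", 80, 50000),
    "lateral":    Packet("tcp", "10.30.25.10", "192.168.1.20", 50001, 22),
    "intra_vlan": Packet("tcp", "10.30.25.10", "10.30.25.11", 50002, 445),
    "dhcp_disc":  Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
}


def decisions(acl_text: str) -> dict:
    """Verdict for every sample packet under the given ACL."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLE.items()}
```

Running `decisions(ACL_AS_POSTED)` shows the outbound SYN forwarded and the server's reply dropped, which matches the symptom described; with the extra entry in `ACL_FIXED` both directions pass while lateral traffic to 192.168.1.0/24 is still denied. Note that the DHCP DISCOVER (0.0.0.0 to 255.255.255.255) is dropped by both lists, so if VLAN 40 hosts use DHCP or DNS, `bootps`/`bootpc` and `domain` entries are needed as well. On the switch, `permit tcp any eq www 10.30.25.0 0.0.0.255 established` limits the return entry to packets with ACK/RST set, and `show vlan access-map` and `show vlan filter` confirm what is actually applied to VLAN 40.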

