Isolate single VLAN

meiser1985 · ‎10-17-2013

I inherited a C4510R+E switch with about 15 VLANs which can all talk to each other just fine. I have been tasked with isolated 1 of the VLANs from all of the others and putting a firewall (ASA5510) in between the other VLANs and the isolated one. I would like to keep the VLAN ID everything else the same for a quick switch over. What would be the best way to acomplish this?

rfalconer.sffcu · ‎10-17-2013

If you are just trying to filter the specific traffic that goes in and out of that vlan, just set up a L3 inteface on the 4500, connect one of the asa interfaces to that L3 port and use a static route to send the destination IP space of that vlan to the ASA.

The other interface of the asa will go to the isolated vlan on the 4500. The IP address of this interface will be the existing svi on the 4500 so the client gateway won't have to change. Remove the svi for that vlan from the 4500.

meiser1985 · ‎11-24-2013

Thanks that worked. I noticed inter vlan routing is enabled on the switch. Will this cause any issues with security?

Jon Marshall · ‎11-25-2013

If you do not have a L3 SVI for the isolated vlan on the 4500 then the isolated vlan will not be able to use the 4500 to route to other vlans ie. it will have to go via the ASA and you can control it from there.

Jon

rfalconer.sffcu · ‎11-25-2013

Will it cause a security issue with having the other 14 vlans able to communicate? That's up to your policy and if you want the different vlans to talk to each other.

If you don't want them communicating or want the traffic controlled, either set up vlan ACLs or move the L3 interfaces to an ASA subinterface and control traffic between the vlans from there. Keep in mind there are limits on the number of subinterfaces a 5510 can have.