Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Isolating a VLAN

Hi All,

Happy new Year to everyone!

I need to isolate a VLAN on our switch so that it cannot connect at either L2 or L3 to any other of the VLANs.

Heres a brief overview on what we have...

VLAN10 - 192.168.1.0 /24

VLAN20 - 192.168.2.0 /24

VLAN30 - 192.168.3.0 /24

VLAN40 - 10.30.25.0 /24

Allowing VLAN 10, 20 and 30 to communicate with each other is not a problem. However I need to isolate VLAN40 so it can only communicate with hosts on that network.

I had read something about VLAN tagging, but cant seem to get it!

Any advise would be appreciated.

6 REPLIES
Hall of Fame Super Blue

Re: Isolating a VLAN

Hi Steven

The simplest thing to do is to make sure there is no layer 3 interface for vlan 40 ie. the vlan exists at layer 2 on your switch(es) but there is no

int vlan 40

ip address 192.168.5.1 255.255.255.0

without a L3 interface for the vlan any machine in that vlan can only talk to other machines in the same vlan.

Jon

Re: Isolating a VLAN

hi,

If all the users of the vlan 40 are on the same switch and the switch is L2 then dont allow that vlan on the trunk.Also prune it in the VTP advertisements.

New Member

Re: Isolating a VLAN

Thanks! I'm going to try this now.

Bronze

Re: Isolating a VLAN

to add to above, at L3 level u can use VACL for the same

access-list 100 permit ip 10.30.25.0 255.255.255.0 10.30.25.0 255.255.255.0

vlan access-map test

match ip address 100

action forward

vlan filter test vlan-list 40

Re: Isolating a VLAN

I agree with Jon that not creating a SVI would be the best and simplest solution but there are other ways like creating IP ACLS, VRF lite etc.

The choice should be based on how to want to configure the VLAN, i.e whether completely isolated (no access to anything else) or restriction just between the vlans with access to outside world etc..

Narayan

Narayan

New Member

Re: Isolating a VLAN

I took S.Arunkumar's advise as I need to give this VLAN some external access.

and added the following...

ip access-list extended ISOLATE_VLAN

permit ip 10.30.25.0 0.0.0.255 10.30.25.0 0.0.0.255

permit tcp 10.30.25.0 0.0.0.255 eq www

vlan access-map WIRELESS 10

action forward

match ip address ISOLATE_VLAN

vlan filter WIRELESS vlan-list 40

However, although none of the other VLANs have access to this network, I am unable to telnet out on port 80 as required.....

...Thanks everyone

vlan access-map test

match ip address 10 0

action forward

vlan filter test vlan-list 40

675
Views
0
Helpful
6
Replies
CreatePlease to create content