Cisco Support Community
New Member

Isolating VLANS

Suppose we have one router connected to an L2 switch, and PC A (in VLAN 5) and PC B (in VLAN 10) are connected to the switch. The router has a default route to the ISP (i.e. for internet connectivity).

We want PC A and PC B to access the internet, but they should be isolated from each other. Will private VLANs solve this problem?

1 ACCEPTED SOLUTION

Re: Isolating VLANS

Without trunking, neither will work.

The way to do this will be with access lists:

! ACL 101: drop traffic between the two VLAN subnets, allow everything else (internet)
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip any any
!
! One dot1Q subinterface per VLAN on the trunk towards the switch,
! with the same ACL applied inbound on each
interface Ethernet0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip access-group 101 in
!
interface Ethernet0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in

I have just done this with a single access list that will block traffic either way to keep things simple.

There are other ways it can be done, but an access list is simpler.

9 REPLIES

Re: Isolating VLANS

To put it short... no. Right now, your two PCs are isolated at layer 2. Private VLAN was designed to provide the same isolation from within the same VLAN (i.e. A & B would both be in VLAN 5, but they still would not be able to communicate directly at L2, as if they were on different VLANs). The reason for this feature is that if you want to isolate 10 hosts by segregating them in 10 different VLANs, you need 10 IP subnets and you will potentially waste a large range of IP addresses that will be unused on each of them. With private VLAN, you just need one subnet for all your segregated hosts.

If you want to isolate A & B at L3, in your scenario as well as with private vlan, you'll need some L3 access lists.

Regards,

Francois

New Member

Re: Isolating VLANS

Hi Francois,

Okay, let's forget about private vlans.

In the given scenario, let's say we have some subinterfaces on the router port connected to the switch (e.g. eth0.5, IP 192.168.5.1/24 and eth0.10, IP 192.168.10.1/24), but NO trunking encapsulation defined. PC A's default gateway is 192.168.5.1/24, and for PC B it's 192.168.10.1/24.

Will this solve the problem? If not, what is needed to achieve the goal for the given scenario?

Thanks.

New Member

Re: Isolating VLANS

Paul,

Thanks for your response. I see that the above configuration will solve the problem in my post.

Just as a follow up, it seems to me that access-lists are not a scalable solution. If you agree, could you perhaps suggest an alternate methodology?

Re: Isolating VLANS

It depends on how far you want to go. Access lists would be awkward if you were trying to protect hundreds of VLANS, but they could be made simpler with careful address scheme design - if this router had 100 VLANs all using RFC1918 addressing, and you wanted to prevent any VLAN talking to another, but allow them all out to talk to real internet addresses, an access list that blocks RFC1918 to RFC1918 addressing would be a simple access list applied inbound on all local interfaces.

VRF may be a more scalable solution, but it would have to be planned from the start. You would also need to make sure all the support staff understood VRF. Anyone working on live Cisco kit should understand ACLs, so when someone has a problem 3am Sunday morning it can be sorted by the staff on shift. Do something like VRF without training the staff and guess who's getting a 3am call!
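As an added example (not part of the thread), a small Python model of how IOS evaluates the accepted solution's ACL 101 and the RFC1918-to-RFC1918 variant Paul describes above; ACL number 102 and the host addresses are constructed.

```python
import ipaddress

# Constructed model of IOS extended-ACL evaluation: entries are tried in order,
# the first match decides, and an unmatched packet hits the implicit deny at
# the end. Wildcard masks are inverse masks: 0 bits must match, 1 bits are ignored.

def wildcard_match(addr, base, wildcard):
    """True if addr falls inside base/wildcard (IOS inverse-mask notation)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def _take_addr(tokens, i):
    """Consume 'any' or '<addr> <wildcard>' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    """Split 'access-list <n> permit|deny ip <src> <dst>' into action, src, dst."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, i = _take_addr(t, 4)
    dst, _ = _take_addr(t, i)
    return t[2], src, dst

def acl_decision(acl_lines, src_ip, dst_ip):
    """Return 'permit' or 'deny' for an IP packet checked against the ACL."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny

# The thread's ACL 101 with the abbreviated keywords written out.
ACL_101 = [
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

# Paul's scaling idea (ACL number 102 is constructed): deny every RFC1918 block
# to every other RFC1918 block, then permit the rest; applied inbound on each
# VLAN subinterface, it needs no new entries when VLANs are added.
RFC1918 = [("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
           ("192.168.0.0", "0.0.255.255")]
ACL_102 = [f"access-list 102 deny ip {s} {sw} {d} {dw}"
           for s, sw in RFC1918 for d, dw in RFC1918]
ACL_102.append("access-list 102 permit ip any any")
```

Note that the private-to-private deny also drops a host's traffic to the router's own gateway address and to any internal server with a private address (an internal DNS server, for instance), so those need explicit permit entries placed before the deny lines.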

Re: Isolating VLANS

The scalability will depend on how many such subnets you can summarize in a single access list. That might be where private VLAN could help ;-) With private VLANs, you don't need many subnets. In fact, you could have all your hosts on a single subnet, in a single private VLAN, and thus use a single access list.

Regards,

Francois

New Member

Re: Isolating VLANS

Okay, let's re-work the scenario for private VLANs. So would PC A and PC B be in a secondary VLAN, and the switchport connected to the router a promiscuous VLAN?

New Member

Re: Isolating VLANS

For the PVLAN, the switchport connected to the router is a trunk. PC A and PC B are in isolated mode.

New Member

Re: Isolating VLANS

Thanks everyone for your replies.
