topic Re: Setting up private vlan with our current setup in Switching

Setting up private vlan with our current setup

Talha — Thu, 18 Mar 2021 19:03:03 GMT

Hi,
we are managing multiple office which ask for Public IPs (if required by them). we have pool of multiple public IP addresses and we give them the IP from the pool to use them on their router on their end. we have 2 vlans setup on our layer 3 switch, Public vlan 200 and private vlan 50 which has dhcp running. Main gateway connection is coming from ISP switch port to our switch.
Now my question is: one of the user in public vlan has bunch of public IPs from us and we want to isolate them within the vlan 200 using private vlan.
where should I start? If I make vlan 200, primary for private vlan, will it create any disconnection in our current setup? I am also remote and my connection is also coming from vlan 200. Can I make changes in current setup of if I have to start from scretch by going onsite?

I hope I am able to clarify my question, thanks

Re: Setting up private vlan with our current setup

paul driver — Thu, 18 Mar 2021 21:29:08 GMT

Hello Talha
Based on you description and request its not PVLAN you require but a security policy to deny certain pubic hosts from accessing your vlan 50 - Would this be correct or is it that you are actually running PVLAN at this time?

Re: Setting up private vlan with our current setup

Georg Pauwen — Thu, 18 Mar 2021 22:27:13 GMT

Hello,

I just lab tested this and telnetted into a switch, from another switch in the same Vlan. Neither of the configuration parts of the private vlan did disconnect the TELNET session, so doing this remotely should work.

Of course, never forget the old trick of setting a 'reload in' on the remote device, so in case something does go wrong, the switch will reboot and allow you to gain access again, with the original configuration.

Re: Setting up private vlan with our current setup

Talha — Thu, 18 Mar 2021 23:22:39 GMT

hi Paul,

Apologies , if I couldn't describe my case properly but actually the case here is a client in vlan 200 wants to isolate himself from other clients in same vlan 200 and I am thinking to configure Pvlan to isolate him. He ran a security vulnerability check and his check is picking up other Public IPs in our public Vlan. Please ignore vlan 50 as I just added it to give you an idea about our network. I am attaching a basic diagram here as well of our network. What are my options? I thought a Pvlan will do the job! but I am not sure where to start in my current scenario.

Re: Setting up private vlan with our current setup

Talha — Thu, 18 Mar 2021 23:20:51 GMT

that's a good check, thanks

doesnt "reload in" is by default present.

Re: Setting up private vlan with our current setup

Georg Pauwen — Fri, 19 Mar 2021 00:15:00 GMT

Hello,

no, it is not in the configuration by default, you need to add that manually when working on the switch remotely...

Re: Setting up private vlan with our current setup

Talha — Fri, 19 Mar 2021 12:59:54 GMT

Ok I see, I didn't know that option. awesome

Re: Setting up private vlan with our current setup

paul driver — Sun, 21 Mar 2021 23:48:51 GMT

Hello

@Talha wrote:

case here is a client in vlan 200 wants to isolate himself from other clients in same vlan 200

Try the following vlan access map example:

access-list 101 permit ip host 200.0.0.1 200.0.0.0 0.0.0.255
access-list 101 permit ip 200.0.0.0 0.0.0.255 host 200.0.0.1

vlan access-map Vl200_host
match ip address 101
action drop
vlan access-map Vl200_host 99

vlan filter Vl200_host vlan-list 200

Re: Setting up private vlan with our current setup

Talha — Mon, 22 Mar 2021 09:51:57 GMT

Hi Paul,
Thanks for the response
If he has ip 207.x.x.89 to 207.x.x.93 in a 16 ip pool then how will this vlan filter look like? Should i then add each ip in seperate line.

Re: Setting up private vlan with our current setup

paul driver — Mon, 22 Mar 2021 10:52:41 GMT

Hello

Just amend the acl to accomodate.( please make sure the acl number is not already being used!)
Example:

access-list 101 permit ip host 207.x.x.89 207.0.0.0 0.0.255.255
access-list 101 permit ip 207.x.x.0 0.0.255.255 host 207.x.x.89

access-list 101 permit ip host 207.x.x.90 207.0.0.0 0.0.255.255
access-list 101 permit ip 207.x.x.0 0.0.255.255 host 207.x.x.90

etc..

Re: Setting up private vlan with our current setup

Talha — Mon, 22 Mar 2021 12:48:01 GMT

sure thanks, let me give it a try with Reload at command in case.
And can you tell what is 99 here in this line below that you wrote earlier? Also in the wild card mask is different from earlier reply, is it deliberate?

vlan access-map Vl200_host 99

Re: Setting up private vlan with our current setup

paul driver — Mon, 22 Mar 2021 12:48:16 GMT

Hello

Its a catch all stanza ( IE: permit ip any any)

Re: Setting up private vlan with our current setup

Talha — Mon, 22 Mar 2021 13:30:34 GMT

I see ok.

Can you please also confirm the wild card mask in the ACLs, should it be 0.0.0.255 or 0.0.255.255? thanks

Re: Setting up private vlan with our current setup

paul driver — Mon, 22 Mar 2021 13:34:36 GMT

Hello

@Talha wrote:

207.x.x.89 to 207.x.x.93 in a 16 ip pool then how will this vlan filter look like? Should i then add each ip in

Can you please also confirm the wild card mask in the ACLs, should it be 0.0.0.255 or 0.0.255.255? thanks

207.x.x.0/16 = 207.x.x.0 0.0.255.255

Re: Setting up private vlan with our current setup

Talha — Mon, 22 Mar 2021 13:40:03 GMT

Sorry just verified, its a pool of 32 ip address with subnet of 255.255.255.224

Re: Setting up private vlan with our current setup

paul driver — Mon, 22 Mar 2021 13:47:32 GMT

Hello

Okay then the acl will need to be changed to accomodate a /27 subnet and which ever range those hosts reside in?

207.x.x.0/27 = 207.x.x.0 0.0.0.31

207.x.x.32/27 = 207.x.x.32 0.0.0.31

207.x.x.64/27 = 207.x.x.64 0.0.0.31

207.x.x.96/27 = 207.x.x.96 0.0.0.31

etc...

Re: Setting up private vlan with our current setup

Talha — Mon, 22 Mar 2021 13:50:46 GMT

thanks alot Paul, will try it and follow up 🙂

Re: Setting up private vlan with our current setup

Talha — Mon, 22 Mar 2021 13:57:51 GMT

May be I am over cautious , sorry to bug you here 🙂

do I have to explicitly allow gateway as it is part of same pool. What a I understood that we are denying the traffic from his IPs to all vlan 200 network? lets say if gateway is .65, wouldn't it block his internet access?

Re: Setting up private vlan with our current setup

paul driver — Mon, 22 Mar 2021 14:09:24 GMT

Hello

No just specify the end host ip addressing to from the subent thats it, no need to specify any gateway address just be specific on the host ip addresses