Isolated Subnet (Restricted) - Is it possible?
01-14-2022 07:11 AM
I'm looking at creating a restricted subnet. I want all nodes and devices on the subnet restricted from accessing each other. So for instance, node 1 can't speak to node 2 and so on.
Is this possible?
01-14-2022 07:24 AM
@mik31 what type of devices?
On a switch you could use VRFs or Private VLANs.
Or you could create separate VLANs with a default gateway as a firewall (ASA or FTD) for each VLAN and restrict traffic between the VLANs via the access control rules on the firewalls.
01-14-2022 07:27 AM
I'm aware of restricting like this, we do this now.
I want to restrict nodes on the same subnet from talking to each other.
01-14-2022 07:29 AM
@mik31 you do what now?
Private VLANs will restrict traffic in the same subnet, so would a Downloadable ACL (DACL) from ISE or TrustSec segmentation via ISE.
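A worked private VLAN (PVLAN) configuration for the isolated-subnet case, added here as an example; it is not from any post in this thread. IOS/IOS-XE syntax; the VLAN numbers, interface names, subnet and gateway placement are assumptions. VTP v1/v2 cannot carry private VLANs, so the participating switches run VTP transparent (VTP version 3 can propagate them, if that is an option in your network):

```cisco
! Added example: private VLAN isolation for a "restricted" subnet.
! Assumptions: primary VLAN 200 / isolated VLAN 201, restricted hosts on
! Gi1/0/1-23, the default gateway (a firewall) behind Gi1/0/24.
!
! VTP v1/v2 cannot carry private VLANs: run VTP transparent (or VTP v3)
! on every switch that takes part in the PVLAN.
vtp mode transparent
!
! Secondary (isolated) VLAN: ports in it can only reach promiscuous ports,
! never each other.
vlan 201
 name RESTRICTED-ISOLATED
 private-vlan isolated
!
! Primary VLAN that the isolated VLAN is bound to.
vlan 200
 name RESTRICTED-PRIMARY
 private-vlan primary
 private-vlan association 201
!
! Every restricted node sits on a "host" port in the isolated VLAN.
interface range GigabitEthernet1/0/1 - 23
 description restricted node
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
!
! The gateway sits on a promiscuous port, which may talk to all isolated hosts.
interface GigabitEthernet1/0/24
 description uplink to firewall (default gateway 10.1.100.1, assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! If the switch itself is the gateway instead of a firewall, map the
! secondary VLAN on the SVI of the primary VLAN:
! interface Vlan200
!  ip address 10.1.100.1 255.255.255.0
!  private-vlan mapping 201
!
! Verification: confirm the VLAN types and that each host port shows a
! host-association of 200/201.
! show vlan private-vlan
! show interfaces GigabitEthernet1/0/1 switchport
```

Two caveats worth checking before relying on this. The isolation is Layer 2 only: the hosts still share one IP subnet, so the gateway on the promiscuous port must not forward a host's packet back into the same VLAN. On an ASA that is the default (same-interface traffic is blocked unless `same-security-traffic permit intra-interface` is configured); on an IOS gateway leave `ip local-proxy-arp` disabled, which is its default. And PVLANs only protect ports the switch controls: wireless clients on the same SSID are switched at the AP/WLC, so a wireless subnet needs the controller's peer-to-peer blocking as well.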
01-14-2022 07:32 AM
Would private VLANs work over APs? Is this on a port-by-port basis on the switch interfaces?
01-14-2022 07:36 AM
@mik31 you probably want to consider TrustSec segmentation with ISE. You can tag traffic throughout the network, wired or wireless and apply policies.
https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424
01-14-2022 07:48 AM
Looks like one of the requirements for private VLANs is setting VTP to transparent. This would be a management nightmare for VLANs.
VACL and MAC ACL using ISE looks like a solution. However, devices on this subnet will constantly be changing, and it will be a pain to chase a gazillion MAC addresses, unless there is a dynamic way?
01-14-2022 07:51 AM
VACL and MAC ACL don't use ISE; they are statically configured.
The TrustSec example I provided uses ISE, which is dynamic and will apply policy according to the type of device connecting to the network.
01-14-2022 07:33 AM
VACL with MAC ACL is a solution, I think.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html
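A VACL for the same requirement, added here as an example rather than taken from the thread or the linked guide. It is keyed on the subnet, not on individual MAC addresses, so it needs no per-device entries; the subnet 10.1.101.0/24, gateway 10.1.101.1 and VLAN 101 are assumptions:

```cisco
! Added example: VACL that drops host-to-host IP traffic inside
! 10.1.101.0/24 while every host can still reach the gateway 10.1.101.1.
! Subnet, gateway address and VLAN 101 are assumptions.
!
! In a VACL, "permit" entries define what the access-map clause matches.
ip access-list extended RESTRICTED-GATEWAY
 permit ip 10.1.101.0 0.0.0.255 host 10.1.101.1
 permit ip host 10.1.101.1 10.1.101.0 0.0.0.255
!
ip access-list extended RESTRICTED-INTRA-SUBNET
 permit ip 10.1.101.0 0.0.0.255 10.1.101.0 0.0.0.255
!
! Sequence order matters: forward gateway traffic first, then drop what is
! left of the intra-subnet traffic, then forward everything else (traffic
! leaving the subnet, DHCP broadcasts, and so on).
vlan access-map RESTRICTED-VACL 10
 match ip address RESTRICTED-GATEWAY
 action forward
vlan access-map RESTRICTED-VACL 20
 match ip address RESTRICTED-INTRA-SUBNET
 action drop
vlan access-map RESTRICTED-VACL 30
 action forward
!
vlan filter RESTRICTED-VACL vlan-list 101
!
! Verification:
! show vlan access-map RESTRICTED-VACL
! show vlan filter
```

Note that an IP VACL does not see ARP, so hosts can still learn each other's MAC addresses; their IP packets between one another are what gets dropped. The linked guide is for the Catalyst 6500; check feature support and the exact `action` keywords for your platform before deploying.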
01-14-2022 08:58 AM
Friend, if you have APs with a WLC then the P2P blocking feature in the WLC is best for you.
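The controller-side setting this refers to, added here as an example (not part of the post above). AireOS CLI first, then the equivalent on a Catalyst 9800; WLAN ID 5 and the profile name are assumptions:

```cisco
! Added example: peer-to-peer blocking on the WLAN that carries the
! restricted subnet. WLAN ID 5 is an assumption.
!
! AireOS controller: the WLAN is disabled while the setting changes.
config wlan disable 5
config wlan peer-blocking drop 5
config wlan enable 5
! Verify: peer-to-peer blocking for the WLAN should show as Drop.
show wlan 5
!
! Catalyst 9800 (IOS-XE) controller, assumed profile name RESTRICTED:
! wlan RESTRICTED 5 RESTRICTED
!  peer-blocking drop
```

Use `drop` rather than `forward-upstream`: the latter sends client-to-client traffic up to the gateway, which then has to refuse to hairpin it, the same problem a private VLAN leaves to the firewall. Peer blocking only covers wireless clients on that WLAN; wired devices in the same VLAN still need a private VLAN or a VACL on the switch side, and for FlexConnect locally switched WLANs check your release notes for how the blocking is enforced across APs.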
01-14-2022 10:17 AM
Hello
Other options, other than private VLANs, would be to negate access between networks with the same security level by applying the following:
same-security-traffic permit intra-interface
or use access-lists
example: deny VLAN 101 communication to/from VLAN 102
access-list 106 extended deny ip 10.1.102.0 255.255.255.0 any
access-list 106 extended deny ip any 10.1.102.0 255.255.255.0
access-list 106 extended permit ip any any
access-group 106 out interface vl101
access-group 106 in interface vl101
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
