Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1603
Views
5
Helpful
10
Replies

Isolated Subnet (Restricted) - Is it possible?

mik31
Level 1
Level 1

‎01-14-2022 07:11 AM

I'm looking at creating a restricted subnet. I want all nodes and devices on the subnet restricted from accessing each other. So for instance, node 1 can't speak to node 2 and so on.

 

Is this possible?

10 Replies 10

Rob Ingram
VIP
VIP

‎01-14-2022 07:24 AM

@mik31 what type of devices?

On a switch you could use VRFs or Private VLANs.

Or you could create separate VLANS with a default gateway as a firewall (ASA or FTD) for each VLAN and restrict traffic between the VLANS via the access control rules on the firewalls.

 

0 Helpful

mik31
Level 1
Level 1
In response to Rob Ingram

‎01-14-2022 07:27 AM

I'm aware of restricting like this, we do this now.

 

I want to restrict nodes on the same subnet from talking to each other.

0 Helpful

Rob Ingram
VIP
VIP
In response to mik31

‎01-14-2022 07:29 AM

@mik31 you do what now?

Private VLANs will restrict traffic in the same subnet, so would a Downloadable ACL (DACL) from ISE or TrustSec segmentation via ISE.

0 Helpful

mik31
Level 1
Level 1
In response to Rob Ingram

‎01-14-2022 07:32 AM

Would private vlans work over AP's. Is this a port by port bases on the switch interfaces?

0 Helpful

Rob Ingram
VIP
VIP
In response to mik31

‎01-14-2022 07:36 AM

@mik31 you probably want to consider TrustSec segmentation with ISE. You can tag traffic throughout the network, wired or wireless and apply policies.

 

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf

https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424

 

 

0 Helpful

mik31
Level 1
Level 1
In response to Rob Ingram

‎01-14-2022 07:48 AM

Looks like one of the requirements for Private VLANS is setting VTP to transparent. This would be a management nightmare for VLANs.

 

Vacl and MacACL using ISE looks like a solution. However, devices are constantly will be changing on this subnet and will be a pain to chase a gazillion mac addresses, unless there is a dynamic way?

0 Helpful

Rob Ingram
VIP
VIP
In response to mik31

‎01-14-2022 07:51 AM

VACL and MacACL doesn't use ISE, they are statically configured.

 

The TrustSec example I provided uses ISE, which is dynamic and will apply policy according to the type of device connecting to the network.

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎01-14-2022 08:58 AM

Friend if you have ap with WLC then p2p block feature in wlc is best for you.

0 Helpful

paul driver
VIP
VIP

‎01-14-2022 10:17 AM

Hello

Other options other than private vlans would be to negate access between networks with the same security level by the applying the following 

same-security-traffic permit intra-interface

 

or use access-lists

example:  deny vlan 101 communication to/from -vlan 102 
access-list 106 extended deny ip 10.1.102.0 255.255.255.0 any
access-list 106 extended deny ip any 10.1.102.0 255.255.255.0
access-list 106 extended permit ip any any

access-group 106 out interface vl101
access-group 106 in interface vl101


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Review Cisco Networking for a $25 gift card
Top