
Isolated Subnet (Restricted) - Is it possible?

mik31
Level 1

I'm looking at creating a restricted subnet. I want all nodes and devices on the subnet restricted from accessing each other. So for instance, node 1 can't speak to node 2 and so on.

 

Is this possible?

10 Replies

@mik31 what type of devices?

On a switch you could use VRFs or Private VLANs.

Or you could create separate VLANs with a default gateway as a firewall (ASA or FTD) for each VLAN and restrict traffic between the VLANs via the access control rules on the firewalls.

 

I'm aware of restricting like this, we do this now.

 

I want to restrict nodes on the same subnet from talking to each other.

@mik31 you do what now?

Private VLANs will restrict traffic in the same subnet, as would a Downloadable ACL (DACL) from ISE or TrustSec segmentation via ISE.

Would private VLANs work over APs? Is this on a port-by-port basis on the switch interfaces?

@mik31 you probably want to consider TrustSec segmentation with ISE. You can tag traffic throughout the network, wired or wireless and apply policies.

 

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf

https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424

 

 

Looks like one of the requirements for Private VLANs is setting VTP to transparent. This would be a management nightmare for VLANs.

 

VACL and MAC ACL using ISE looks like a solution. However, devices on this subnet will be changing constantly, and it will be a pain to chase a gazillion MAC addresses, unless there is a dynamic way?

VACL and MAC ACL don't use ISE; they are statically configured.

 

The TrustSec example I provided uses ISE, which is dynamic and will apply policy according to the type of device connecting to the network.

Friend, if you have APs with a WLC, then the P2P blocking feature in the WLC is best for you.

Hello

Other options besides private VLANs would be to negate access between networks with the same security level by applying the following:

same-security-traffic permit intra-interface

 

or use access-lists

example: deny VLAN 101 communication to/from VLAN 102
access-list 106 extended deny ip 10.1.102.0 255.255.255.0 any
access-list 106 extended deny ip any 10.1.102.0 255.255.255.0
access-list 106 extended permit ip any any

access-group 106 out interface vl101
access-group 106 in interface vl101


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
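The isolated private VLAN setup that the earlier replies point to, written out here as an added example (it is not configuration posted by anyone in this thread). It assumes Catalyst IOS syntax, VLAN 100/101 as the primary/isolated pair, ports Gi1/0/1-24 as the restricted hosts and Gi1/0/48 as the uplink to the firewall acting as default gateway; as noted above, VTP has to be in transparent mode before the private-vlan commands are accepted.

```cisco
! VTP transparent mode is a prerequisite for defining private VLANs (assumed Catalyst IOS)
vtp mode transparent
!
! The primary VLAN carries the subnet; the isolated secondary VLAN holds the nodes.
! Ports in an isolated VLAN can only forward to promiscuous ports, never to each other.
vlan 100
 name RESTRICTED-PRIMARY
 private-vlan primary
 private-vlan association 101
vlan 101
 name RESTRICTED-ISOLATED
 private-vlan isolated
!
! Host ports (assumed range): every node is placed in the isolated VLAN
interface range GigabitEthernet1/0/1 - 24
 description restricted hosts, isolated from one another
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
! Promiscuous port towards the firewall / default gateway (assumed uplink),
! the only destination the isolated hosts are allowed to reach at layer 2
interface GigabitEthernet1/0/48
 description uplink to firewall acting as default gateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! If the switch itself is the gateway, map the isolated VLAN onto the SVI instead
! and leave "ip local-proxy-arp" disabled, otherwise the SVI would relay
! traffic between the isolated hosts and defeat the segmentation:
! interface Vlan100
!  ip address 10.1.100.1 255.255.255.0
!  private-vlan mapping 101
```

Check the result with "show vlan private-vlan" and "show interfaces GigabitEthernet1/0/1 switchport"; a ping between two hosts on isolated ports should fail while both can still reach the gateway.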