11-27-2018 06:43 PM - edited 03-05-2019 11:04 AM
I have the config listed below on a 3750X-24T-S switch that I'm using as a WAN switch. One side connects to the ISP, the other is my /27 for my internal network. I have created 2 vlans: vlan 100 is the WAN and vlan 200 is the LAN. I want to keep the entire /27 as one subnet if possible, to preserve IPs. However, one of my devices that will be connected directly to this switch is a Nomadix gateway, which is an edge device for guest networks. This will go into port 13. Port 23 will go to another firewall that the rest of the network will be behind.
My goal is to allow traffic from port 13 out to port 1 (WAN) but not allow any device behind port 13 to communicate with any device on port 23.
Current configuration : 3071 bytes
!
! Last configuration change at 00:35:14 UTC Mon Mar 1 1993 by lodgeworks
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no logging console
!
username user privilege 15 secret 5
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
ip domain-name network.local
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/1
description To_ISP
switchport access vlan 100
switchport mode access
no vtp
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
switchport access vlan 200
switchport mode access
no vtp
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
switchport access vlan 200
switchport mode access
no vtp
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
description to ISP
ip address 100.2.31.134 255.255.255.252
!
interface Vlan200
description LAN
ip address 100.2.31.193 255.255.255.224
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 100.2.31.133
!
ip access-list standard SSH_ACCESS
permit 100.2.31.194
permit 6.2.219.66
deny any
!
ip access-list extended Block_Stuff
permit tcp host 100.2.31.194 host 100.2.31.193 eq 22
permit tcp 6.2.219.64 0.0.0.63 host 100.2.31.134 eq 22
permit tcp 6.2.219.64 0.0.0.63 100.2.31.192 0.0.0.31 eq 22 www 443
permit udp 6.2.219.64 0.0.0.63 100.2.31.192 0.0.0.31 eq snmp
deny udp any 100.2.31.192 0.0.0.31 eq snmp
deny tcp any 100.2.31.192 0.0.0.31 eq ftp-data ftp 22 telnet www 443 3389
deny tcp any 100.2.31.192 0.0.0.31 eq 301 1111 1112 2111 3000
deny tcp any host 100.2.31.134 eq ftp-data ftp 22 telnet domain www 443
permit ip any any
!
logging esm config
snmp-server community snmpcomname RO SSH_ACCESS
!
no vstack
!
line con 0
login local
line vty 0 4
access-class SSH_ACCESS in
login local
transport input ssh
line vty 5 15
access-class SSH_ACCESS in
login local
transport input ssh
!
end
Can someone show me an example of a port isolation config for a similar setup? I seem to be a little stumped.
Thank you
11-27-2018 07:13 PM
On your interface vlan 200, put an access list that denies traffic to vlan 100, then a permit any any (or permit vlan 100 to any) to still allow Internet. Or simply deny all RFC1918 ranges and allow all else from IP addresses in vlan 100.
11-27-2018 07:29 PM
But wouldn't that still allow traffic between the two vlan 200 ports? I want port 13 to be denied access to anything behind port 23.
Thanks for your help
11-27-2018 08:34 PM
Why would you want to isolate two hosts in the same VLAN?
I mean, by far the easiest way to isolate is on layer 3 using an access list, but you would need to peel the one host out of vlan 200 if it's not supposed to communicate with hosts in VLAN 200.
11-28-2018 05:50 AM
If I were to take the Nomadix host (guest network gateway) off of vlan 200 and, say, put it on vlan 300, what would be the best way to do that then? My goal is to not have to create a /30 network and burn IPs, as I only have a /27.
Thank you for the help
11-28-2018 06:57 PM
If you put the Nomadix in vlan 300, you create an interface vlan 300 (use this interface's IP address as the default gateway for the Nomadix) and put an inbound ACL on it:
deny vlan 200
deny vlan 100
permit any
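The "deny vlan 200 / deny vlan 100 / permit any" idea from the reply above, written out in IOS extended-ACL syntax against the addresses in the posted running config. This is an added example, not config from the thread; the Vlan300 addressing is a placeholder because the thread never assigns one, and the second ACL is assumed so the isolation holds in both directions.

```cisco
! Added example: move the Nomadix to vlan 300 and filter at the SVI.
! 100.2.31.192/27 (Vlan200) and 100.2.31.132/30 (Vlan100) are from the
! posted config; everything in <ANGLE_BRACKETS> is a placeholder.
vlan 300
 name GUEST_GW
!
interface GigabitEthernet1/0/13
 description Nomadix guest gateway
 switchport access vlan 300
 switchport mode access
!
ip access-list extended GUEST_GW_IN
 remark The Nomadix must still reach its default gateway, the Vlan300 SVI
 permit ip any host <VLAN300_SVI_ADDR>
 remark "deny vlan 200": the LAN /27 behind port 23
 deny   ip any 100.2.31.192 0.0.0.31
 remark "deny vlan 100": the ISP /30 (Internet-bound packets are not
 remark addressed to this subnet, so the default route still works)
 deny   ip any 100.2.31.132 0.0.0.3
 remark "permit any": out to the Internet via 100.2.31.133
 permit ip any any
!
interface Vlan300
 description Guest gateway segment
 ip address <VLAN300_SVI_ADDR> <VLAN300_MASK>
 ip access-group GUEST_GW_IN in
!
! The original question asks for no communication in either direction, so
! also stop Vlan200 hosts from opening sessions toward the guest segment.
ip access-list extended LAN_IN
 deny   ip any <VLAN300_SUBNET> <VLAN300_WILDCARD>
 permit ip any any
!
interface Vlan200
 ip access-group LAN_IN in
```

Check the hit counters with show ip access-lists GUEST_GW_IN after the Nomadix tries to reach a host in 100.2.31.192/27; the deny line should be the one incrementing.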
11-29-2018 07:25 AM - edited 11-29-2018 07:26 AM
Hello
interface gig0/13
switchport protected
interface gig0/23
switchport protected
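The protected-port answer above, written out for the interface names the posted running config actually uses, plus the verification command and the one setting that would quietly re-open the path. Added example, not config from the thread; the descriptions are assumed.

```cisco
! Added example: both hosts stay in Vlan200 and the /27 stays one subnet,
! but the switch refuses to forward frames between the two protected ports
! at layer 2. Interface names follow the posted config (3750X, stack member 1).
interface GigabitEthernet1/0/13
 description Nomadix guest gateway
 switchport access vlan 200
 switchport mode access
 switchport protected
!
interface GigabitEthernet1/0/23
 description Firewall for the rest of the network
 switchport access vlan 200
 switchport mode access
 switchport protected
!
! Both ports still reach the Vlan200 SVI and are routed out Gi1/0/1 to the
! ISP, because neither the uplink nor the SVI is protected. What must not
! happen is the switch acting as a layer-3 relay between the two hosts:
! local proxy ARP would make the SVI answer ARP for one protected host on
! behalf of the other and route the traffic between them. It is off by
! default on this platform; state it explicitly so an audit sees it.
interface Vlan200
 no ip local-proxy-arp
!
! Verify on both ports; the line should read "Protected: true".
! show interfaces GigabitEthernet1/0/13 switchport | include Protected
! show interfaces GigabitEthernet1/0/23 switchport | include Protected
```

Protected ports only isolate hosts that are directly on this switch; a second switch hanging off port 23 still reaches the Nomadix if it is not itself on a protected port, so the firewall behind port 23 remains the real policy boundary.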