help with port isolation

jkay18041
Level 3

I have the config listed below on a 3750X-24T-S switch that I'm using as a WAN switch. One side connects to the ISP, the other is my /27 for my internal network. I have created 2 VLANs: VLAN 100 is WAN and VLAN 200 is the LAN. I want to keep the entire /27 as one subnet if possible to preserve IPs. However, one of my devices that will be connected directly to this switch is a Nomadix gateway, which is an edge device for guest networks. This will go into port 13. Port 23 will go to another firewall that the rest of the network will be behind.

My goal is to allow traffic from port 13 out to port 1 (WAN) but not allow any device behind port 13 to communicate with any device on port 23.

Current configuration : 3071 bytes
!
! Last configuration change at 00:35:14 UTC Mon Mar 1 1993 by lodgeworks
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no logging console
!
username user privilege 15 secret 5 
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
ip domain-name network.local
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/1
description To_ISP
switchport access vlan 100
switchport mode access
no vtp
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
switchport access vlan 200
switchport mode access
no vtp
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
switchport access vlan 200
switchport mode access
no vtp
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
description to ISP
ip address 100.2.31.134 255.255.255.252
!
interface Vlan200
description LAN
ip address 100.2.31.193 255.255.255.224
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 100.2.31.133
!
ip access-list standard SSH_ACCESS
permit 100.2.31.194
permit 6.2.219.66
deny any
!
ip access-list extended Block_Stuff
permit tcp host 100.2.31.194 host 100.2.31.193 eq 22
permit tcp 6.2.219.64 0.0.0.63 host 100.2.31.134 eq 22
permit tcp 6.2.219.64 0.0.0.63 100.2.31.192 0.0.0.31 eq 22 www 443
permit udp 6.2.219.64 0.0.0.63 100.2.31.192 0.0.0.31 eq snmp
deny udp any 100.2.31.192 0.0.0.31 eq snmp
deny tcp any 100.2.31.192 0.0.0.31 eq ftp-data ftp 22 telnet www 443 3389
deny tcp any 100.2.31.192 0.0.0.31 eq 301 1111 1112 2111 3000
deny tcp any host 100.2.31.134 eq ftp-data ftp 22 telnet domain www 443
permit ip any any
!
logging esm config
snmp-server community snmpcomname RO SSH_ACCESS
!
no vstack
!
line con 0
login local
line vty 0 4
access-class SSH_ACCESS in
login local
transport input ssh
line vty 5 15
access-class SSH_ACCESS in
login local
transport input ssh
!
end

Can someone show me an example of a port isolation config for a similar setup? I seem to be a little stumped.

Thank you


Dennis Mink
VIP Alumni

On your interface vlan 200, put an access list that denies traffic to vlan 100, then a permit any any (or permit vlan 100 to any) to still allow internet. Or simply deny all RFC1918 ranges and allow all else from IP addresses in vlan 100.

Please remember to rate useful posts, by clicking on the stars below.

But wouldn't that still allow traffic between the two vlan 200 ports? I want port 13 to be denied access to anything behind port 23.

Thanks for your help

Why would you want to isolate two hosts in the same VLAN?

I mean, by far the easiest way to isolate is on layer 3 using an access list, but you would need to peel the one host out of vlan 200 if it's not supposed to communicate with hosts in VLAN 200.


If I were to take the Nomadix host (guest network gateway) off of vlan 200 and, say, put it on vlan 300, what would be the best way to do that then? My goal is to not have to create a /30 network and burn IPs, as I only have a /27.

Thank you for the help

If you put the Nomadix in vlan 300, you create an interface vlan 300 (use this interface's IP address as the default gateway for the Nomadix) and put an inbound ACL on it:

deny vlan 200
deny vlan 100
permit any


Hello

! interface names as on the posted 3750X running-config
interface GigabitEthernet1/0/13
 switchport protected
!
interface GigabitEthernet1/0/23
 switchport protected


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
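Putting Paul's protected-port answer and Dennis's SVI access-list idea together, here is a worked configuration for the switch in the question. It is an added example, not config from anyone in this thread. The interface and VLAN numbers and the 100.2.31.192/27 addressing come from the running-config posted above; the Nomadix address (100.2.31.195), the interface descriptions and the ACL name GUEST_ISOLATE are assumptions. The ACL is there because switchport protected only stops Layer 2 forwarding between the two ports: both hosts still sit in the same /27 that this switch routes on Vlan200, so without it a host that sends LAN-bound packets to its gateway 100.2.31.193 instead of ARPing directly could still reach the other port through the SVI.

```cisco
! Added example, not from the thread. Interface numbers and addressing
! follow the posted running-config; the Nomadix address 100.2.31.195,
! the descriptions and the ACL name are assumptions.
!
! Layer 2: protected ports never forward frames (unicast, multicast or
! broadcast, so ARP included) to another protected port on this switch.
! The uplink Gi1/0/1 in VLAN 100 stays unprotected, so internet-bound
! traffic from either port is unaffected.
interface GigabitEthernet1/0/13
 description Nomadix guest gateway (assumed 100.2.31.195)
 switchport access vlan 200
 switchport mode access
 switchport protected
!
interface GigabitEthernet1/0/23
 description Internal firewall
 switchport access vlan 200
 switchport mode access
 switchport protected
!
! Layer 3: protected ports stop only direct Layer 2 forwarding. Because
! ip routing is on and Vlan200 owns 100.2.31.192/27, packets the Nomadix
! sends to the SVI for another host in the /27 would be routed straight
! back out into VLAN 200. An inbound ACL on the SVI drops that traffic
! and leaves everything else, including the default route via Vlan100, alone.
ip access-list extended GUEST_ISOLATE
 remark guest gateway may not reach anything else in the /27
 deny   ip host 100.2.31.195 100.2.31.192 0.0.0.31
 remark all other traffic, including internet-bound, is routed normally
 permit ip any any
!
interface Vlan200
 ip access-group GUEST_ISOLATE in
!
! Checks after applying:
!   show interfaces GigabitEthernet1/0/13 switchport | include Protected
!   show interfaces GigabitEthernet1/0/23 switchport | include Protected
!   show ip access-lists GUEST_ISOLATE
! The first two should report "Protected: true"; the match counter on
! the deny entry of the third climbs whenever the guest side tries the LAN.
```

The posted config defines the Block_Stuff ACL but never applies it with ip access-group. If it is later applied inbound on Vlan200, merge the GUEST_ISOLATE entries into it, because an interface takes only one ACL per direction and the second assignment would replace the first.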