C3750, port isolation

perpaal
Level 1
Hi, I need to set up a guest network where clients on each port should only be allowed to talk to the gateway. How would I best achieve this on a Cisco Catalyst 3750?
6 Replies

Mark Malone
VIP Alumni

Just an option: you could create a layer 3 VLAN on the 3750, assign the ports you want to this VLAN as layer 2, and then lock down the interface VLAN using access-lists so it cannot talk to any other VLANs or devices and can only get to the gateway. You could go another route and use a private VLAN setup with community or isolated ports, depending on how strict you want to be.

What would a private VLAN setup for this look like? The network spans over 3 pcs 3750 switches.

Here's the link explaining how to configure it for the 3750; there's not too much in it. You probably want a community port setup so they can speak to each other in the same VLAN but to no one else; isolated will lock the ports down completely.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swpvlan.html

Hello

PVLANs are indeed another way to isolate switchports in various VLANs over multiple switches, but it does require some configuration.
 

Promiscuous port - belongs to the primary VLAN; all PVLAN ports can communicate with it

Primary VLAN - all ports in the PVLAN are part of this VLAN

Community VLANs - secondary VLAN allowed to communicate with the other ports in its VLAN and the promiscuous port in the primary VLAN

Isolated VLANs - secondary VLAN that can NOT communicate with any other port in any VLAN other than the promiscuous port in the primary VLAN

 

Let's say the VLANs span over 2 switches (SW1 - SW2)
 


SW1
promiscuous port = fa0/1
vlan 10 primary
vlan 20 community
vlan 30 community
vlan 40 isolated


1)
Create the trunks that are to be used (if applicable) on all switches.
Note: the VTP mode of the switch needs to be transparent (before or after VLAN creation and propagation, again if applicable).
 

vtp mode transparent


2) Create the L2 VLANs and associate the private VLANs

vlan 10,20,30,40
exit

vlan 10
private-vlan primary
vlan 20,30
private-vlan community
vlan 40
private-vlan isolated

 

3) Associate the secondaries to the primary VLAN

vlan 10
private-vlan association add 20,30,40

sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community         
10      30        community        
10      40        isolated         

 

4) Associate a promiscuous port and map the secondary VLANs to it
(not applicable on every switch, only on the switch the promiscuous port is attached to)

int fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 20,30,40


sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community         Fa0/1,
10      30        community         Fa0/1,
10      40        isolated          Fa0/1,

 

5) Associate hosts to the VLANs

int fa0/2
switchport mode private-vlan host
switchport private-vlan host-association 10 20

int fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 10 20

int fa0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 30

int fa0/5
switchport mode private-vlan host
switchport private-vlan host-association 10 40

 

sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community         Fa0/1, Fa0/2,Fa0/3
10      30        community         Fa0/1, Fa0/4
10      40        isolated          Fa0/1, Fa0/5

 



Layer 3 interfaces - so secondary VLANs 20 and 30 can communicate with each other
====================


Switch(es)
---------------

1)
int vlan 10 (this is the primary L3 interface relating to the VLAN 10 L2 primary VLAN)
ip add 220.1.1.100 255.255.255.0
ip add 230.1.1.100 255.255.255.0 secondary
private-vlan mapping 20,30

ip routing


Hosts
======
The secondary hosts need to be in the same IP range as the SVI L3 interface, with a default gateway assigned.


interface x/x
 description Pvlan 20 Community port
 switchport private-vlan host-association 10 20
 switchport mode private-vlan host

 

interface x/x
 description Pvlan 30 Community port
 switchport private-vlan host-association 10 30
 switchport mode private-vlan host

 

 

cco doc


Hope this helps



res

Paul


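As an added check that is not part of the thread, here is a small Python model of the Layer-2 reachability the PVLAN port-type definitions above imply. It parses the SW1 configuration from this post (constructed here as a string and trimmed to the lines that decide reachability) and reports which ports each port can reach, so a guest on the isolated port can be confirmed to see only the promiscuous port. The function names parse_pvlan, can_talk and reachable_from are my own, not Cisco commands.

```python
import re
# Constructed sample: SW1 from the post above, trimmed to the lines that decide reachability.
SW1_CONFIG = """
vlan 20
 private-vlan community
vlan 30
 private-vlan community
vlan 40
 private-vlan isolated
interface fa0/1
 switchport private-vlan mapping 10 20,30,40
interface fa0/2
 switchport private-vlan host-association 10 20
interface fa0/3
 switchport private-vlan host-association 10 20
interface fa0/4
 switchport private-vlan host-association 10 30
interface fa0/5
 switchport private-vlan host-association 10 40
"""

def parse_pvlan(config):
    """Return ({secondary vlan: type}, {port: (role, secondary | mapped set)})."""
    vlan_types, ports, ctx = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"(?:vlan|interface) (\S+)", line):
            ctx = m.group(1)                         # current vlan id or port name
        elif m := re.fullmatch(r"private-vlan (community|isolated)", line):
            vlan_types[ctx] = m.group(1)
        elif m := re.fullmatch(r"switchport private-vlan mapping \d+ ([\d,]+)", line):
            ports[ctx] = ("promiscuous", set(m.group(1).split(",")))
        elif m := re.fullmatch(r"switchport private-vlan host-association \d+ (\d+)", line):
            ports[ctx] = ("host", m.group(1))
    return vlan_types, ports

def can_talk(vlan_types, ports, a, b):
    (ra, va), (rb, vb) = ports[a], ports[b]
    if ra == rb == "promiscuous":
        return True                                  # both sit in the primary VLAN
    if ra == "promiscuous":
        return vb in va                              # host's secondary must be mapped
    if rb == "promiscuous":
        return va in vb
    return va == vb and vlan_types[va] == "community"  # hosts: same community only

def reachable_from(config, port):
    """Ports `port` can reach; an isolated guest should list only the promiscuous port."""
    vlan_types, ports = parse_pvlan(config)
    return sorted(p for p in ports if p != port and can_talk(vlan_types, ports, port, p))
```

Note that this models one switch only; across a trunk the same rules apply once the secondary VLANs exist on every switch, as step 2 describes.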

Hello

Is this relating to the one switch? If so, the easiest way would be the switchport protected command.

Any ports with this enabled won't be able to communicate with each other.


int x/x
switchport protected

res

Paul
 



It will be spanning over 3 switches.