Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1398
Views
0
Helpful
6
Replies

Creating a private/isolated vlan on Cisco switch

Go to solution
John Stevens
Level 1
Level 1

‎11-25-2014 12:49 PM - edited ‎03-07-2019 09:39 PM

Hello

I have many Cisco switches 65xx, 37xx at my company with a lot of vlans already configured.  I need to create a new isolation vlan that will not be able to communicate with my other existing vlans.  We are setting up a NAC solution at my company and we want a vlan that we can send ports to if the computer or device is compromised and cannot talk or risk the existing network (other vlans).  What is the best method to make this happen?

 

I have created VLANs in the past but this is my first dealing with private/isolated vlans and would be grateful for any guidance on how I should implement this.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
John Stevens
Level 1
Level 1
In response to Jon Marshall

‎12-01-2014 11:38 AM

I spoke to my NAC vendor, they want a Lay3 private vlan, they want the vlan to talk with the NAC appliance, so i can put that NAC IP in for the SVI.  So do i create a normal Lay2 vlan with the NAV IP, how do i make this private vlan so i cannot talk to my network or to the internet?

 

Thanks

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎11-25-2014 12:57 PM

John

If you need a vlan that cannot communicate with any other vlans or any other IP (internet for example) then you don't need private vlans. You can just create the vlan at L2 but not create a L3 vlan interface (SVI) for it.

Without an SVI clients in that vlan will not be able to communicate with anything outside that vlan.

Does this meet your requirements ?

Jon

0 Helpful

Go to solution
John Stevens
Level 1
Level 1
In response to Jon Marshall

‎11-25-2014 01:15 PM

Thanks for the feedback.  Yes, overall that is what I am trying to do, I don't want anything that get put on this new isolated vlan to communicate with anything on my existing vlans.

So are you saying I should just create a new L2 vlan and not configure the vlan interface (which is at L3) for this new vlan so I cannot communicate with any of my existing vlans therefore isolating the new vlan?

 

thanks

 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to John Stevens

‎11-25-2014 01:20 PM

So are you saying I should just create a new L2 vlan and not configure the vlan interface (which is at L3) for this new vlan so I cannot communicate with any of my existing vlans therefore isolating the new vlan?

Yes, without an SVI clients in that vlan cannot communicate with anything outside that vlan.

The only thing that wasn't clear was whether these clients should still be able to access the internet even though they couldn't talk to any other internal vlans. If they did need the internet, or any other remote network, then you would need an SVI but it sounds as though you don't want any external communication for these clients ?

Jon

0 Helpful

Go to solution
John Stevens
Level 1
Level 1
In response to Jon Marshall

‎12-01-2014 11:38 AM

I spoke to my NAC vendor, they want a Lay3 private vlan, they want the vlan to talk with the NAC appliance, so i can put that NAC IP in for the SVI.  So do i create a normal Lay2 vlan with the NAV IP, how do i make this private vlan so i cannot talk to my network or to the internet?

 

Thanks

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to John Stevens

‎12-01-2014 12:24 PM

John

Not sure I follow.

Is the NAC appliance in an existing vlan ?

If a client needs to be sent to the isolated vlan what happens with it's existing IP address ie. if it sent to a different vlan it will need a new IP if it still needs to communicate with the NAC device.

If you want to leave the client with it's own IP you could use private vlans but that would mean -

1) you would need to do this for each vlan you currently have

and

2) you would still need to use acls on the SVI to allow that isolated vlan to talk to the NAC appliance and only the NAC appliance.

Jon

0 Helpful

Go to solution
paul driver
VIP
VIP

‎12-01-2014 02:11 PM

apologies didn't mean to endorse this post?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card