11-25-2014 12:49 PM - edited 03-07-2019 09:39 PM
Hello
I have many Cisco switches (65xx, 37xx) at my company with a lot of VLANs already configured. I need to create a new isolation VLAN that will not be able to communicate with my other existing VLANs. We are setting up a NAC solution at my company and we want a VLAN that we can send ports to if the computer or device is compromised and cannot talk to or risk the existing network (other VLANs). What is the best method to make this happen?
I have created VLANs in the past but this is my first time dealing with private/isolated VLANs, and I would be grateful for any guidance on how I should implement this.
11-25-2014 12:57 PM
John
If you need a VLAN that cannot communicate with any other VLANs or any other IP (the internet, for example) then you don't need private VLANs. You can just create the VLAN at L2 but not create an L3 VLAN interface (SVI) for it.
Without an SVI, clients in that VLAN will not be able to communicate with anything outside that VLAN.
Does this meet your requirements?
Jon
11-25-2014 01:15 PM
Thanks for the feedback. Yes, overall that is what I am trying to do; I don't want anything that gets put on this new isolated VLAN to communicate with anything on my existing VLANs.
So are you saying I should just create a new L2 VLAN and not configure the VLAN interface (which is at L3) for this new VLAN, so it cannot communicate with any of my existing VLANs, therefore isolating the new VLAN?
thanks
11-25-2014 01:20 PM
So are you saying I should just create a new L2 VLAN and not configure the VLAN interface (which is at L3) for this new VLAN, so it cannot communicate with any of my existing VLANs, therefore isolating the new VLAN?
Yes, without an SVI clients in that VLAN cannot communicate with anything outside that VLAN.
The only thing that wasn't clear was whether these clients should still be able to access the internet even though they couldn't talk to any other internal VLANs. If they did need the internet, or any other remote network, then you would need an SVI, but it sounds as though you don't want any external communication for these clients?
Jon
12-01-2014 11:38 AM
I spoke to my NAC vendor; they want a Layer 3 private VLAN. They want the VLAN to talk with the NAC appliance, so I can put that NAC IP in for the SVI. So do I create a normal Layer 2 VLAN with the NAC IP? How do I make this private VLAN so it cannot talk to my network or to the internet?
Thanks
12-01-2014 12:24 PM
John
Not sure I follow.
Is the NAC appliance in an existing VLAN?
If a client needs to be sent to the isolated VLAN, what happens with its existing IP address, i.e. if it is sent to a different VLAN it will need a new IP if it still needs to communicate with the NAC device.
If you want to leave the client with its own IP you could use private VLANs, but that would mean -
1) you would need to do this for each vlan you currently have
and
2) you would still need to use ACLs on the SVI to allow that isolated VLAN to talk to the NAC appliance and only the NAC appliance.
Jon
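An added worked example, not from the thread or any of its posters, covering both of Jon's answers above: the L2-only VLAN with no SVI, and the SVI locked down with an inbound ACL that reaches only the NAC appliance. The IOS config snippets inside it are constructed samples; VLAN 999, the NAC address 10.10.10.5, the ACL name QUARANTINE-IN and the port name are assumptions, not values from the thread. The script parses each config and reports whether the quarantine VLAN actually is isolated, including the case the last question risks (an SVI with an IP but no ACL).

```python
"""Audit a Cisco IOS running-config for a quarantine VLAN: either an L2-only VLAN with
no SVI, or an SVI plus an inbound ACL that only reaches the NAC appliance (all assumed)."""
import re

# Constructed sample 1: quarantine VLAN 999 exists at L2 only; there is no interface Vlan999.
CONFIG_L2_ONLY = """\
vlan 999
 name QUARANTINE
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 999
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
"""

# Constructed sample 2: VLAN 999 has an SVI, but its inbound ACL allows only DHCP and
# traffic to the (assumed) NAC appliance at 10.10.10.5; everything else is dropped.
CONFIG_SVI_ACL = """\
vlan 999
 name QUARANTINE
!
ip access-list extended QUARANTINE-IN
 10 permit udp any eq bootpc any eq bootps
 20 permit ip any host 10.10.10.5
 30 deny ip any any
!
interface Vlan999
 ip address 192.168.99.1 255.255.255.0
 ip helper-address 10.10.10.5
 ip access-group QUARANTINE-IN in
"""

# Constructed sample 3 (the mistake to avoid): same SVI, but the ACL was never applied.
CONFIG_SVI_OPEN = CONFIG_SVI_ACL.replace(" ip access-group QUARANTINE-IN in\n", "")

def _endpoint(tokens, i):
    """Read one ACE endpoint at tokens[i]: any | host A | A WILDCARD, plus an optional port match."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = f"host {tokens[i + 1]}", i + 2
    else:
        addr, i = f"{tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return addr, " ".join(tokens[i:i + 2]), i + 2
    return addr, "", i

def parse_ace(tokens):
    """Parse an extended ACE such as ['permit', 'ip', 'any', 'host', '10.10.10.5']."""
    _src, _sport, i = _endpoint(tokens, 2)
    dst, dport, _ = _endpoint(tokens, i)
    return {"action": tokens[0], "proto": tokens[1], "dst": dst, "dport": dport}

def parse_config(text):
    """Collect VLAN ids, SVIs (with their inbound ACL name) and extended ACL entries."""
    vlans, svis, acls, section = set(), {}, {}, None
    for line in text.splitlines():
        if not line.startswith(" "):            # a top-level command ends any open section
            section = None
            if m := re.match(r"vlan (\d+)$", line):
                vlans.add(int(m.group(1)))
            elif m := re.match(r"interface Vlan(\d+)$", line, re.I):
                section = ("svi", int(m.group(1)))
                svis[section[1]] = {"acl_in": None}
            elif m := re.match(r"ip access-list extended (\S+)$", line):
                section = ("acl", m.group(1))
                acls[section[1]] = []
            continue
        tokens = line.split()
        if section and section[0] == "svi":
            if tokens[:2] == ["ip", "access-group"] and tokens[-1] == "in":
                svis[section[1]]["acl_in"] = tokens[2]
        elif section and section[0] == "acl":
            if tokens[0].isdigit():               # drop the sequence number
                tokens = tokens[1:]
            if tokens[0] in ("permit", "deny"):
                acls[section[1]].append(parse_ace(tokens))
    return {"vlans": vlans, "svis": svis, "acls": acls}

def _permit_ok(ace, nac_ip):
    """A permit is acceptable only if it targets the NAC appliance or is the DHCP exception."""
    return ace["dst"] == f"host {nac_ip}" or (
        ace["proto"] == "udp" and ace["dport"] in ("eq bootps", "eq 67"))

def check_quarantine(config_text, vlan_id, nac_ip):
    """Return (isolated, reason) for the quarantine VLAN in an IOS config."""
    cfg = parse_config(config_text)
    if vlan_id not in cfg["vlans"]:
        return False, f"vlan {vlan_id} is not defined"
    svi = cfg["svis"].get(vlan_id)
    if svi is None:
        return True, f"vlan {vlan_id} has no SVI: L2-only, nothing can route off it"
    acl = svi["acl_in"]
    if acl is None:
        return False, f"interface Vlan{vlan_id} routes with no inbound ACL: clients reach every other VLAN"
    aces = cfg["acls"].get(acl)
    if not aces:
        return False, f"ACL {acl} is applied but empty or undefined, which IOS treats as permit-all"
    bad = [a for a in aces if a["action"] == "permit" and not _permit_ok(a, nac_ip)]
    if bad:
        return False, f"ACL {acl} permits more than the NAC appliance: {bad[0]['proto']} to {bad[0]['dst']}"
    return True, f"Vlan{vlan_id} routes, but ACL {acl} permits only DHCP and {nac_ip}"
```

Running `check_quarantine(cfg, 999, "10.10.10.5")` against the three samples reports the first two as isolated and the third as leaking. The ACL sits inbound on the SVI, so it only governs traffic trying to leave the quarantine VLAN through the switch; hosts inside the VLAN can still talk to each other at L2 unless the ports are also made private-VLAN isolated ports. The DHCP permit is there because, as Jon notes, a client moved into the new VLAN needs a fresh address on that subnet, and the `ip helper-address` relays its request to the NAC appliance; the explicit `deny ip any any` is redundant with the implicit deny but gives you hit counters in `show access-lists`.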
12-01-2014 02:11 PM
Apologies, I didn't mean to endorse this post.