Beginner

Creating a private/isolated vlan on Cisco switch

Hello

I have many Cisco switches (65xx, 37xx) at my company with a lot of vlans already configured. I need to create a new isolation vlan that will not be able to communicate with my other existing vlans. We are setting up a NAC solution at my company and we want a vlan that we can send ports to if the computer or device is compromised, so that it cannot talk to or risk the existing network (other vlans). What is the best method to make this happen?


I have created VLANs in the past, but this is my first time dealing with private/isolated vlans, and I would be grateful for any guidance on how I should implement this.

Hall of Fame Guru


John

If you need a vlan that cannot communicate with any other vlans or any other IP (the internet, for example), then you don't need private vlans. You can just create the vlan at L2 but not create an L3 vlan interface (SVI) for it.

Without an SVI, clients in that vlan will not be able to communicate with anything outside that vlan.

Does this meet your requirements?

Jon

Beginner


Thanks for the feedback. Yes, overall that is what I am trying to do; I don't want anything that gets put on this new isolated vlan to communicate with anything on my existing vlans.

So are you saying I should just create a new L2 vlan and not configure the vlan interface (which is at L3) for this new vlan, so it cannot communicate with any of my existing vlans, therefore isolating the new vlan?

Thanks

Hall of Fame Guru


> So are you saying I should just create a new L2 vlan and not configure the vlan interface (which is at L3) for this new vlan, so it cannot communicate with any of my existing vlans, therefore isolating the new vlan?

Yes, without an SVI, clients in that vlan cannot communicate with anything outside that vlan.

The only thing that wasn't clear was whether these clients should still be able to access the internet even though they couldn't talk to any other internal vlans. If they did need the internet, or any other remote network, then you would need an SVI, but it sounds as though you don't want any external communication for these clients?

Jon

Beginner (accepted solution)

I spoke to my NAC vendor; they want a Layer 3 private vlan. They want the vlan to talk with the NAC appliance, so I can put that NAC IP in for the SVI. So do I create a normal Layer 2 vlan with the NAC IP? How do I make this private vlan so I cannot talk to my network or to the internet?

Thanks

Hall of Fame Guru


John

Not sure I follow.

Is the NAC appliance in an existing vlan?

If a client needs to be sent to the isolated vlan, what happens with its existing IP address? I.e. if it is sent to a different vlan it will need a new IP if it still needs to communicate with the NAC device.

If you want to leave the client with its own IP you could use private vlans, but that would mean:

1) you would need to do this for each vlan you currently have

and

2) you would still need to use acls on the SVI to allow that isolated vlan to talk to the NAC appliance and only the NAC appliance.

Jon
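Jon's two options above, written out as Cisco IOS configuration. This is an added example, not configuration from the thread or from the NAC vendor: option A is the Layer 2 quarantine vlan with no SVI, option B is the SVI-plus-ACL variant that lets quarantined hosts reach only the NAC appliance. VLAN 999, the 10.99.0.0/24 subnet, the NAC appliance address 10.0.0.10 and the port name are constructed placeholders.

```cisco
! ---- Option A: Layer 2 only, no SVI (Jon's first reply) ----
! Nothing routes into or out of VLAN 999; hosts in it see only each other.
vlan 999
 name NAC-QUARANTINE
!
interface GigabitEthernet1/0/10
 description access port the NAC moves a flagged host into
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
!
! Deliberately no "interface Vlan999" on any switch. Check with:
!   show vlan id 999          (ports listed, VLAN active)
!   show ip interface brief   (no Vlan999 entry)

! ---- Option B: SVI plus ACL, reach only the NAC appliance (Jon's last reply) ----
! Applied inbound on the SVI, so it filters traffic leaving the quarantine
! VLAN toward the rest of the network. All addresses are placeholders.
ip access-list extended QUARANTINE-IN
 remark let quarantined hosts obtain an address via DHCP relay
 permit udp any eq bootpc any eq bootps
 remark only the NAC appliance (placeholder 10.0.0.10) is reachable
 permit ip 10.99.0.0 0.0.0.255 host 10.0.0.10
 remark everything else, internal vlans and internet alike, is dropped
 deny ip any any log
!
interface Vlan999
 description NAC quarantine SVI
 ip address 10.99.0.1 255.255.255.0
 ! placeholder: point this at whichever host serves DHCP for the quarantine
 ip helper-address 10.0.0.10
 ip access-group QUARANTINE-IN in
!
! Verify: the deny line's hit count should climb when a quarantined host
! tries to reach any other vlan or the internet.
!   show ip access-lists QUARANTINE-IN
```

With option B the hosts still get a new address in the quarantine subnet; keeping their existing address is the private-vlan case Jon describes, which needs the same kind of ACL on every existing vlan's SVI.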

VIP Advisor

Apologies, didn't mean to endorse this post?



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future