isolate single vlan from intervlan routing in cisco switch

ahnoman231
Level 1

Hi,

I have Cisco 3750X switches connected in series. There are currently six VLANs configured with inter-VLAN routing (VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50, and VLAN 60). All these VLANs can communicate and send traffic in and out with each other.

I have recently got a Cisco AP (AIR-CAP3702I-K-K9) in an autonomous setup (without a WLC) and have configured it as below.

Two SSIDs are being broadcast.

SSID1 is tagged with VLAN 40 and SSID2 is tagged with VLAN 60 (a user who connects to SSID2 will be tagged with VLAN 60 and get DHCP from the VLAN 60 pool via the domain controller).

I have configured the switch port as below:

interface GigabitEthernet1/0/40
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport trunk allowed vlan 40,60
switchport mode trunk
spanning-tree portfast

In this way, the AP will get an IP in VLAN 60, and users connected to either SSID will fall into their respective VLAN as shown above.

My concern is to block incoming and outgoing traffic between VLAN 60 and all the other VLANs in the network, so that a guest user who joins SSID2 falls into VLAN 60 without having access to the other VLANs.

I've included the configurations below for the switch.


interface Vlan1
no ip address
!
interface Vlan10
ip address 172.16.1.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan20
ip address 172.16.2.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan30
ip address 172.16.3.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan40
ip address 172.16.4.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan50
ip address 172.16.5.100 255.255.255.128
!
interface Vlan60
ip address 172.16.6.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan100
ip address 192.168.10.10 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip http server
ip http secure-server
!
ip access-list standard telnet-access
!
access-list 1 permit 192.168.10.10
access-list 1 permit 172.16.0.1
access-list 101 permit ip any any
!
Please advise how to configure the switch to achieve the above outcome.
4 Replies

marce1000
VIP
 - Just make sure that VLAN60 remains isolated, does not take part in inter-VLAN routing (intranet), and/or has route(s) to the 'outside world' only.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hi @marce1000 

What should be the configuration on the switch? What commands/steps I should follow? 

ahnoman231
Level 1

Please Help!!!

The first thing I would point out is that your configured default route is not correct: ip route 0.0.0.0 0.0.0.0 172.16.0.1. The problem is that there is not anything in your config that identifies where subnet 172.16.0.0 is.

Am I correct in understanding that you want any device connecting to vlan 60 to have access to the DHCP server in vlan 50 but to have no access to any other devices in the other connected vlans/subnets? If so I suggest something like this:

access-list 160 remark guest VLAN 60: DHCP server only, no other internal subnets, everything else out
access-list 160 permit ip 172.16.6.0 0.0.0.127 host 172.16.5.5
access-list 160 deny ip 172.16.6.0 0.0.0.127 172.16.0.0 0.0.255.255
access-list 160 permit ip 172.16.6.0 0.0.0.127 any
!
interface Vlan60
 ip access-group 160 in

HTH

Rick
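To see exactly what the ACL suggested in the reply above does to guest traffic before putting it on a production SVI, here is an added example (not from the thread, not Cisco's code): a small evaluator for IOS numbered extended ACL lines with first-match semantics and the implicit deny at the end. It understands the subset this policy uses (ip/udp/tcp, any, host, address plus contiguous wildcard mask, and eq <port>); object-groups, port ranges and non-contiguous wildcards are out of scope. The packets are constructed sample data with made-up guest and destination hosts, and the second ACL variant with a leading bootpc/bootps entry is my own addition, not something the reply proposed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}  # IOS port keywords (subset)

@dataclass
class Packet:           # a routed packet as the SVI inbound ACL sees it (constructed sample data)
    src: str
    dst: str
    proto: str = "ip"   # "ip", "udp" or "tcp"
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Ace:              # one access-list entry; proto "ip" matches any IP protocol
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of the subnet mask (contiguous masks only here).
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2

def _opt_port(tokens, i):
    """Optional 'eq <port>' qualifier after an address; the port may be a keyword or a number."""
    if i < len(tokens) and tokens[i] == "eq":
        return PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]' lines, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _opt_port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _opt_port(t, i)
        aces.append(Ace(t[2], t[3], src, sport, dst, dport))
    return aces

def _matches(ace, p):
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in ace.src or ipaddress.ip_address(p.dst) not in ace.dst:
        return False
    if ace.sport is not None and p.sport != ace.sport:
        return False
    return ace.dport is None or p.dport == ace.dport

def evaluate(aces, p):
    """First match wins: returns (action, 1-based ACE number), or ('deny', 0) for the implicit deny."""
    for n, ace in enumerate(aces, 1):
        if _matches(ace, p):
            return ace.action, n
    return "deny", 0

# The ACL from the reply above, verbatim.
ACL_160 = """
access-list 160 permit ip 172.16.6.0 0.0.0.127 host 172.16.5.5
access-list 160 deny ip 172.16.6.0 0.0.0.127 172.16.0.0 0.0.255.255
access-list 160 permit ip 172.16.6.0 0.0.0.127 any
"""
# Hypothetical variant (my addition): a leading entry for the client's initial DHCP DISCOVER,
# which is sourced from 0.0.0.0 and therefore cannot match any 172.16.6.0/25 source line.
ACL_160_DHCP = "access-list 160 permit udp any eq bootpc any eq bootps\n" + ACL_160

def guest_checks(acl_text):
    """Run constructed guest-VLAN packets through the policy; the hosts are made up for the demo."""
    aces = parse_acl(acl_text)
    samples = {
        "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
        "dhcp_renew":    Packet("172.16.6.10", "172.16.5.5", "udp", 68, 67),
        "to_vlan10":     Packet("172.16.6.10", "172.16.1.5", "tcp", 40000, 445),
        "to_switch_svi": Packet("172.16.6.10", "172.16.6.100", "tcp", 40000, 80),
        "to_internet":   Packet("172.16.6.10", "203.0.113.7", "tcp", 40000, 443),
    }
    return {name: evaluate(aces, p) for name, p in samples.items()}

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_160), ("with DHCP entry", ACL_160_DHCP)):
        print(f"ACL 160 {label}:", guest_checks(acl))
```

Three things the evaluator makes visible that the config lines alone do not. First, the deny line also covers the switch's own SVI address 172.16.6.100, which matters because the posted config has ip http server and ip http secure-server enabled. Second, an inbound ACL on Vlan60 only sees traffic that leaves VLAN 60 through the router: guest-to-guest traffic and guest traffic to the AP's management address (which the original post places in VLAN 60 as well) is switched at layer 2 and is never filtered here, and hosts in the other VLANs can still initiate connections toward guests unless their own SVIs filter in the other direction. Third, the client's first DHCP DISCOVER is sourced from 0.0.0.0, so under the posted ACL it lands on the implicit deny in this model; whether the switch applies the SVI inbound ACL before relaying that broadcast via ip helper-address should be confirmed on the platform, and the variant with the explicit bootpc/bootps entry makes the intent unambiguous either way.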