Isolate VLAN X from other VLANs

ralpho1
Level 1

Hello all,

We have a Catalyst 9500 core switch and I want to isolate a specified VLAN (VLAN 5), denying it connections to all other VLANs. Here is a simple configuration and an explanation of what the result should be.

VLAN 2 (Server) 10.1.2.0/24 Gateway VLAN interface 10.1.2.1

VLAN 3 (Client) 10.1.3.0/24 Gateway VLAN interface 10.1.3.1

VLAN 4 (Production) 10.1.4.0/24 Gateway VLAN interface 10.1.4.1

VLAN 5 (Development) 10.1.4.0/24 Gateway VLAN interface 10.1.4.1

VLAN 6 (Transfer VLAN to Firewall) 10.1.6.0/30 Gateway 10.1.6.1

and so on.

Now VLAN 5 (Development) should not be able to communicate with any other VLAN (2 to 4, 6 and above) and should only have access to the Internet. There is a firewall as next hop (VLAN 6) to the Internet, and we have configured Cisco ISE for 802.1X for security.

VLAN 5 needs NTP, DHCP and HTTPS for a start.

I tried to use a named extended ACL on the 9500 on VLAN interface 5, but I can't get a satisfactory result.

I saw some other threads here, but they do not help me. Maybe I have to go another way than ACLs?

Many thanks and regards

Ralph

4 Replies

Enes Simnica
Spotlight

gDay @ralpho1 Yes, you can isolate VLAN 5 using an ACL; you just need to allow the specific services it needs, block all internal subnets, and then permit everything else toward the firewall for Internet access. Also, VLAN 4 and VLAN 5 can't both use 10.1.4.0/24, so fix that first (use these commands; also forgive me if I type something wrong, typing this as I eat lunch HAHA LOOLx2):

ip access-list extended VLAN5_OUT
 ! services VLAN 5 needs first (replace the placeholders with the real server addresses)
 permit udp any host <dhcp_server> eq bootps
 permit udp any host <ntp_server> eq ntp
 permit tcp any host <ise_IP> eq 443
 ! then block every internal (RFC 1918) destination, which covers VLANs 2-4 and 6
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 ! everything left is Internet traffic heading for the firewall
 permit ip any any

and also this one for the end (the name in ip access-group must match the ACL defined above, and "in" on the SVI is the direction that filters traffic sourced by the VLAN 5 hosts):

interface Vlan5
 ip access-group VLAN5_OUT in

hope it helps and PEACE!


-Enes

more Cisco?!
more Gym?!



If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!
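As an added check that is not part of the thread, the following Python model applies IOS first-match ACL semantics to Enes' VLAN5_OUT entries so the policy can be tested against sample flows before it goes on the switch. The three server addresses, the VLAN 5 host 10.1.5.20 and its gateway 10.1.5.1 are constructed placeholders, not values from the thread.

```python
import ipaddress
# Constructed placeholders for the servers the ACL refers to (assumption, not from the thread).
DHCP_SERVER, NTP_SERVER, ISE_IP = "10.1.2.10", "10.1.2.11", "10.1.2.12"
PORT_NAMES = {"bootps": 67, "bootpc": 68, "ntp": 123, "https": 443}

def take_addr(tok):
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' (Cisco wildcard: 1 bits = don't care).
    t = tok.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tok.pop(0) + "/32")
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok.pop(0))))
    return ipaddress.IPv4Network((t, str(mask)), strict=False)

def take_port(tok):
    # Consume an optional 'eq <port>' qualifier (the only port operator this ACL uses).
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None

def parse_acl(text):
    aces = []  # entries as (action, proto, src_net, dst_net, dst_port or None)
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):      # skip the header line and blanks
            action, proto, rest = tok[0], tok[1], tok[2:]
            src = take_addr(rest); take_port(rest)     # source port is not filtered here
            dst = take_addr(rest); dport = take_port(rest)
            aces.append((action, proto, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    # IOS semantics: first matching entry wins; implicit deny when nothing matches.
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, sn, dn, dp in aces:
        if p in ("ip", proto) and s in sn and d in dn and dp in (None, dport):
            return action
    return "deny"

VLAN5_OUT = parse_acl(f"""ip access-list extended VLAN5_OUT
 permit udp any host {DHCP_SERVER} eq bootps
 permit udp any host {NTP_SERVER} eq ntp
 permit tcp any host {ISE_IP} eq 443
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any""")
```

Calling evaluate(VLAN5_OUT, "icmp", "10.1.5.20", "10.1.5.1") returns deny: with this ACL applied inbound on the VLAN 5 SVI, a VLAN 5 host cannot even ping its own gateway, which is worth knowing before troubleshooting. A DHCP discover from 0.0.0.0 to 255.255.255.255 still passes because it falls through to the final permit.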

Hi Enes, many thanks, this sounds good to me. Oh, I see the mistake with VLAN 5; I read it two times, but on the configuration side it is right. I will give it a try and respond here.

Best regards, Ralph

Joseph W. Doherty
Hall of Fame

Another option you might consider is placing VLAN 5 into a separate VRF, which would also allow VLANs 4 and 5 to use the same /24, but your requirements for accessing the Internet and other (shared?) services probably make using a VRF additionally complex vs. just using ACLs, for no real benefit.

ralpho1
Level 1

Joseph, I will follow your advice. Thanks to all for your ideas.