Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
145
Views
0
Helpful
3
Replies

Isolated VLAN That Requires Internet Access Only

dcgtechnologies
Level 1
Level 1

‎10-28-2025 08:19 PM

I am looking to find out the proper configuration for three ports on two 3750X switches to have an isolated network / VLAN that will NOT talk to any other network / VLAN in my environment and only needs internet access. I have two interfaces on one switch and one interface on another switch. Right now, I have all three interfaces configured as access ports to one VLAN called VLAN70. My native vlan is VLAN10 and VLAN70 can access all networks and all other VLAN's and resources and that is what I DO NOT want. What is the best way to configure this? I know this is probably simple for most so it should be pretty easy to answer for a seasoned member. Thank you in advance.

Labels:
0 Helpful
3 Replies 3

Kasun Bandara
VIP
VIP

‎10-28-2025 09:35 PM

hi @dcgtechnologies , as i understood, you have 1 VLAN which should have access to the only internet and other VLANs which can access each other and internet. 

this can achieve by configuring the ACL. ACL can create at the switch where your VLAN interfaces (SVI) (or gateway IP of user) is available. you can create ACL saying that block the internal VLAN IP ranges and allow other traffic. then assign that to the incoming traffic of the VLAN interface (SVI) which you only need internet access.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎10-29-2025 01:00 AM

You need to isolate a VLAN, then you can create another VLAN 71 all the way to where this is required at the endpoint.

This is only a switch in point of view. How is your Internet connection? Where is it terminated?

Do you have any FW or doing NAT? Then that is much easier to create another interface or subinterface (on FW) or in the router, the same way, and make access control to deny any other Local VLAN access and allow only Internet. Do you think this makes sense?

 

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

dcgtechnologies
Level 1
Level 1
In response to balaji.bandi

‎10-29-2025 10:25 AM

Balaji Bandi - Cisco Community Hall of Fame (2024) If my firewall is not capable of using NAT or performing the configuration could I just create the VLAN70 off of Vlan10 as a private vlan? How would the private Vlan configuration look if I am using Vlan10 and then make VLAN70 the private VLAN? I am trying to get my firewall to accomplish what you just stated, but so far no luck. It all makes sense to me, but I am trying to get a Bakup plan if my firewall plan does not work. Thank you.

0 Helpful
Customers Also Viewed These Support Documents