Isolating a subnet

sahad15978
Level 1

Hi all,

 

I have a subcontractor that I want to give limited access to one machine on my switch. The subcontractor logs in via VPN access to a Cisco 3825. The VPN connection has a unique subnet 192.168.x.x and routes to my layer 3 switch (3750) to VLAN 60, which is mapped to port 47. The machine has a fixed IP of 192.168.x.x.

 

Port 48 on the switch is currently configured as "no switchport" and goes to the router. I considered private VLANs, but I was not sure how to set it up as far as promiscuous ports and the actual port 48. I looked into access lists, but could not get the desired effect of having the machine accessible by VPN and also capable of going to the internet, but with no other access. I think I have been working on this too long and I am just missing a simple step. Any help is appreciated.

 

Thank you

Accepted Solution

Thanks Georg,

 

I ended up following this tutorial https://www.youtube.com/watch?v=BwEcN_bXLkw and was able to block traffic originating from the subcontractor VLAN to my other VLANs as you suggested.

 

I wonder if that is enough for security. I can still ping from machines on my other VLANs to the sub's VLAN... I think I can apply a similar access list on each of the other VLANs.

 

Thanks again

 


4 Replies

Hello,

 

Actually, an access list still sounds like the best option. If your VPN clients are in the 192.168.x.x range, deny IP access from this network to any other network configured on the router, and the last statement should be to allow IP access from 192.168.x.x to any.

 

If possible, post the full running configuration of your 3825.
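As an added illustration (this is not configuration posted by anyone in the thread), the rule ordering Georg describes and the reverse-direction filter the accepted solution wonders about, written as Cisco IOS extended ACLs on the 3750's SVIs. All addresses and interface names are constructed placeholders: a VPN client pool of 192.168.100.0/24 on the 3825, the subcontractor VLAN 60 as 192.168.60.0/24, and two internal VLANs 10 and 20 as 192.168.10.0/24 and 192.168.20.0/24. The ACL is placed on the VLAN 60 SVI (where the accepted solution put it) rather than on the router, because that is the hop every packet from the subcontractor's machine must cross.

```ios
! Added example, not from the thread. Constructed placeholder addressing:
!   VPN client pool      192.168.100.0/24   (terminates on the 3825)
!   subcontractor VLAN   192.168.60.0/24    (VLAN 60, machine on port 47)
!   internal VLANs       192.168.10.0/24 and 192.168.20.0/24
! Replace these with the real subnets before applying anything.

! --- 1. Traffic originating in the subcontractor VLAN ---
! First-match semantics: the explicit denies for internal networks must sit
! above the catch-all permit, otherwise the permit wins and nothing is blocked.
ip access-list extended SUB-VLAN60-IN
 remark the machine may answer the VPN clients
 permit ip 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255
 remark every other internal network is denied explicitly (log for visibility)
 deny   ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip 192.168.60.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 remark last line: anything that is not internal, i.e. the Internet, is allowed
 permit ip 192.168.60.0 0.0.0.255 any
!
interface Vlan60
 ip address 192.168.60.1 255.255.255.0
 ip access-group SUB-VLAN60-IN in

! --- 2. Reverse direction: internal VLANs must not reach the subcontractor VLAN ---
! A stateless ACL only filters the direction it is applied in, so section 1
! does nothing for a ping started from VLAN 10. The same short list is applied
! inbound on each internal SVI.
ip access-list extended BLOCK-TO-VLAN60
 deny   ip any 192.168.60.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip access-group BLOCK-TO-VLAN60 in
!
interface Vlan20
 ip access-group BLOCK-TO-VLAN60 in
```

After applying it, a ping from the subcontractor machine to a VLAN 10 host and a ping from VLAN 10 to the machine should both fail, while the machine still reaches the Internet and the VPN clients still reach the machine; `show ip access-lists` shows the per-line hit counters, so the `log` denies double as a simple detection of the subcontractor probing the rest of the network. The `log` keyword is optional and costs CPU on a 3750, so drop it if the switch is busy.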


Hello,

 

Can you post the running configuration of your router, with the changes you have implemented?

Hello
Can you post a topology diagram on this data flow please?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul