
Isolating VLANS

hi.622823
Level 1

Suppose we have one router connected to an L2 switch, and pc A (in vlan5) and pc B (in vlan 10) are connected to the switch. The router has a default route to the ISP (ie for internet connectivity).

We want pc A and B to access the internet, but they should be isolated from each other. Will private vlans solve this problem?


Francois Tallet
Level 7

To put it short... no. Right now, your two pcs are isolated at layer 2. Private vlan was designed to provide the same isolation from within the same vlan (i.e. A & B would both be in vlan 5, but they still would not be able to communicate directly at L2, as if they were on different vlans). The reason for this feature is that if you want to isolate 10 hosts by segregating them into 10 different vlans, you need 10 IP subnets and you will potentially waste a large range of IP addresses that will be unused on each of them. With private vlan, you just need one subnet for all your segregated hosts.

If you want to isolate A & B at L3, in your scenario as well as with private vlan, you'll need some L3 access lists.

Regards,

Francois

Hi Francois,

Okay, let's forget about private vlans.

In the given scenario, let's say we have some subinterfaces on the router port connected to the switch (eg eth0.5, ip 192.168.5.1/24 and eth0.10, ip 192.168.10.1/24), but NO trunking encapsulation defined. pc A's default gateway is 192.168.5.1/24, and for pc B it's 192.168.10.1/24.

Will this solve the problem? If not, what is needed to achieve the goal for the given scenario?

Thanks.

Without trunking, neither will work.

The way to do this will be with access lists

! Block VLAN 5 <-> VLAN 10 in both directions, permit everything else (internet)
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip any any
!
! Router-on-a-stick: one dot1q subinterface per VLAN, ACL applied inbound on each
interface eth0.5
 encapsulation dot1q 5
 ip address 192.168.5.1 255.255.255.0
 ip access-group 101 in
!
interface eth0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in

I have just done this with a single access list that will block traffic either way to keep things simple.

There are other ways it can be done, but an access list is simpler.

Paul,

Thanks for your response. I see that the above configuration will solve the problem in my post.

Just as a follow up, it seems to me that access-lists are not a scalable solution. If you agree, could you perhaps suggest an alternate methodology?

It depends on how far you want to go. Access lists would be awkward if you were trying to protect hundreds of VLANS, but they could be made simpler with careful address scheme design - if this router had 100 VLANs all using RFC1918 addressing, and you wanted to prevent any VLAN talking to another, but allow them all out to talk to real internet addresses, an access list that blocks RFC1918 to RFC1918 addressing would be a simple access list applied inbound on all local interfaces.

VRF may be a more scalable solution, but it would have to be planned from the start. You would also need to make sure all the support staff understood VRF. Anyone working on live Cisco kit should understand ACLs, so when someone has a problem 3am Sunday morning it can be sorted by the staff on shift. Do something like VRF without training the staff and guess who's getting a 3am call!
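As an added example (my own code, not from the thread), here is a small Python model of IOS ACL evaluation: Cisco wildcard masks (a 0 bit must match, a 1 bit is ignored) and first-match with the implicit trailing deny. It encodes ACL 101 from the reply above and the RFC1918-to-RFC1918 generalisation Paul describes, so you can check which flows a list permits before putting it on a router; the host addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "address wildcard" in Cisco notation, or "any"
    dst: str


def wildcard_match(spec: str, ip: str) -> bool:
    """Cisco wildcard semantics: 0 bits in the mask must match, 1 bits are don't-care."""
    if spec == "any":
        return True
    addr, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for entry in acl:
        if wildcard_match(entry.src, src_ip) and wildcard_match(entry.dst, dst_ip):
            return entry.action
    return "deny"


# ACL 101 as posted in the thread: block VLAN 5 <-> VLAN 10, permit everything else.
ACL_101 = [
    AclEntry("deny", "192.168.5.0 0.0.0.255", "192.168.10.0 0.0.0.255"),
    AclEntry("deny", "192.168.10.0 0.0.0.255", "192.168.5.0 0.0.0.255"),
    AclEntry("permit", "any", "any"),
]

# Paul's scalable variant: deny any RFC1918 source to any RFC1918 destination,
# permit the rest; the same list goes inbound on every VLAN subinterface.
RFC1918 = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]
ACL_RFC1918 = [AclEntry("deny", s, d) for s in RFC1918 for d in RFC1918] + [AclEntry("permit", "any", "any")]


def isolation_report(acl, flows):
    """Map each (src, dst) flow to the ACL decision, to verify a list before deployment."""
    return {flow: evaluate(acl, *flow) for flow in flows}


if __name__ == "__main__":
    # Constructed flows: pcA in VLAN 5, pcB in VLAN 10, 203.0.113.5 standing in for an internet host.
    flows = [("192.168.5.10", "192.168.10.20"), ("192.168.5.10", "203.0.113.5")]
    for (src, dst), decision in isolation_report(ACL_101, flows).items():
        print(f"{src} -> {dst}: {decision}")
```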

The scalability will depend on how many such subnets you can summarize in a single access list. That might be where private vlan could help;-) With private vlans, you don't need many subnets. In fact, you could have all your hosts on a single subnet, in a single private vlan and thus use a single access list.

Regards,

Francois

Okay, let's re-work the scenario for private vlans. So would pc A and B be in a secondary vlan, and the switchport connected to the router a promiscuous vlan?

For the PVLAN, the switchport connected to the router is a trunk. pcA and pcB are in isolated mode.

hi.622823
Level 1

Thanks everyone for your replies.