10-11-2007 09:20 PM - edited 03-05-2019 07:02 PM
Suppose we have one router connected to an L2 switch, and pc A (in vlan5) and pc B (in vlan 10) are connected to the switch. The router has a default route to the ISP (ie for internet connectivity).
We want pc A and B to access the internet, but they should be isolated from each other. Will private vlans solve this problem?
10-11-2007 09:55 PM
To put it short... no. Right now, your two PCs are isolated at layer 2. Private vlan was designed to provide the same isolation from within the same vlan (i.e. A & B would both be in vlan 5, but they still would not be able to communicate directly at L2, as if they were on different vlans). The reason for this feature is that if you want to isolate 10 hosts by segregating them in 10 different vlans, you need 10 IP subnets and you will potentially waste a large range of IP addresses that will be unused on each of them. With private vlan, you just need one subnet for all your segregated hosts.
If you want to isolate A & B at L3, in your scenario as well as with private vlan, you'll need some L3 access lists.
Regards,
Francois
10-11-2007 11:38 PM
Hi Francois,
Okay, let's forget about private vlans.
In the given scenario, let's say we have some subinterfaces on the router port connected to the switch (eg eth0.5, ip 192.168.5.1/24 and eth0.10, ip 192.168.10.1/24), but NO trunking encapsulation defined. pc A's default gateway is 192.168.5.1/24, and for pc B it's 192.168.10.1/24.
Will this solve the problem? If not, what is needed to achieve the goal for the given scenario?
Thanks.
10-11-2007 11:56 PM
Without trunking, neither will work.
The way to do this will be with access lists:
! Block traffic between the two PC subnets in both directions, allow everything else
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip any any
! Router subinterfaces, one per vlan, with the ACL applied inbound on each
interface eth0.5
 encapsulation dot1q 5
 ip address 192.168.5.1 255.255.255.0
 ip access-group 101 in
interface eth0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in
I have just done this with a single access list that will block traffic either way to keep things simple.
There are other ways it can be done, but an access list is simpler.
10-12-2007 12:31 AM
Paul,
Thanks for your response. I see that the above configuration will solve the problem in my post.
Just as a follow up, it seems to me that access-lists are not a scalable solution. If you agree, could you perhaps suggest an alternate methodology?
10-12-2007 12:44 AM
It depends on how far you want to go. Access lists would be awkward if you were trying to protect hundreds of VLANS, but they could be made simpler with careful address scheme design - if this router had 100 VLANs all using RFC1918 addressing, and you wanted to prevent any VLAN talking to another, but allow them all out to talk to real internet addresses, an access list that blocks RFC1918 to RFC1918 addressing would be a simple access list applied inbound on all local interfaces.
VRF may be a more scalable solution, but it would have to be planned from the start. You would also need to make sure all the support staff understood VRF. Anyone working on live Cisco kit should understand ACLs, so when someone has a problem 3am Sunday morning it can be sorted by the staff on shift. Do something like VRF without training the staff and guess who's getting a 3am call!
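To check how Paul's access-list 101 and the generalised "RFC1918 to RFC1918" list from his follow-up behave before applying them, here is an added evaluator (constructed for this thread, not code from the thread or from Cisco) that matches IPv4 addresses the way IOS wildcard masks do and walks the entries in order with the implicit deny at the end. The RFC1918 list layout is my assumption of what Paul describes: one deny per pair of private ranges, then permit any any.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS wildcard (inverse) mask: bits set in the wildcard are 'don't care',
    every other bit of addr must equal the corresponding bit of network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def evaluate_acl(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is network 0.0.0.0, wildcard all ones

# access-list 101 as posted in the thread, applied inbound on eth0.5 and eth0.10
ACL_101 = [
    ("deny",   "192.168.5.0",  "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("deny",   "192.168.10.0", "0.0.0.255", "192.168.5.0",  "0.0.0.255"),
    ("permit", *ANY, *ANY),
]

# Assumed layout of the "block RFC1918 to RFC1918" list from the follow-up:
# deny every private-range pair, then permit any any (real internet addresses).
RFC1918 = [
    ("10.0.0.0",    "0.255.255.255"),
    ("172.16.0.0",  "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
]
ACL_RFC1918 = [("deny", s, sw, d, dw) for s, sw in RFC1918 for d, dw in RFC1918]
ACL_RFC1918.append(("permit", *ANY, *ANY))

if __name__ == "__main__":
    # Constructed sample flows: PC A (vlan 5), PC B (vlan 10), an internet host
    for acl_name, acl in (("101", ACL_101), ("RFC1918", ACL_RFC1918)):
        for src, dst in (("192.168.5.10", "192.168.10.20"),
                         ("192.168.10.20", "192.168.5.10"),
                         ("192.168.5.10", "203.0.113.5")):
            print(f"acl {acl_name}: {src} -> {dst}: {evaluate_acl(acl, src, dst)}")
```

Note that the RFC1918 list also denies a host's traffic to the router's own private-addressed interfaces and to any internal servers (DNS, DHCP relays and so on), so those destinations need explicit permit entries placed above the deny lines.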
10-12-2007 08:35 AM
The scalability will depend on how many such subnets you can summarize in a single access list. That might be where private vlan could help;-) With private vlans, you don't need many subnets. In fact, you could have all your hosts on a single subnet, in a single private vlan and thus use a single access list.
Regards,
Francois
10-13-2007 01:03 AM
Okay, let's re-work the scenario for private vlans. So would pc A and B be in a secondary vlan, and the switchport connected to the router a promiscuous port?
10-13-2007 03:52 PM
For the PVLAN, the switchport connected to the router is a trunk. PC A and PC B are in isolated mode.
10-12-2007 12:55 AM
Thanks everyone for your replies.