
Setting up private vlan with our current setup

Talha

Hi,
We are managing multiple offices which ask for public IPs (if required by them). We have a pool of multiple public IP addresses and we give them IPs from the pool to use on their router on their end. We have 2 VLANs set up on our layer 3 switch, public vlan 200 and private vlan 50 which has DHCP running. The main gateway connection is coming from the ISP switch port to our switch.
Now my question is: one of the users in the public VLAN has a bunch of public IPs from us and we want to isolate them within vlan 200 using a private VLAN.
Where should I start? If I make vlan 200 the primary for the private VLAN, will it create any disconnection in our current setup? I am also remote and my connection is also coming from vlan 200. Can I make changes in the current setup, or do I have to start from scratch by going onsite?


I hope I am able to clarify my question, thanks



Hello Talha
Based on your description and request it's not PVLAN you require but a security policy to deny certain public hosts from accessing your vlan 50. Would this be correct, or is it that you are actually running PVLAN at this time?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

hi Paul,

Apologies if I couldn't describe my case properly, but actually the case here is a client in vlan 200 wants to isolate himself from other clients in the same vlan 200 and I am thinking to configure PVLAN to isolate him. He ran a security vulnerability check and his check is picking up other public IPs in our public VLAN. Please ignore vlan 50 as I just added it to give you an idea about our network. I am attaching a basic diagram here as well of our network. What are my options? I thought a PVLAN would do the job! But I am not sure where to start in my current scenario.

Hello


@Talha wrote:

case here is a client in vlan 200 wants to isolate himself from other clients in same vlan 200

Try the following vlan access map example:

! ACL 101 selects the flows to isolate: the host to the rest of the subnet, and the subnet back to the host.
! "permit" here only selects traffic; the access-map below decides what happens to it.
access-list 101 permit ip host 200.0.0.1 200.0.0.0 0.0.0.255
access-list 101 permit ip 200.0.0.0 0.0.0.255 host 200.0.0.1

! Sequence 10 (the default when no number is given): drop whatever ACL 101 matches.
vlan access-map Vl200_host
match ip address 101
action drop
! Sequence 99: no match clause, so it matches all remaining traffic; the default action is forward.
vlan access-map Vl200_host 99

! Apply the map to VLAN 200.
vlan filter Vl200_host vlan-list 200




Kind Regards
Paul

Hi Paul,
Thanks for the response
If he has IPs 207.x.x.89 to 207.x.x.93 in a 16-IP pool, then what will this VLAN filter look like? Should I then add each IP on a separate line?

Hello

Just amend the ACL to accommodate. (Please make sure the ACL number is not already being used!)
Example:

access-list 101 permit ip host 207.x.x.89 207.0.0.0 0.0.255.255
access-list 101 permit ip 207.x.x.0 0.0.255.255  host 207.x.x.89

access-list 101 permit ip host 207.x.x.90 207.0.0.0 0.0.255.255
access-list 101 permit ip 207.x.x.0 0.0.255.255  host 207.x.x.90

etc..



Kind Regards
Paul

Sure, thanks, let me give it a try with the reload at command, just in case.
And can you tell me what the 99 is in this line below that you wrote earlier? Also, the wildcard mask is different from the earlier reply, is that deliberate?

vlan access-map Vl200_host 99

Hello

It's a catch-all stanza (i.e. permit ip any any).



Kind Regards
Paul

I see ok.

Can you please also confirm the wildcard mask in the ACLs, should it be 0.0.0.255 or 0.0.255.255? Thanks

Hello


@Talha wrote:

207.x.x.89 to 207.x.x.93 in a 16 ip pool then how will this vlan filter look like? Should i then add each ip in

Can you please also confirm the wild card mask in the ACLs, should it be 0.0.0.255 or 0.0.255.255? thanks


207.x.x.0/16  = 207.x.x.0 0.0.255.255 




Kind Regards
Paul

Sorry, just verified, it's a pool of 32 IP addresses with a subnet mask of 255.255.255.224

Hello

Okay, then the ACL will need to be changed to accommodate a /27 subnet and whichever range those hosts reside in:

207.x.x.0/27  = 207.x.x.0 0.0.0.31

207.x.x.32/27  = 207.x.x.32 0.0.0.31

207.x.x.64/27  = 207.x.x.64 0.0.0.31

207.x.x.96/27  = 207.x.x.96 0.0.0.31

etc...



Kind Regards
Paul

Thanks a lot Paul, will try it and follow up.

Maybe I am overcautious, sorry to bug you here.

Do I have to explicitly allow the gateway, as it is part of the same pool? What I understood is that we are denying the traffic from his IPs to the whole vlan 200 network. Let's say the gateway is .65, wouldn't it block his internet access?

Hello

No, just specify the end host IP addressing to/from the subnet, that's it. No need to specify any gateway address, just be specific on the host IP addresses.



Kind Regards
Paul
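As an added example (not from Paul, Talha, or Cisco), the following Python model lets you check the VACL pattern from this thread offline before applying it: it reproduces IOS wildcard-mask matching, builds the ACL 101 entries for a list of isolated hosts, and evaluates the access-map in sequence order (sequence 10 drops what ACL 101 matches, sequence 99 has no match clause and forwards the rest). All addresses are constructed: the client's /27 is assumed to be 203.0.113.64/27 (an RFC 5737 documentation range standing in for the thread's 207.x.x.x), with the client's hosts at .89 to .93 and the gateway at .65. It answers the three questions raised above: the wildcard for a /16 is 0.0.255.255 and for a /27 it is 0.0.0.31; transit traffic to the internet is not matched because its destination lies outside the /27, so the gateway needs no special entry; and traffic addressed to the gateway's own IP (such as a ping to .65), or between two of the client's own hosts, does match and is dropped, which is worth knowing before deployment.

```python
"""Offline model of the 'host <-> subnet' VACL isolation pattern.

Constructed assumptions for this example (not taken from the thread):
  - client's subnet: 203.0.113.64/27, gateway 203.0.113.65
  - client's isolated hosts: 203.0.113.89 .. 203.0.113.93
"""
import ipaddress

HOST = "0.0.0.0"  # 'host X' in IOS means X with wildcard 0.0.0.0


def wildcard_for_prefix(prefix_len: int) -> str:
    """IOS wildcard mask for a prefix length, e.g. 27 -> '0.0.0.31'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").hostmask)


def in_range(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def isolation_acl(hosts, subnet_base, wildcard):
    """Build the ACL pattern from the thread: for each isolated host one entry
    host -> subnet and one entry subnet -> host. 'permit' only selects the
    traffic here; the access-map decides what happens to it."""
    acl = []
    for h in hosts:
        acl.append((h, HOST, subnet_base, wildcard))
        acl.append((subnet_base, wildcard, h, HOST))
    return acl


def render_acl(number, acl):
    """Emit the equivalent 'access-list N permit ip ...' lines."""
    def fmt(base, wc):
        return f"host {base}" if wc == HOST else f"{base} {wc}"
    return [f"access-list {number} permit ip {fmt(sb, sw)} {fmt(db, dw)}"
            for sb, sw, db, dw in acl]


def acl_permits(acl, src, dst):
    """True if any ACL entry matches the src/dst pair (first-match is enough)."""
    return any(in_range(src, sb, sw) and in_range(dst, db, dw)
               for sb, sw, db, dw in acl)


def vacl_action(acl, src, dst):
    """Sequence 10: 'match ip address <acl>' -> action drop.
    Sequence 99: no match clause matches everything left; default action is forward."""
    if acl_permits(acl, src, dst):
        return "drop"
    return "forward"


# Constructed sample data mirroring the thread's scenario.
CLIENT_HOSTS = [f"203.0.113.{n}" for n in range(89, 94)]
SUBNET_BASE = "203.0.113.64"
WILDCARD = wildcard_for_prefix(27)          # '0.0.0.31'
ACL101 = isolation_acl(CLIENT_HOSTS, SUBNET_BASE, WILDCARD)

if __name__ == "__main__":
    for line in render_acl(101, ACL101):
        print(line)
    checks = [
        ("203.0.113.89", "203.0.113.70"),    # client host -> neighbour in /27
        ("203.0.113.70", "203.0.113.89"),    # neighbour -> client host
        ("203.0.113.89", "198.51.100.10"),   # client host -> internet (transit)
        ("203.0.113.89", "203.0.113.65"),    # client host -> gateway's own IP
        ("203.0.113.89", "203.0.113.90"),    # between two of the client's hosts
        ("203.0.113.70", "203.0.113.71"),    # two unrelated hosts in the /27
    ]
    for src, dst in checks:
        print(f"{src} -> {dst}: {vacl_action(ACL101, src, dst)}")
```

The model covers only what an IP access-list in a VACL sees, which is all the thread's configuration filters; non-IP frames such as ARP are not matched by an IP access-list, so the check above says nothing about them.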