03-18-2021 12:03 PM
Hi,
We are managing multiple offices which ask for public IPs (if required by them). We have a pool of multiple public IP addresses and we give them an IP from the pool to use on their router at their end. We have 2 VLANs set up on our layer 3 switch, public VLAN 200 and private VLAN 50, which has DHCP running. The main gateway connection comes from the ISP switch port to our switch.
Now my question is: one of the users in the public VLAN has a bunch of public IPs from us and we want to isolate them within VLAN 200 using a private VLAN.
Where should I start? If I make VLAN 200 the primary for the private VLAN, will it create any disconnection in our current setup? I am also remote and my connection is also coming from VLAN 200. Can I make changes in the current setup or do I have to start from scratch by going onsite?
I hope I am able to clarify my question, thanks
03-21-2021 04:42 PM - edited 03-21-2021 04:48 PM
Hello
@Talha wrote:
case here is a client in vlan 200 wants to isolate himself from other clients in same vlan 200
Try the following vlan access map example:
! Host 200.0.0.1 <-> anything else in 200.0.0.0/24, both directions
access-list 101 permit ip host 200.0.0.1 200.0.0.0 0.0.0.255
access-list 101 permit ip 200.0.0.0 0.0.0.255 host 200.0.0.1
! Sequence 10: drop what ACL 101 matches
vlan access-map Vl200_host 10
 match ip address 101
 action drop
! Sequence 99: catch-all, forward everything else
vlan access-map Vl200_host 99
 action forward
vlan filter Vl200_host vlan-list 200
03-18-2021 02:29 PM
Hello Talha
Based on your description and request, it's not PVLAN you require but a security policy to deny certain public hosts from accessing your VLAN 50. Would this be correct, or is it that you are actually running PVLAN at this time?
03-18-2021 04:19 PM - edited 03-18-2021 04:22 PM
hi Paul,
Apologies if I couldn't describe my case properly, but actually the case here is a client in VLAN 200 wants to isolate himself from other clients in the same VLAN 200 and I am thinking of configuring a PVLAN to isolate him. He ran a security vulnerability check and his check is picking up other public IPs in our public VLAN. Please ignore VLAN 50 as I just added it to give you an idea of our network. I am attaching a basic diagram of our network here as well. What are my options? I thought a PVLAN would do the job, but I am not sure where to start in my current scenario.
03-22-2021 02:51 AM
03-22-2021 03:50 AM - edited 03-22-2021 03:52 AM
Hello
Just amend the ACL to accommodate (please make sure the ACL number is not already being used!).
Example:
access-list 101 permit ip host 207.x.x.89 207.x.x.0 0.0.255.255
access-list 101 permit ip 207.x.x.0 0.0.255.255 host 207.x.x.89
access-list 101 permit ip host 207.x.x.90 207.x.x.0 0.0.255.255
access-list 101 permit ip 207.x.x.0 0.0.255.255 host 207.x.x.90
etc..
03-22-2021 05:33 AM - edited 03-22-2021 05:48 AM
Sure, thanks, let me give it a try with the reload at command, just in case.
And can you tell me what the 99 is in this line below that you wrote earlier? Also, the wildcard mask is different from your earlier reply, is that deliberate?
vlan access-map Vl200_host 99
03-22-2021 05:48 AM
Hello
It's a catch-all stanza (i.e. permit ip any any).
03-22-2021 06:30 AM
I see ok.
Can you please also confirm the wildcard mask in the ACLs, should it be 0.0.0.255 or 0.0.255.255? Thanks
03-22-2021 06:34 AM
Hello
@Talha wrote:
207.x.x.89 to 207.x.x.93 in a 16 IP pool, then how will this VLAN filter look? Should I then add each IP in
Can you please also confirm the wildcard mask in the ACLs, should it be 0.0.0.255 or 0.0.255.255? Thanks
207.x.x.0/16 = 207.x.x.0 0.0.255.255
03-22-2021 06:40 AM
Sorry, just verified, it's a pool of 32 IP addresses with a subnet mask of 255.255.255.224.
03-22-2021 06:47 AM
Hello
Okay, then the ACL will need to be changed to accommodate a /27 subnet and whichever range those hosts reside in:
207.x.x.0/27 = 207.x.x.0 0.0.0.31
207.x.x.32/27 = 207.x.x.32 0.0.0.31
207.x.x.64/27 = 207.x.x.64 0.0.0.31
207.x.x.96/27 = 207.x.x.96 0.0.0.31
etc...
03-22-2021 06:50 AM
Thanks a lot Paul, will try it and follow up.
03-22-2021 06:57 AM
Maybe I am over-cautious, sorry to bug you here.
Do I have to explicitly allow the gateway, as it is part of the same pool? What I understood is that we are denying the traffic from his IPs to the whole VLAN 200 network. Let's say the gateway is .65, wouldn't it block his internet access?
03-22-2021 07:09 AM
Hello
No, just specify the end host IP addressing to/from the subnet, that's it. No need to specify any gateway address, just be specific on the host IP addresses.
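As an added example (my own code, not from this thread or from Cisco), a Python helper that computes the wildcard masks discussed above (/16 -> 0.0.255.255, /27 -> 0.0.0.31) and emits the ACL plus access-map lines for a set of hosts in one /27. The 203.0.113.x sample addresses, the ACL numbers 100/101 and the optional gateway exemption (sequence 10, forwarded before the drop entry, since a VACL also filters frames bridged to the gateway port) are my assumptions.

```python
import ipaddress


def wildcard(prefix_len: int) -> str:
    """Cisco wildcard (inverse) mask for a prefix length: /27 -> 0.0.0.31, /16 -> 0.0.255.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def block_for(host: str, prefix_len: int) -> tuple:
    """Network address and wildcard of the prefix_len block that contains host."""
    net = ipaddress.IPv4Network(f"{host}/{prefix_len}", strict=False)
    return str(net.network_address), str(net.hostmask)


def build_vacl(hosts, prefix_len, gateway=None, name="Vl200_host", vlan=200):
    """Emit the VLAN access-map that isolates `hosts` from the rest of their subnet.

    Every host (and the gateway, if given) must sit in the same prefix_len block;
    otherwise the ACL would silently miss traffic, so we refuse instead.
    """
    net_addr, wc = block_for(hosts[0], prefix_len)
    block = ipaddress.IPv4Network(f"{net_addr}/{prefix_len}")
    for addr in list(hosts) + ([gateway] if gateway else []):
        if ipaddress.IPv4Address(addr) not in block:
            raise ValueError(f"{addr} is outside {block}")
    lines = []
    if gateway:
        # Assumed exemption: host<->gateway is matched first and forwarded, because the
        # VACL also filters frames bridged to the gateway port inside the VLAN.
        for h in hosts:
            lines.append(f"access-list 100 permit ip host {h} host {gateway}")
            lines.append(f"access-list 100 permit ip host {gateway} host {h}")
    for h in hosts:  # host <-> anything else in the block, both directions
        lines.append(f"access-list 101 permit ip host {h} {net_addr} {wc}")
        lines.append(f"access-list 101 permit ip {net_addr} {wc} host {h}")
    seq = 10
    if gateway:
        lines += [f"vlan access-map {name} {seq}", " match ip address 100", " action forward"]
        seq += 10
    lines += [f"vlan access-map {name} {seq}", " match ip address 101", " action drop"]
    lines += [f"vlan access-map {name} 99", " action forward"]  # catch-all, like permit ip any any
    lines.append(f"vlan filter {name} vlan-list {vlan}")
    return lines


if __name__ == "__main__":
    # Constructed sample: five client IPs and the .65 gateway inside one /27 (TEST-NET-3 range).
    clients = [f"203.0.113.{n}" for n in range(89, 94)]
    print("\n".join(build_vacl(clients, 27, gateway="203.0.113.65")))
```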