Vlan isolated from rest of network

Jah8887
Level 1

Hi all,

I am in the process of isolating a VLAN from the rest of the network. I only want this VLAN's end devices to be able to go to the internet and nothing else. I have looked at the GUI for private VLAN creation, but I was also wondering if it would be easier to make an ACL instead? I have attached the switch's configuration.

Vlan 1 - Internal

Vlan 9 - Testing needs isolating and connection to internet only.

Vlan 10 - Public


config-file-header
BSW2
v2.3.0.130 / RLINUX_913_193
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink te
unit-type unit 2 network gi uplink te
unit-type unit 3 network gi uplink te
unit-type unit 4 network gi uplink te
unit-type unit 5 network gi uplink te
unit-type unit 6 network gi uplink te
unit-type unit 7 network gi uplink te
unit-type unit 8 network gi uplink te
unit-type-control-end
!
vlan database
vlan 9-10
exit
interface vlan 1
private-vlan primary
exit
interface vlan 9
private-vlan isolated
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp server
ip dhcp pool network Testing
address low 192.168.9.50 high 192.168.9.54 255.255.255.0
lease 8
dns-server 208.67.222.222
exit
ip dhcp pool network "Pub Wireles"
address low 192.168.10.140 high 192.168.10.160 255.255.255.0
lease 8
default-router 192.168.10.3
dns-server 208.67.222.222
exit
bonjour interface range vlan 1
hostname BSW2
line console
exec-timeout 5
exit
line ssh
exec-timeout 5
exit
line telnet
exec-timeout 5
exit
username -------- password encrypted 6ca1abfa2ab82599f5277ec0a5786098feb01bb4 privilege 15
ip ssh server
ip http timeout-policy 300
ip domain name -----------
ip name-server  208.67.222.222
!
interface vlan 1
 name Internal
 no ip address dhcp
 private-vlan association add 9
!
interface vlan 9
 name Testing
!
interface vlan 10
 name "Public Poe"
 ip address 192.168.10.150 255.255.255.0
!
interface GigabitEthernet1/0/1
 spanning-tree link-type point-to-point
 switchport access vlan 10
 macro description "switch "
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/2
 spanning-tree link-type point-to-point
 switchport access vlan 10
 macro description "switch "
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 spanning-tree link-type point-to-point
 switchport access vlan 10
 macro description "switch "
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/5
 switchport access vlan 9
 switchport trunk native vlan none
!
interface GigabitEthernet1/0/6
 switchport access vlan 9
 switchport trunk native vlan none
!
interface GigabitEthernet1/0/10
 spanning-tree link-type point-to-point
 macro description "switch "
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/11
 spanning-tree link-type point-to-point
 macro description "switch "
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/12
 spanning-tree link-type point-to-point
 switchport protected-port
 macro description "switch "
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/13
 switchport access vlan 10
!
interface GigabitEthernet1/0/14
 switchport access vlan 10
!
interface GigabitEthernet1/0/15
 switchport access vlan 10
!
interface GigabitEthernet1/0/16
 switchport access vlan 10
!
interface GigabitEthernet1/0/17
 spanning-tree link-type point-to-point
 switchport access vlan 9
 switchport trunk native vlan none
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/18
 switchport access vlan 9
 switchport trunk native vlan none
!
interface GigabitEthernet1/0/23
 spanning-tree link-type point-to-point
 switchport general allowed vlan add 9 tagged
 switchport trunk native vlan none
 macro description "switch "
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/24
 storm-control broadcast level 10
 spanning-tree link-type point-to-point
 switchport trunk allowed vlan remove 1-8,11-4094
 macro description router
 macro auto smartport type router $native_vlan 9
!
interface TengigabitEthernet1/0/1
 spanning-tree link-type point-to-point
 switchport access vlan none
 macro description "switch "
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface TengigabitEthernet1/0/2
 description "Trunk BSW1 to BSW2"
 switchport mode trunk
 switchport trunk native vlan none
 no macro auto smartport
!
exit
macro auto enabled
macro auto processing type ip_phone disabled
ip default-gateway 192.168.10.3

3 Replies

Dennis Mink
VIP Alumni

Apply an ACL to the SVI of the VLAN you want to isolate, put your deny statements at the top (so deny traffic to the other VLANs/subnets) and finish with a permit ip any any to allow all other traffic.

Please remember to rate useful posts, by clicking on the stars below.

Deepak Kumar
VIP Alumni

Hi,

A VACL will also resolve your issue. You only need to handle it carefully if you are not an expert in ACLs.

Regards,

Deepak Kumar
Don't forget to vote and accept the solution if this comment will help you!
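The ACL-on-the-SVI approach Dennis describes (the same thing Deepak calls a VACL, an ACL bound to the VLAN interface) written out for this switch, as an added example and not configuration taken from the thread. It uses Cisco Small Business (SG/SF series) CLI syntax to match the posted config header; the VLAN 9 subnet (192.168.9.0/24) and VLAN 10 subnet (192.168.10.0/24) come from the posted DHCP pools and SVI, while 192.168.1.0/24 for VLAN 1 is an assumption (VLAN 1 has no address in the posted config) and the ACL name is illustrative.

```cisco
! Added example (not from the thread): VLAN 9 "Testing" may reach only the internet.
! ACEs are matched top-down, first match wins, so order matters.
ip access-list extended VLAN9-INTERNET-ONLY
 ! Keep VLAN 9 hosts talking to each other and to the switch's own DHCP
 ! service on their subnet (DHCP renewals are unicast to the server).
 permit ip 192.168.9.0 0.0.0.255 192.168.9.0 0.0.0.255
 ! Deny statements first: the other VLANs' subnets.
 deny ip 192.168.9.0 0.0.0.255 192.168.10.0 0.0.0.255
 ! ASSUMPTION: VLAN 1 "Internal" uses 192.168.1.0/24 (not in the posted config).
 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
 ! Catch-all for the remaining RFC 1918 space so a subnet added later is
 ! not reachable by default. ASSUMPTION: VLAN 9 needs no service in these ranges.
 deny ip 192.168.9.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 192.168.9.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255
 ! Everything else: DHCP discover/offer broadcasts (0.0.0.0 -> 255.255.255.255
 ! match nothing above), DNS to 208.67.222.222, and public internet.
 permit ip any any
exit
!
! Bind it inbound on the VLAN 9 SVI, so it applies to traffic entering from VLAN 9.
interface vlan 9
 service-acl input VLAN9-INTERNET-ONLY
exit
```

Check the result with `show access-lists` and by pinging a VLAN 10 host from a VLAN 9 device (should fail) and an internet address (should succeed); the ACL only filters what enters from VLAN 9, so the return direction is covered by the denies on the other VLANs' sources being unreachable, not by a second ACL.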

Thanks for the assistance. I am by no means an expert on ACLs, so I went into the switch GUI and created a basic ACL so that VLAN 1 and 10 can't ping VLAN 9. It seems to be working so far, and now I am working on filtering VLAN 9 with our ASA.
