Isolating subnet

I have a stacked Cisco 3750X as our main layer 3 distribution switch.
It has about a dozen VLANs defined. We'd like to isolate one subnet for use in our public conference rooms & common areas. This VLAN will be trunked to multiple access layer switches.

The isolated subnet will be 10.32.41.0/24. This subnet should be able to get out to the internet but not be able to hit anything on the internal network except for DHCP & DNS - 10.32.0.13 & 10.32.0.10 (ideally).

What's the best way to implement this?
I'm concerned that if we do private VLANs I may need to reconfigure all the other VLANs to be promiscuous. I still want all VLANs to be able to communicate with each other except the 41.
Rally_IT asked:
Matt commented:
You should create inbound and outbound access lists and attach them to this VLAN for subnet 10.32.41.0/24.

Inbound should permit only DHCP traffic; outbound, the DHCP request (any to the DHCP server: you can't pin this to an IP address, because the client will not get an address until contact with the DHCP server is established), then a deny for all private networks, and at the end of the outbound list "permit ip 10.32.41.0/24 any".

You create the ACL on the L3 switch, in your case the 3750. For the access switches on L2 you don't need to do anything.
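What the ACL approach above looks like as actual 3750 configuration, written as an added example for this thread (it is not Matt's or Rally_IT's config). It assumes the guest VLAN is VLAN 41 with a gateway SVI of 10.32.41.1, that 10.32.0.13 is the DHCP server and that either server may answer DNS; the question does not say which address is which, so adjust the helper-address and the DNS lines to match. Note that IOS names the directions from the switch's point of view: `in` on the SVI is traffic arriving from the guest hosts, `out` is traffic the switch sends toward them.

```cisco
! --- Example only: guest VLAN 41 isolation on a Catalyst 3750X (assumed VLAN id / SVI address)
ip access-list extended GUEST-VLAN41-IN
 remark Traffic FROM guest hosts. Order matters: first match wins.
 ! DHCP: the client has no address yet, so match on the bootp ports, not on a source IP
 permit udp any eq bootpc any eq bootps
 ! DNS to the two internal resolvers only (UDP and TCP, TCP is used for large answers)
 permit udp 10.32.41.0 0.0.0.255 host 10.32.0.10 eq domain
 permit tcp 10.32.41.0 0.0.0.255 host 10.32.0.10 eq domain
 permit udp 10.32.41.0 0.0.0.255 host 10.32.0.13 eq domain
 permit tcp 10.32.41.0 0.0.0.255 host 10.32.0.13 eq domain
 ! Everything else toward RFC 1918 space is dropped; this also covers the SVI
 ! addresses of the other VLANs, which live in 10.32.0.0/16 here
 deny   ip 10.32.41.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.32.41.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.32.41.0 0.0.0.255 192.168.0.0 0.0.255.255
 ! Internet: only packets sourced from the guest subnet itself (anti-spoofing)
 permit ip 10.32.41.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended GUEST-VLAN41-OUT
 remark Traffic TOWARD guest hosts. Relayed DHCP replies are generated by the switch
 remark itself and an outbound router ACL does not filter switch-originated packets.
 ! DNS answers from the two resolvers
 permit udp host 10.32.0.10 eq domain 10.32.41.0 0.0.0.255
 permit tcp host 10.32.0.10 eq domain 10.32.41.0 0.0.0.255
 permit udp host 10.32.0.13 eq domain 10.32.41.0 0.0.0.255
 permit tcp host 10.32.0.13 eq domain 10.32.41.0 0.0.0.255
 ! Nothing else from internal space may reach the guests
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 ! Return traffic from the internet
 permit ip any 10.32.41.0 0.0.0.255
 deny   ip any any
!
interface Vlan41
 description Guest / conference-room subnet (isolated)
 ip address 10.32.41.1 255.255.255.0
 ip helper-address 10.32.0.13
 ip access-group GUEST-VLAN41-IN in
 ip access-group GUEST-VLAN41-OUT out
!
! Verification
show ip interface vlan 41 | include access list
show ip access-lists GUEST-VLAN41-IN
```

Two practical checks: test from a guest client (ping an internal host, then the gateway of another VLAN, then `nslookup` against 10.32.0.10) rather than trusting the ACL counters, because on the 3750 hardware-switched packets do not increment the per-ACE match counters; and keep `log` off the ACEs, since logging forces those packets to the CPU on this platform. If the internal network ever grows beyond 10.32.0.0/16, the RFC 1918 denies already cover it.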
rauenpc commented:
Another way to handle it is to make the public VLAN a layer 2 only VLAN on the switches. Have that layer 2 VLAN dump into your firewall. From there, it is up to your firewall to provide DHCP/DNS or at least allow access to those resources. As long as the firewall is the only layer 3 network device on that VLAN, public users won't have a way to get at your internal network.
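The layer 2 only variant from the comment above, as an added example rather than rauenpc's own config. It assumes VLAN 41 for the guest subnet, that the firewall hangs off GigabitEthernet1/0/48 on the 3750X stack, and that VLAN 41 is the only VLAN carried to it; the firewall then holds 10.32.41.1 and the guest subnet's routing, DHCP and DNS policy, and the switch never has an address in it.

```cisco
! --- Example only: VLAN 41 as a pure layer 2 VLAN on the 3750X (assumed ids / ports)
vlan 41
 name GUEST-L2-ONLY
!
! Make sure the distribution switch has no SVI in this VLAN, so it cannot route
! between the guest subnet and the internal VLANs at all.
no interface Vlan41
!
! Uplink to the firewall: a trunk that carries only VLAN 41 (tagged), nothing else.
! Setting a non-existent native VLAN avoids leaking untagged frames to the firewall.
interface GigabitEthernet1/0/48
 description Trunk to firewall - guest VLAN only
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 41
 switchport mode trunk
 spanning-tree portfast trunk
!
! Existing trunks to the access-layer switches just need VLAN 41 added
! to whatever they already carry (example for one of them).
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan add 41
!
! Verification
show vlan id 41
show ip interface brief | include Vlan41
show interfaces GigabitEthernet1/0/48 trunk
```

The `show ip interface brief` line should return nothing for Vlan41; if it does, the switch is still a layer 3 hop into the guest subnet and the isolation depends on ACLs again. Also confirm that no other trunk carries VLAN 41 toward a router or another layer 3 switch, since the design only holds while the firewall is the sole gateway on that VLAN.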