Solved

Cisco VLAN isolation

Posted on 2015-02-23
Last Modified: 2015-11-10
I need to create an ACL that will apply to my guest VLAN that is already set up for Wi-Fi; I use Aerohive. What I need is to apply a VLAN to a switch port so I can plug a computer in and isolate that computer from the whole network except DHCP requests from an internal server. Outbound and inbound I do not need port restrictions from the internet.

So my VLAN in question is VLAN 23; the IP range it uses is 172.16.0.0.

How do I do it...

Thanks

I have seen lots of articles on this but not the definitive answer and commands to enter.
Question by:ckness
5 Comments
 
LVL 6

Accepted Solution

by:
rgorman earned 668 total points
ID: 40627036
Just so I am clear on what you want to do...

Your guest VLAN 23 is configured to use subnet 172.16.0.0, so I am assuming the gateway for the hosts on that network would be something like 172.16.0.1? Also, what mask are you using? I am also assuming you have 172.16.0.1 as the IP address for the VLAN interface on that switch and it is configured to allow routing. What is the switch's default route currently? I would assume it would be another VLAN that the Internet router is connected to and the LAN IP of that router. I would also assume you have the routing working so your regular LAN traffic routes through a VLAN interface on the same switch before routing to the VLAN where the Internet router is. If it is set up that way (3 VLANs) then it should be fairly easy to add an ingress access list to the VLAN 23 interface that denies traffic from source 172.16.0.0 to your LAN subnet but add exceptions for DHCP/BOOTP. You may also want to block LAN to 172.16.0.0 through an ingress access list on the LAN VLAN interface.
 
LVL 31

Assisted Solution

by:Predrag
Predrag earned 668 total points
ID: 40627464
To block all access from VLAN 23 to any of your networks you can use this ACL. But in this case other members of VLAN 23 can access each VLAN 23 host. No need for more configuration; DHCP works. Basically you deny access to any private address space from that VLAN.

access-list 100 deny ip 172.16.0.0  0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 172.16.0.0  0.0.0.255 172.16.0.0 0.15.255.255
access-list 100 deny ip 172.16.0.0  0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any

int vlan 23
ip access-group 100 in

Is that all you need or you want to isolate that host from other hosts on VLAN 23 too?
 
LVL 6

Assisted Solution

by:Matt
Matt earned 664 total points
ID: 40627565
This is an example from one of my clients - Guest with limitations.

LAN 172.16.23.0, mask 255.255.255.0, gateway 172.16.23.1

interface Vlan23
 description Guest LAN
 ip address 172.16.23.1 255.255.255.0
 ip access-group GUEST_access_in in

 
ip access-list extended GUEST_access_in
 remark ACL for VLAN GUEST
 remark Block traffic to private networks
 deny   ip 172.16.23.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 172.16.23.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.23.0 0.0.0.255 224.0.0.0 15.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 240.0.0.0 15.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 0.0.0.0 0.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 169.254.0.0 0.0.255.255
 deny   ip 172.16.23.0 0.0.0.255 192.0.2.0 0.0.0.255
 deny   ip 172.16.23.0 0.0.0.255 127.0.0.0 0.255.255.255
 remark Allowed DHCP
 permit udp any any eq bootps
 remark Allowed traffic
 permit tcp 172.16.23.0 0.0.0.255 any eq www
 permit tcp 172.16.23.0 0.0.0.255 any eq 443
 permit tcp 172.16.23.0 0.0.0.255 any eq ftp-data
 permit tcp 172.16.23.0 0.0.0.255 any eq ftp
 permit tcp 172.16.23.0 0.0.0.255 any eq 22
 permit tcp 172.16.23.0 0.0.0.255 any eq 465
 permit tcp 172.16.23.0 0.0.0.255 any eq 587
 permit tcp 172.16.23.0 0.0.0.255 any eq 993
 permit tcp 172.16.23.0 0.0.0.255 any eq 995
 permit udp 172.16.23.0 0.0.0.255 any eq domain
 permit udp 172.16.23.0 0.0.0.255 any eq ntp
 remark Allowed outside VPN
 remark VPN-> PPTP
 permit tcp 172.16.23.0 0.0.0.255 any eq 1723
 permit gre 172.16.23.0 0.0.0.255 any
 remark VPN-> L2TP - IPSec
 permit udp 172.16.23.0 0.0.0.255 any eq isakmp
 permit udp 172.16.23.0 0.0.0.255 any eq non500-isakmp
 remark VNC
 permit tcp 172.16.23.0 0.0.0.255 any eq 5900
 remark Apple
 permit tcp 172.16.23.0 0.0.0.255 17.0.0.0 0.255.255.255 eq 5223
 permit udp 172.16.23.0 0.0.0.255 17.0.0.0 0.255.255.255 range 16384 16403
 remark Amazon
 permit tcp 172.16.23.0 0.0.0.255 54.240.0.0 0.15.255.255 eq 5223
 permit tcp 172.16.23.0 0.0.0.255 46.51.128.0 0.0.63.255 eq 5223
 permit tcp 172.16.23.0 0.0.0.255 46.137.0.0 0.0.255.255 eq 5223
 permit tcp 172.16.23.0 0.0.0.255 23.20.0.0 0.3.255.255 eq 4244
 permit tcp 172.16.23.0 0.0.0.255 23.20.0.0 0.3.255.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 50.16.0.0 0.3.255.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 75.101.128.0 0.0.127.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 107.20.0.0 0.3.255.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 174.129.0.0 0.0.255.255 eq 5242
 permit tcp 172.16.23.0 0.0.0.255 176.34.0.0 0.0.255.255 eq 5223
 permit tcp 172.16.23.0 0.0.0.255 184.72.0.0 0.1.255.255 eq 4244
 remark Facebook
 permit tcp 172.16.23.0 0.0.0.255 object-group FACEBOOK gt 1024 log
 remark Android Market
 permit tcp 172.16.23.0 0.0.0.255 any eq 5228
 permit udp 172.16.23.0 0.0.0.255 any eq 5228
 remark XMPP
 permit tcp 172.16.23.0 0.0.0.255 any eq 5222
 remark Allowed traffic for Web Services Dynamic Discovery
 permit udp 172.16.23.0 0.0.0.255 host 239.255.255.250 eq 3702
 remark UPnP
 permit udp 172.16.23.0 0.0.0.255 host 239.255.255.250 eq 1900
 remark Viber
 permit tcp 172.16.23.0 0.0.0.255 any eq 4244
 permit tcp 172.16.23.0 0.0.0.255 any eq 5242
 permit udp 172.16.23.0 0.0.0.255 any eq 5243
 permit udp 172.16.23.0 0.0.0.255 any eq 7985
 remark ICMP traffic
 permit icmp 172.16.23.0 0.0.0.255 any echo
 permit icmp 172.16.23.0 0.0.0.255 any echo-reply
 remark Blocked traffic
 deny   ip any any log
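An added check, not part of any answer in this thread: a small first-match evaluator for Cisco wildcard-mask ACLs, so the rule order in the two answers above can be verified offline before it goes on the SVI. It embeds ACL 100 from Predrag's answer and a cut-down copy of Matt's GUEST_access_in; the client and server addresses in the test flows are constructed. It models only traffic that reaches the VLAN 23 interface (routed traffic), not frames switched between two hosts inside VLAN 23.

```python
import ipaddress
# Port keywords used in the ACLs on this page, mapped to numbers.
PORT_NAMES = {"bootps": 67, "www": 80, "domain": 53, "ntp": 123, "ftp": 21, "ftp-data": 20}
def _wild_match(addr, base, wild):
    # Cisco wildcard: a 1 bit means "don't care", so compare only the bits that are 0 in it.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)
def _addr(t, i):
    # One address spec at t[i]: 'any', 'host X', or 'X WILDCARD'. Returns (base, wildcard, next).
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2
def parse_acl(text):
    # Accepts numbered ('access-list 100 ...') and named ACE lines; remarks are skipped.
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        if t[0] == "access-list":
            t = t[2:]
        src, swild, i = _addr(t, 2)
        dst, dwild, i = _addr(t, i)
        port = None                      # destination port only; a trailing 'log' is ignored
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append((t[0], t[1], src, swild, dst, dwild, port))
    return rules
def evaluate(rules, proto, src, dst, dport=None):
    # First matching ACE wins; IOS appends an implicit 'deny ip any any'.
    for action, rproto, rsrc, rswild, rdst, rdwild, rport in rules:
        if rproto in ("ip", proto) and _wild_match(src, rsrc, rswild) \
                and _wild_match(dst, rdst, rdwild) and rport in (None, dport):
            return action
    return "deny"
# ACL text copied from the two answers above (Matt's named ACL cut down to its key lines).
ACL_100 = """access-list 100 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 100 deny ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any"""
GUEST_ACCESS_IN = """ deny   ip 172.16.23.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.23.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit udp any any eq bootps
 permit tcp 172.16.23.0 0.0.0.255 any eq 443
 deny   ip any any log"""
```

Running the constructed flows shows that the broadcast DHCP DISCOVER from 0.0.0.0 is permitted by both lists, while a unicast DHCP renewal from a leased guest address to a server inside 10.0.0.0/8 or 172.16.0.0/12 hits the deny lines first, so such clients only re-lease when they fall back to broadcast at rebinding.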
 
LVL 7

Expert Comment

by:Daniel Sheppard
ID: 40628931
I am confused as to what you are attempting to accomplish here: you mention an ACL, and in the same sentence you mention you need to apply a VLAN to a specific port.

In isolating a specific port from the rest of a layer 2 network, it really isn't possible to do it (unless you block it with a layer 2 ACL and filter by MAC addresses, but then you can't achieve the second requirement of allowing DHCP).

You can filter at the router; however, anything connected to the same network segment (subnet) can still access that computer unless you are using Cisco's Private VLAN functionality.

If you are blocking at the router, the above configurations will work. If you need more fine-grained control, I would recommend moving to a separate VLAN for your device.
 

Author Comment

by:ckness
ID: 41221966
I've requested that this question be deleted for the following reason:

old
