L2 network Isolation Based on VLAN Technology

VLANTechnology divides networks into virtual LAN, which is also used to isolate network broadcast. However, the PC in the same VLAN is still in a broadcast domain, that is, communication between PCs in the same VLAN is unrestricted. In this case, you can use the MAC address-Based Access Control List to perform Layer 2 filtering on each port. The command is as follows ):

Create access list 1100 in global mode:

 
 

  
  
access-list 1100  permit  [Sourcemac]  [Sourcemac-wildcard bits] [Destinationmac]  [Dourcemac-wildcard bits]  
  
  
 
  
  
access-list 1100  deny    [Sourcemac]  [Sourcemac-wildcard bits] [Destinationmac]  [Dourcemac-wildcard bits] 
 
 

Apply access list 1100 to the specified interface in global mode:

 
 

  
  
access-group   mac-acl  1100  in interface [interface name]  
  
  
 
  
  
access-group   mac-acl  1100  in interface [interface name] 
 
 

We can enable the above access list on all interfaces of the vswitch to implement precise MAC-based filtering. However, this method requires you to find the MAC address of each connected PC and enter it in the access list, which is cumbersome. At the same time, there is another drawback: When the PC changes the MAC address, you need to change the access list rules. Otherwise, the rules will not work properly. In addition, in some cases, communication between PCs is not allowed, but all PCs are allowed to communicate with a server or gateway. The topology shows:

The above functions can be implemented using MAC address-based access control, but the operations are cumbersome. In this case, we can use a private VLAN to implement the above functions:

1. Place the switch interfaces connecting servers and routers in VLAN 10, and set VLAN 10 as the main VLAN:

 
 

  
  
switch(Config)#vlan 10  
  
  
 
  
  
switch(Config-Vlan10)#private-vlan primary 
 
 

2. Place the interface of the PC in VLAN 20 and set it as an isolated VLAN:

 
 

  
  
switch(Config)#vlan 20  
  
  
 
  
  
switch(Config-Vlan20)#private-vlan  isolated 
 
 

3. Isolate VLAN 20 in the active VLAN 10 so that interfaces in VLAN 10 can communicate with interfaces in VLAN 20:

 
 

  
  
switch(Config-Vlan10)#private-vlan association 20 
 
 

4. After you install an IP address configuration, the PC cannot communicate with each other, and the gateway and server can communicate with each other.

The L2 network isolation in VLAN technology has been introduced to you. I hope you will have a deep understanding of it.