3

How can I set up a switch so that devices on one switch port are isolated from devices on other switch ports? I'm guessing this should be done with VLANs, but I'm open to other options as well.

Example Switch:

  • Port 1: Connection to Router
  • Port 2: Device that should be isolated.
  • Ports 3-8: Regular devices (should communicate).

All devices (including the isolated one) should be able to access the Internet through the router.

No inter-VLAN communication is required at all. The VLANs should be completely blocked from communication with each other.

1 Answer

3

You can configure two VLANs, and place an ACL on the router to prevent traffic between the separate VLANs.

You didn't give us the switch and router models, so we can't give you specifics, but you will need to configure the link between the switch and router as a trunk, and you will need to create virtual/subinterfaces for each VLAN. Each VLAN will have a different network, so you will need to configure NAT for each network to the Internet. You will also create an ACL for each VLAN that denies traffic to the other network.

6
  • Thanks for the answer! Just wondering, since I'm new to VLANs, why the communication has to go all the way up to the router. Since VLANs can't communicate by default, is this just to allow the router to tag the packets on the way back down from the WAN?
    – tech4him
    Commented Jan 18, 2018 at 23:23
  • 1
    A VLAN is simply a virtual way to add a switch. In essence, you are making your switch look like two separate, unconnected switches. Traffic on the switch cannot jump from one VLAN to another. A router is required to send traffic between VLANs. The router will do that by default, but you can place ACLs to block that.
    – Ron Maupin
    Commented Jan 18, 2018 at 23:28
  • So, in other words, the router has to understand that it has two "virtual switches" on the one port. If it did not know this, it would send any packets to the switch untagged, and the switch would send them to both VLANs? Is that correct, or am I wildly off here :)?
    – tech4him
    Commented Jan 18, 2018 at 23:31
  • No. The router would send traffic untagged, and the switch would place it on the native (untagged) VLAN, not both VLANs.
    – Ron Maupin
    Commented Jan 18, 2018 at 23:35
  • 1
    Normally, one of the VLANs will be a native VLAN, unless you do not do that. The default VLAN is VLAN 1, and it is normally untagged. It can be a security weakness to use VLAN 1, and a native VLAN can be a security weakness, too. Some switches do not allow you to change this, but some, e.g. Cisco, allow you to set what VLANs are allowed on a trunk, so you can disallow VLAN 1 or a native VLAN.
    – Ron Maupin
    Commented Jan 18, 2018 at 23:38
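To make the steps in the answer concrete (two VLANs, a trunk to the router, a subinterface per VLAN, NAT per network, and an inbound ACL per VLAN that denies traffic to the other network), here is an added example configuration. It is not from the asker or the answerer, and it assumes Cisco IOS syntax only because the question did not name the switch or router models; the VLAN IDs (10, 20, 999), the 192.168.10.0/24 and 192.168.20.0/24 networks, and the GigabitEthernet interface names are made up for the example. It also applies the caveat from the last comment: the trunk carries only the two VLANs in use, and the native VLAN is moved to an otherwise unused ID so no port traffic rides the trunk untagged.

```cisco
! ===== Switch (ports numbered as in the question; interface names assumed) =====
vlan 10
 name regular-devices
vlan 20
 name isolated-device
vlan 999
 name unused-native
!
! Port 1: trunk to the router. Only VLANs 10 and 20 may cross it; VLAN 1 is not
! allowed, and the native (untagged) VLAN is an empty placeholder VLAN.
interface GigabitEthernet0/1
 description trunk to router
 switchport trunk encapsulation dot1q   ! omit on switches that only support 802.1Q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
!
! Port 2: the isolated device.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
!
! Ports 3-8: regular devices that may talk to each other.
interface range GigabitEthernet0/3 - 8
 switchport mode access
 switchport access vlan 10

! ===== Router ("router on a stick"; interface names and addresses assumed) =====
! Physical trunk interface carries no IP address of its own.
interface GigabitEthernet0/0
 description trunk to switch
 no ip address
!
! One subinterface per VLAN. Each is a separate network, is marked as NAT inside,
! and has an inbound ACL that drops traffic aimed at the other VLAN's network.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group VLAN20_IN in
 ip nat inside
!
! WAN side (address assignment not shown; assumed DHCP or static from the ISP).
interface GigabitEthernet0/1
 description to Internet
 ip nat outside
!
! Deny VLAN 10 -> VLAN 20, allow everything else (i.e. the Internet).
ip access-list extended VLAN10_IN
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip any any
!
! Deny VLAN 20 -> VLAN 10, allow everything else.
ip access-list extended VLAN20_IN
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
! Both inside networks are translated to the WAN interface address.
ip access-list standard NAT_INSIDE
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/1 overload
```

Because the deny entries sit on the inbound direction of each subinterface, a packet from the isolated device toward 192.168.10.0/24 is dropped before the router ever routes it, while its Internet-bound traffic matches `permit ip any any` and is translated like everything else. `show access-lists` on the router shows hit counters on the deny lines, which is a quick way to confirm the isolation is actually being enforced rather than assumed.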
