
Isolating Users in the Same VLAN and Enabling Partial VLAN Connectivity

This guide walks through three practical scenarios for VLAN isolation: using port isolation to separate users within the same VLAN, employing MUX VLAN to achieve selective inter‑VLAN communication and isolation, and applying ACL‑based flow policies to block specific VLANs or individual users while preserving overall connectivity.

Open Source Linux

Scenario 1: Isolating Users Within the Same VLAN

If you do not want certain users in the same VLAN to communicate with each other, you can achieve this by configuring port isolation.

The following experiment demonstrates how to implement port isolation: three PCs belong to the same VLAN and the same subnet. Initially all three PCs can communicate with each other; the requirement is that PC1 and PC2 cannot communicate with each other, while PC1 and PC3, and PC2 and PC3, can.

Configuration steps are shown below:
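As an added example (not the page's own configuration steps), the following shows how the requirement can be met with port isolation. The page uses Huawei terminology (VLANIF, MUX VLAN), so Huawei VRP syntax is assumed; the switch name SwitchA, VLAN 10, and the interface numbers (PC1 on GigabitEthernet0/0/1, PC2 on 0/0/2, PC3 on 0/0/3) are assumptions for illustration.

```text
# Added example, not from the original page. Assumed: Huawei VRP syntax,
# switch name SwitchA, PC1/PC2/PC3 on GE0/0/1, GE0/0/2, GE0/0/3, all in VLAN 10.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] quit

# Only the ports facing PC1 and PC2 join isolation group 1. Ports in the same
# group cannot exchange Layer-2 frames with each other, but still reach every
# port outside the group.
[SwitchA] interface GigabitEthernet0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable group 1
[SwitchA-GigabitEthernet0/0/1] quit

[SwitchA] interface GigabitEthernet0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 10
[SwitchA-GigabitEthernet0/0/2] port-isolate enable group 1
[SwitchA-GigabitEthernet0/0/2] quit

# PC3's port is in VLAN 10 but in no isolation group, so both PC1 and PC2
# can still reach PC3.
[SwitchA] interface GigabitEthernet0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type access
[SwitchA-GigabitEthernet0/0/3] port default vlan 10
[SwitchA-GigabitEthernet0/0/3] quit

# Confirm group membership before running the ping tests.
[SwitchA] display port-isolate group 1
```

Two points worth checking when you verify: first, only the ports that must not talk to each other belong to the group, so adding PC3's port to group 1 by mistake would also cut PC3 off from PC1 and PC2. Second, the default isolation mode (port-isolate mode l2) isolates Layer-2 forwarding only; if a VLANIF gateway exists for the VLAN and proxy ARP is enabled on it, the isolated hosts can still reach each other at Layer 3. The global setting port-isolate mode all isolates both layers.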

Verification results:

PC1 ping PC2 – unreachable.

PC1 ping PC3 – reachable.

Configuration succeeded.

Scenario 2: Partial VLAN Inter‑communication and Isolation Using MUX VLAN

MUX VLAN applies only to Layer-2 networks: it controls communication and isolation among users that are in the same subnet.

A MUX VLAN consists of a Principal VLAN and Subordinate VLANs; a Subordinate VLAN is either a Separate VLAN or a Group VLAN.

The Principal VLAN can communicate with all VLANs in the MUX VLAN.

A Group VLAN can communicate with the Principal VLAN and with devices within the same Group VLAN.

A Separate VLAN can communicate only with the Principal VLAN; devices within a Separate VLAN cannot communicate with each other.

The example below shows how to use MUX VLAN to meet the following requirements: all PCs can access the server (VLAN20 and VLAN30 can access VLAN10); PC1 and PC2 can communicate, but not with PC3/PC4; PC3 and PC4 cannot communicate with each other.

Detailed configuration steps:
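As an added example (not the page's own configuration steps), the following MUX VLAN configuration meets the requirements above in Huawei VRP syntax: VLAN10 (the server) is the Principal VLAN, VLAN20 (PC1, PC2) is a Group VLAN and VLAN30 (PC3, PC4) is a Separate VLAN. The switch name SwitchA and the interface assignments (server on GigabitEthernet0/0/1, PC1/PC2 on 0/0/2 and 0/0/3, PC3/PC4 on 0/0/4 and 0/0/5) are assumptions.

```text
# Added example, not from the original page. Assumed: Huawei VRP syntax,
# switch name SwitchA, server on GE0/0/1, PC1/PC2 on GE0/0/2-3, PC3/PC4 on
# GE0/0/4-5. All hosts share one subnet, as MUX VLAN requires.
<SwitchA> system-view
[SwitchA] vlan batch 10 20 30

# VLAN 10 becomes the Principal VLAN; VLAN 20 is attached as a Group VLAN
# (members talk to the principal and to each other) and VLAN 30 as a
# Separate VLAN (members talk to the principal only).
[SwitchA] vlan 10
[SwitchA-vlan10] mux-vlan
[SwitchA-vlan10] subordinate group 20
[SwitchA-vlan10] subordinate separate 30
[SwitchA-vlan10] quit

# Server port in the Principal VLAN.
[SwitchA] interface GigabitEthernet0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 10
[SwitchA-GigabitEthernet0/0/1] port mux-vlan enable
[SwitchA-GigabitEthernet0/0/1] quit

# PC1 and PC2 in Group VLAN 20.
[SwitchA] interface GigabitEthernet0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 20
[SwitchA-GigabitEthernet0/0/2] port mux-vlan enable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface GigabitEthernet0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type access
[SwitchA-GigabitEthernet0/0/3] port default vlan 20
[SwitchA-GigabitEthernet0/0/3] port mux-vlan enable
[SwitchA-GigabitEthernet0/0/3] quit

# PC3 and PC4 in Separate VLAN 30.
[SwitchA] interface GigabitEthernet0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type access
[SwitchA-GigabitEthernet0/0/4] port default vlan 30
[SwitchA-GigabitEthernet0/0/4] port mux-vlan enable
[SwitchA-GigabitEthernet0/0/4] quit
[SwitchA] interface GigabitEthernet0/0/5
[SwitchA-GigabitEthernet0/0/5] port link-type access
[SwitchA-GigabitEthernet0/0/5] port default vlan 30
[SwitchA-GigabitEthernet0/0/5] port mux-vlan enable
[SwitchA-GigabitEthernet0/0/5] quit

# Show the principal/subordinate relationships before testing with ping.
[SwitchA] display mux-vlan
```

The MUX VLAN rules take effect only on ports where port mux-vlan enable is configured; a port left without it behaves as an ordinary access port of its VLAN, so a missing line on one port silently breaks the isolation for that host. Run the page's three ping checks (PC to server, Group VLAN to Group VLAN, Separate VLAN to Separate VLAN) after the display output matches the intended layout.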

Verification:

All PCs can reach the server in the Principal VLAN.

PC1 ping Server – successful.

PC3 ping Server – successful.

Group VLAN PCs can communicate with each other but not with Separate VLAN PCs.

PC1 ping PC2 – successful.

PC1 ping PC3 – unsuccessful.

Separate VLAN PCs are isolated:

PC3 ping PC4 – unsuccessful.

Scenario 3: Isolating Specific VLANs or Users After Inter‑VLAN Connectivity Using Flow Policies

The flow‑policy technology is not described in detail here; refer to the QoS manual for more information. The example below shows how to isolate traffic using ACLs and flow policies.

Topology: FTP Server is in 192.168.1.0/24, PC1/PC2 in 192.168.10.0/24, PC3/PC4 in 192.168.20.0/24. All VLANs are already interconnected via VLANIF interfaces.

Gateways are set accordingly. All devices can ping each other, e.g., PC1 can ping the FTP Server.

Requirement: PCs in VLAN20 (PC3, PC4) may access the FTP Server, while PCs in VLAN10 (PC1, PC2) must be blocked.

Configure ACL and flow policy on SwitchA to deny traffic from 192.168.10.0/24 to the FTP Server. Configuration steps:
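As an added example (not the page's own configuration steps), the following ACL and flow-policy configuration on SwitchA blocks 192.168.10.0/24 from reaching the FTP Server's subnet while leaving VLAN20 unaffected. Huawei VRP syntax is assumed; the FTP Server's host address is not given on the page, so the rule matches the 192.168.1.0/24 subnet, and the classifier, behavior and policy names are arbitrary. It also carries the page's closing remark one step further by showing, as a commented-out rule, how a single user is matched by host address (the address used there is a constructed placeholder).

```text
# Added example, not from the original page. Assumed: Huawei VRP syntax,
# SwitchA is the switch holding the VLANIF gateways, VLAN10 = 192.168.10.0/24.
<SwitchA> system-view

# Advanced ACL (3000-3999). Huawei ACLs use wildcard masks: 0.0.0.255 is a /24
# and 0 matches one host. The ACL only *selects* traffic here (permit = match);
# the drop decision is made by the traffic behavior below.
[SwitchA] acl number 3000
[SwitchA-acl-adv-3000] rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
# To isolate a single user instead of the whole subnet, match its host address
# (192.168.10.55 is a constructed placeholder, not from the page):
# [SwitchA-acl-adv-3000] rule 10 permit ip source 192.168.10.55 0 destination 192.168.1.0 0.0.0.255
[SwitchA-acl-adv-3000] quit

# Classifier: traffic that matches ACL 3000.
[SwitchA] traffic classifier c1
[SwitchA-classifier-c1] if-match acl 3000
[SwitchA-classifier-c1] quit

# Behavior: drop, and count hits so the block can be verified from the switch.
[SwitchA] traffic behavior b1
[SwitchA-behavior-b1] deny
[SwitchA-behavior-b1] statistic enable
[SwitchA-behavior-b1] quit

# Policy binds classifier to behavior.
[SwitchA] traffic policy p1
[SwitchA-trafficpolicy-p1] classifier c1 behavior b1
[SwitchA-trafficpolicy-p1] quit

# Apply inbound on VLAN 10, i.e. where the blocked traffic enters the switch,
# before it is routed toward the server's VLAN.
[SwitchA] vlan 10
[SwitchA-vlan10] traffic-policy p1 inbound
[SwitchA-vlan10] quit

# Verification beyond ping: the deny counter should rise while PC1 pings the
# server and stay flat while PC3 does.
[SwitchA] display traffic policy statistics vlan 10 inbound
```

Traffic that matches no rule in ACL 3000 is not classified at all and is forwarded normally, which is why PC3 and PC4 in VLAN20 keep their access. The policy is stateless and one-directional: it drops packets from VLAN10 toward the server's subnet, which is enough to break the session, but any other VLAN that must be blocked needs its own rule. The exact form of the statistics display command varies between software versions, so treat that line as an assumption to check against your platform's documentation.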

Verification shows PC1 cannot ping the FTP Server, while PC3 can.

PC3 ping FTP Server – successful.

Configuration succeeded.

PS: Using ACLs and flow policies to isolate VLANs is very flexible and can also isolate a single user by matching its IP address.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: ACL, Network Configuration, switch, VLAN, Flow Policy, MUX VLAN, Port Isolation

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
