Quote:
Originally Posted by masraum
VLANs only work if you can put an access-list on the VLANs or you can firewall the VLANs off from each other, otherwise all 3 VLANs will be able to talk to the devices on the other two VLANs.
|
This is true if you run tagged or trunk level VLANs, where each packed is tagged with the VLAN number and every device must be configured to work on the desired VLAN.
However, if you configure port (aka access port) level VLAN as I suggest above, then the router will only send the designated traffic for a given port's VLAN to that port, and it will not route that traffic to any other port. Per my example above, when configured for access port VLANs, port 1 will only see traffic to and from VLAN 1, port 2 will only see traffic to and from VLAN 2, etc. No firewalls or client configuration required.
A port level VLAN is probably the best and certainly the easiest way to conclusively achieve the goals of the OP.
Here is some documentation to back this up:
This page from Cisco Meraki explains in the Best Practices section that an untagged or "access" port accepts traffic for only a single VLAN. No VLAN tagging or firewall required:
https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Design_and_Configure/Configuration_Guides/Routing_and_Firewall/Fundamentals_of_802.1Q_VLAN_Tagging
This page from Ubiquity says that "Trunk ports allow traffic for multiple VLANs, while access ports handle traffic for a single VLAN, ensuring a robust and well-organized network."
https://help.ui.com/hc/en-us/articles/26136855808919-Switch-Port-VLAN-Assignment-Trunk-Access-Ports
This page on VLANs from Cisco says 'An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.'
https://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_1/Cisco_Nexus_5000_Series_Switch_CLI_Software_Config uration_Guide_chapter8.html