CamDash
Occasional Visitor

(HPE 1950 JG963A) Segregate a port so no domain access, only Internet?

We would like to separate one PC in our office from the rest of the network so that it has only Internet access.  We don't want it to be part of the domain and it can't have access to the server or other PCs on the network.

(This PC is in our conference room and is used by sales reps visiting our office.  They need Internet access, but we don't want that PC connected to the rest of our network.)

Right now there is only one VLAN on the switch for all ports.

Could we achieve this by setting up another VLAN on the switch and assigning that one port to it? 

Or is there another way? 

Thanks.

Ivan_B
HPE Pro

Re: Segregate a port so no domain access, only Internet? (HPE 1950 JG963A)

Hello!

Isolating the host in its own VLAN is a good solution, but it won't protect your main VLAN on its own. You will still need a packet filter applied to block inter-VLAN routing. Also, you will need to make configuration changes in your DHCP server (that PC should still be able to get an IP, Def GW and DNS after all), change NAT rules in your border router etc. etc.

Taking all that into account, why not just leave that host inside your main VLAN, but forbid it from accessing everything except local DHCP and the remote Internet? For this task, you can create an advanced ACL that will do the following (below is just an idea of the ACL rules, not exact commands, as this switch is Web-managed):

rule 0 permit udp destination: dhcp server, destination port: 67  (if needed, but if you use static IP and DNS settings on that server, skip this rule)
rule 10 deny ip destination: VLAN's subnet (for example if your subnet is 192.168.10.0/24, then ACL rule should use destination IP 192.168.10.0 and wildcard mask 0.0.0.255)
rule 20 permit ip any (permit all other traffic)

Then use Packet Filter feature and just apply this ACL in incoming direction to the port where your conference room PC is connected. 

That ACL will scan all incoming (from the PC's perspective it will be outgoing) traffic on that switch port and will allow only DHCP messages to the local DHCP server (rule 0) and connections outside your main VLAN (rule 20). Rule 10 will drop all the traffic to the local VLAN. However, be careful if the DNS server that PC uses is inside your main VLAN; if so, you will need an additional rule 5 (as it must be between rule 0 and rule 10) to allow UDP traffic to that server with destination UDP port 53.

I see that as the simplest solution.

I am an HPE employee


parnassus
Honored Contributor

Re: Segregate a port so no domain access, only Internet? (HPE 1950 JG963A)

Hi! Another possible approach would be falling back to a pure VLAN-tagged mode for any traffic that belongs to that particular host on that particular port of that particular VLAN. This approach has advantages and disadvantages:

Advantages:

  • No ACLs are required at the Layer 3 Switch level
  • No IP routing (from the host's perspective) is needed on the Layer 3 Switch to which the host could be (directly or indirectly) connected
  • The host's traffic will not participate in the routing performed by the Layer 3 Switch
  • The ACL and Routing should happen at your Internet Gateway (Router/Firewall)
  • On the switching infrastructure you just need to define and transport the dedicated VLAN where it is used (on the access port where the host is connected, possibly through intermediate switches as tagged, and between the Internet Gateway port facing your switching infrastructure and its proximity switch).

Disadvantages:

  • You need to transport (tagged) the dedicated VLAN used for that particular host to the Internet Gateway
  • The above means that you're transferring the duties of IP Routing and ACL for that VLAN to your Internet Gateway
  • Additionally - if no changes are admitted on the peer ports (Switch/Internet Gateway) - you can physically add another interconnection (cable) between your Internet Gateway and its peer switch (if ports are available on both the Switch and Internet Gateway sides) and use that connection to carry only the dedicated VLAN (in any case IP Routing and ACL are required for that VLAN on the Internet Gateway).

The host, isolated into its dedicated VLAN (defined both in the switch infrastructure, where it is needed, and on the Internet Gateway on a shared or dedicated LAN port), will logically see only the Internet Gateway as its default gateway...all the control happens at the Internet Gateway level for such a VLAN.


I'm not an HPE Employee
CamDash
Occasional Visitor

Re: Segregate a port so no domain access, only Internet? (HPE 1950 JG963A)

Thanks for the detailed response!  Forgive my ignorance, but we are a small shop so only one server (Windows 2016) which is our DC, DNS and DHCP.  (Default Gateway is the router.)  Are the DHCP and DNS functions separate from the other server functions so that allowing DHCP and DNS access in rules 0 & 5 would not allow any sneaky access to the rest of the server?

Ivan_B
HPE Pro
Solution

Re: Segregate a port so no domain access, only Internet? (HPE 1950 JG963A)

Hello!

Rule 0 will allow the conference room PC to access the server only using UDP protocol with destination port 67 and nothing more. It is the port on which DHCP service of the Windows server is listening.
Rule 5 will allow that PC to send DNS requests on UDP port 53.

These are the only ports and respectively services which that PC can access. Login to the domain (Kerberos on port TCP:88) and SMB shares (TCP and UDP ports 137, 138, 139, 445) will be blocked. Everything will be blocked, even pings.

BTW, since that PC should be really isolated, I see no reason to use your Windows domain controller as DNS or even as DHCP. You can simplify the setup and use a static IP on it with public DNS, like 1.1.1.1 or 8.8.8.8. Then the ACL can be simplified:

rule 10 deny ip destination: VLAN's subnet (for example if your subnet is 192.168.10.0/24, then ACL rule should use destination IP 192.168.10.0 and wildcard mask 0.0.0.255)
rule 20 permit ip any (permit all other traffic)

That will drop ALL traffic to the local subnet with no exceptions and allow everything else, e.g. Internet access.

BTW, in order to test your setup, after configuring that ACL, try to run a port scan from that PC against your Windows server in order to confirm everything is really blocked. I personally prefer nmap for such tasks, but you can use any similar tool for the confirmation.


I am an HPE employee

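The ACL logic from Ivan_B's two replies above, as an added example that is not part of the original thread: a small Python model of first-match rule evaluation with wildcard masks, covering both the full ACL (rules 0, 5, 10, 20) and the simplified one (rules 10, 20), plus a sweep function that mirrors the "port scan the server from that PC" check. The server address 192.168.10.5, the subnet 192.168.10.0/24, the Internet host 203.0.113.10 and the sample packets are all constructed assumptions; the HPE 1950 is web-managed, so this is a planning and verification aid, not switch configuration.

```python
"""Model of the two port ACLs discussed in the thread (added example).

Assumptions (not from the thread): the Windows server (DC/DNS/DHCP) is
192.168.10.5, the office subnet is 192.168.10.0/24, and 203.0.113.10
stands in for an Internet host. Rules are evaluated first-match in
ascending rule-number order, the way a Comware-family switch applies
an ACL through its packet filter.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

SERVER = "192.168.10.5"          # assumed DC / DNS / DHCP address
LAN_SUBNET = "192.168.10.0"      # assumed office subnet ...
LAN_WILDCARD = "0.0.0.255"       # ... written as a wildcard mask (/24)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: 0 bits must be equal, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                             # "permit" or "deny"
    proto: str                              # "ip" matches any protocol
    dst: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"   # any destination
    dst_port: Optional[int] = None          # None = any port


@dataclass(frozen=True)
class Packet:
    proto: str                              # "tcp", "udp", "icmp"
    dst: str
    dst_port: Optional[int] = None


# Ivan_B's first proposal: DHCP and DNS to the server, nothing else local.
FULL_ACL = [
    Rule(0, "permit", "udp", SERVER, "0.0.0.0", 67),     # DHCP server port
    Rule(5, "permit", "udp", SERVER, "0.0.0.0", 53),     # DNS, if local
    Rule(10, "deny", "ip", LAN_SUBNET, LAN_WILDCARD),    # whole local subnet
    Rule(20, "permit", "ip"),                            # everything else
]

# The simplified variant: static IP + public DNS on the PC, so no local holes.
SIMPLE_ACL = [
    Rule(10, "deny", "ip", LAN_SUBNET, LAN_WILDCARD),
    Rule(20, "permit", "ip"),
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number) for a packet entering the port."""
    for rule in sorted(acl, key=lambda r: r.number):
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.dst, rule.dst, rule.dst_wildcard):
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action, rule.number
    # Both ACLs end in "permit ip any", so this is only reached with a
    # truncated rule set; the packet filter's default on no match is permit.
    return "permit", None


def sweep(acl: List[Rule], target: str, ports: List[int]) -> List[int]:
    """What a TCP port scan from the PC could reach: ports the ACL lets through."""
    return [p for p in ports if evaluate(acl, Packet("tcp", target, p))[0] == "permit"]


if __name__ == "__main__":
    samples = [  # constructed traffic from the conference-room PC
        ("DHCP renew (unicast)",  Packet("udp", SERVER, 67)),
        ("DHCP discover (bcast)", Packet("udp", "255.255.255.255", 67)),
        ("DNS query",             Packet("udp", SERVER, 53)),
        ("Kerberos",              Packet("tcp", SERVER, 88)),
        ("SMB",                   Packet("tcp", SERVER, 445)),
        ("ping a coworker PC",    Packet("icmp", "192.168.10.20")),
        ("HTTPS to Internet",     Packet("tcp", "203.0.113.10", 443)),
    ]
    for name, acl in (("full", FULL_ACL), ("simplified", SIMPLE_ACL)):
        print(f"--- {name} ACL ---")
        for label, pkt in samples:
            action, num = evaluate(acl, pkt)
            print(f"{label:24s} -> {action:6s} (rule {num})")
        print("TCP ports reachable on the server:",
              sweep(acl, SERVER, [88, 135, 139, 389, 445, 3389]))
```

Two things the model makes visible that the rule list alone does not: the wildcard mask works bit-wise (0.0.0.255 means "first three octets must match"), so a typo such as 0.0.255.255 would silently deny a much larger range; and the broadcast DHCP discover to 255.255.255.255 never matches rule 10 and is passed by rule 20 in both variants, while the unicast renewal to the server is what the simplified ACL blocks, which is why that variant is paired with a static address on the PC. Running the file prints a per-packet verdict for each ACL; the sweep should come back empty for the server under both.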

CamDash
Occasional Visitor

Re: Segregate a port so no domain access, only Internet? (HPE 1950 JG963A)

Parnassus -- Thank you for the alternate approach.  I'll keep it in my back pocket in case we need to go that way. 

Much appreciated!

CamDash
Occasional Visitor

Re: Segregate a port so no domain access, only Internet? (HPE 1950 JG963A)

Ivan_B -- I hadn't even thought of doing a static IP and public DNS.  That really simplifies it.  Thank you!