<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Network isolation in Network Management</title>
    <link>https://community.cisco.com/t5/network-management/network-isolation/m-p/5239764#M160661</link>
    <description>&lt;P&gt;Hello &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1825952"&gt;@dipakchaulagain525&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Private VLANs are an excellent way to isolate devices within the same VLAN at Layer 2. PVLANs support different port types, such as isolated ports, which restrict devices from communicating with each other while allowing access to shared resources (e.g., a gateway or server). Community ports can be used for devices that need limited group-based communication. This would allow you to maintain your current IP addressing scheme while isolating traffic efficiently...&lt;/P&gt;
&lt;P&gt;Also, a Network Access Control (NAC) system can help enforce Zero Trust policies by authenticating and authorizing devices before they are allowed onto the network. Solutions like &lt;EM&gt;Cisco ISE&amp;nbsp;&lt;/EM&gt;can dynamically assign access controls to devices based on their identity, posture, or role. NAC systems can also enforce segmentation by dynamically applying VLAN assignments or access policies to devices, ensuring they can only communicate with authorized endpoints.&lt;/P&gt;
</description>
    <pubDate>Sun, 22 Dec 2024 08:46:05 GMT</pubDate>
    <dc:creator>M02@rt37</dc:creator>
    <dc:date>2024-12-22T08:46:05Z</dc:date>
    <item>
      <title>Network isolation</title>
      <link>https://community.cisco.com/t5/network-management/network-isolation/m-p/5239751#M160660</link>
      <description>&lt;P&gt;Hi,&lt;BR /&gt;I work as an IT engineer in a company with 200-500 employees, and I want to implement some concept of a zero trust model at the company network level. Currently, there are different networks with subnet of 255.255.255.0 for servers, databases, management, and user departments. But I want to make sure that even the devices on the same subnet could not communicate or reach each other, and only the permitted device can communicate with the other device. I can't create each subnet for a server or user device, as the amount and count would be large and complicated to manage. Is there any solution for this?&lt;BR /&gt;Or is there a method that can be implemented on a large scale so that I can allow or deny the communication on the L2 level as well?&lt;BR /&gt;&lt;BR /&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Dec 2024 05:36:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-management/network-isolation/m-p/5239751#M160660</guid>
      <dc:creator>dipakchaulagain525</dc:creator>
      <dc:date>2024-12-22T05:36:00Z</dc:date>
    </item>
    <item>
      <title>Re: Network isolation</title>
      <link>https://community.cisco.com/t5/network-management/network-isolation/m-p/5239764#M160661</link>
      <description>&lt;P&gt;Hello &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1825952"&gt;@dipakchaulagain525&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Private VLANs are an excellent way to isolate devices within the same VLAN at Layer 2. PVLANs support different port types, such as isolated ports, which restrict devices from communicating with each other while allowing access to shared resources (e.g., a gateway or server). Community ports can be used for devices that need limited group-based communication. This would allow you to maintain your current IP addressing scheme while isolating traffic efficiently...&lt;/P&gt;
&lt;P&gt;Also, a Network Access Control (NAC) system can help enforce Zero Trust policies by authenticating and authorizing devices before they are allowed onto the network. Solutions like &lt;EM&gt;Cisco ISE&amp;nbsp;&lt;/EM&gt;can dynamically assign access controls to devices based on their identity, posture, or role. NAC systems can also enforce segmentation by dynamically applying VLAN assignments or access policies to devices, ensuring they can only communicate with authorized endpoints.&lt;/P&gt;
</description>
      <pubDate>Sun, 22 Dec 2024 08:46:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-management/network-isolation/m-p/5239764#M160661</guid>
      <dc:creator>M02@rt37</dc:creator>
      <dc:date>2024-12-22T08:46:05Z</dc:date>
    </item>
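The private-VLAN design described in the reply above, written out as a Catalyst IOS configuration. This is an added example, not configuration posted in the thread or supplied by Cisco; it assumes the existing user subnet 10.10.10.0/24 lives in VLAN 100, that VLANs 101 and 102 are free to use as secondary VLANs, that the gateway or firewall hangs off GigabitEthernet1/0/1, and that endpoints are on GigabitEthernet1/0/2 through 1/0/4. All VLAN numbers, interface names and addresses are illustrative.

```cisco
! Added example (not from the thread): Catalyst IOS private-VLAN configuration.
! Assumptions: primary VLAN 100 carries the existing 10.10.10.0/24 user subnet,
! VLANs 101/102 are unused, the gateway is on Gi1/0/1, hosts on Gi1/0/2-1/0/4.
!
! PVLANs require VTP transparent mode with VTP version 1/2 (VTP v3 can carry them).
vtp mode transparent
!
! Primary VLAN: the subnet, gateway and addressing stay exactly as they are.
vlan 100
 name USERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated secondary VLAN: a host here can reach promiscuous ports only,
! never another host in the same isolated VLAN.
vlan 101
 name USERS-ISOLATED
 private-vlan isolated
!
! Community secondary VLAN: hosts here reach each other and promiscuous ports.
vlan 102
 name APP-COMMUNITY
 private-vlan community
!
! Port towards the default gateway / shared services: promiscuous,
! mapped to both secondary VLANs so every host can reach it.
interface GigabitEthernet1/0/1
 description Gateway / shared services (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Ordinary user workstations: isolated host ports (no host-to-host traffic).
interface range GigabitEthernet1/0/2 - 3
 description User workstation (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
! A server that must talk to its peers in the same group: community host port.
interface GigabitEthernet1/0/4
 description App server (community 102)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 spanning-tree portfast
!
! Only if this switch is itself the Layer 3 gateway for the subnet:
! the SVI must also be mapped to the secondary VLANs.
interface Vlan100
 ip address 10.10.10.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verification:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/2 switchport
```

Two checks worth doing after applying this. First, PVLAN isolation only stops direct Layer 2 forwarding on the switch: if the gateway on the promiscuous port has local proxy ARP enabled or simply routes traffic back into the same subnet, two isolated hosts can still reach each other through it, so add a gateway-side ACL (or firewall rule) that drops traffic whose source and destination are both inside 10.10.10.0/24. Second, when the primary and secondary VLANs are carried over a trunk to another switch, every switch in the path has to support and be configured for the same private VLANs; a non-PVLAN-aware switch in between will happily forward isolated hosts' frames to each other.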
    <item>
      <title>Re: Network isolation</title>
      <link>https://community.cisco.com/t5/network-management/network-isolation/m-p/5239770#M160662</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1825952"&gt;@dipakchaulagain525&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The best solution for network segmentation at the Layer 2 level nowadays is DNAC with ISE, or ISE alone. However, it is hard to justify such an investment for a small to middle-size company.&lt;/P&gt;
&lt;P&gt;But, if investment is not a problem, ISE is the best option.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Dec 2024 09:42:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-management/network-isolation/m-p/5239770#M160662</guid>
      <dc:creator>Flavio Miranda</dc:creator>
      <dc:date>2024-12-22T09:42:40Z</dc:date>
    </item>
  </channel>
</rss>

