topic Client Isolation in Endpoint Security https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4403039#M6136 <P>Dear all,</P><P>&nbsp;</P><P>Could you please advise me client isolation examples in catalyst switch?</P><P>Can I achieve it with vlan access map for example first 50 IPs are servers and rest are client machines?</P><P>Maybe better&nbsp; ways?</P><P>&nbsp;</P><P>Please advise me some examples.</P><P>&nbsp;</P><P>Thank you.</P><P>Isac</P> Fri, 14 May 2021 10:39:07 GMT Izac ICT 2021-05-14T10:39:07Z Client Isolation https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4403039#M6136 <P>Dear all,</P><P>&nbsp;</P><P>Could you please advise me client isolation examples in catalyst switch?</P><P>Can I achieve it with vlan access map for example first 50 IPs are servers and rest are client machines?</P><P>Maybe better&nbsp; ways?</P><P>&nbsp;</P><P>Please advise me some examples.</P><P>&nbsp;</P><P>Thank you.</P><P>Isac</P> Fri, 14 May 2021 10:39:07 GMT https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4403039#M6136 Izac ICT 2021-05-14T10:39:07Z Re: Client Isolation https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4403049#M6137 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/314828">@Izac ICT</a>&nbsp;</P> <P>It depends on what exact hardware you have, but yes you could use a VLAN ACL (VACL) or alternatively you could use TrustSec. Typically TrustSec is deployed and managed via ISE, but you can configure locally on the switch without using ISE.</P> Fri, 14 May 2021 11:46:49 GMT https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4403049#M6137 Rob Ingram 2021-05-14T11:46:49Z Re: Client Isolation https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4403099#M6138 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;</P><P>Do you have any trustsec examples to guide me or any links?</P><P>&nbsp;</P><P>THank you.</P><P>Isac</P> Fri, 14 May 2021 13:39:22 GMT https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4403099#M6138 Izac ICT 2021-05-14T13:39:22Z Re: Client Isolation https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4403106#M6139 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/314828">@Izac ICT</a>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html</A></P> <P><A href="https://community.cisco.com/t5/security-documents/trustsec-troubleshooting-guide/ta-p/3647576" target="_blank">https://community.cisco.com/t5/security-documents/trustsec-troubleshooting-guide/ta-p/3647576</A></P> <P>&nbsp;</P> Fri, 14 May 2021 13:50:30 GMT https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4403106#M6139 Rob Ingram 2021-05-14T13:50:30Z Re: Client Isolation https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4404030#M6140 <P>&nbsp;</P><P>I've read them but they are too general. What I need is in 192.168.33.0/24 subnet, allow access to server IPs&nbsp;192.168.33.1-70 and block rest (192.168.33.71-255) to talk each other in VLAN33. Of course it would be great to allow access to fileserver on only SMB port etc.</P><P>&nbsp;</P><P>Can it be achieved with trustsec, any example?</P><P>&nbsp;</P><P>I'm sorry for asking example because I worked mostly on routing in Cisco and security on Juniper only.</P> Mon, 17 May 2021 12:59:52 GMT https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4404030#M6140 Izac ICT 2021-05-17T12:59:52Z Re: Client Isolation https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4404089#M6142 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/314828">@Izac ICT</a>&nbsp;Other than the cisco guides there isn't much information for a manual implementation of trustec (short of writing it myself), most examples are for management via ISE. Perhaps use a VACL, in which case here is an example:-</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/503_u2_2/b_Cisco_n3k_security_cg_503_u2_2_chapter_01001.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/503_u2_2/b_Cisco_n3k_security_cg_503_u2_2_chapter_01001.html</A></P> <P><A href="https://ciscoskills.net/2017/11/20/vlan-access-lists-vacls/" target="_blank">https://ciscoskills.net/2017/11/20/vlan-access-lists-vacls/</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 17 May 2021 14:03:55 GMT https://community.cisco.com/t5/endpoint-security/client-isolation/m-p/4404089#M6142 Rob Ingram 2021-05-17T14:03:55Z