Block particular traffic between two ports in a switch

senthil1976 · ‎12-21-2008

Two same type of access devices are connected to the two ports of a switch. Uplink of the switch goes to a MPLS edge router. The access devices are shearing some common vlans of edge router. When the devices communicate between each other via common vlans, normally there communicate via switch, the traffic will not go to router. My requirement is to block a particular vlan communication between the access ports.

Giuseppe Larosa · ‎12-21-2008

Hello Senthilkumar,

private vlans could help:

additional secondary vlans of type isolated or community can be used to allow device to gateway communication only.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/pvlans.html

However, if the edge device is performing vRF lite (multi VRF CE) you can add new vlans and new SVIs or subifs on the edge device that can allow ip address overlapping in different non communicating VRFs.

Hope to help

Giuseppe

mvillarreal_burwood · ‎01-24-2009

Use the switchport protected command on the switch for each port and that will not forward traffic to other protected port, you can also do a switchport block multicast or unicast to block unknown multicast or unicast traffic to those ports.