294 Views, 0 Helpful, 2 Replies

Network isolation

Hi,
I work as an IT engineer in a company with 200-500 employees, and I want to implement some concept of a zero trust model at the company network level. Currently, there are different networks with a subnet mask of 255.255.255.0 for servers, databases, management, and user departments. But I want to make sure that even devices on the same subnet cannot communicate with or reach each other, and that only a permitted device can communicate with another device. I can't create a separate subnet for each server or user device, as the number would be large and complicated to manage. Is there any solution for this?
Or is there a method that can be implemented on a large scale so that I can allow or deny communication at the L2 level as well?

Thank you.

2 Replies

M02@rt37
VIP

Hello @dipakchaulagain525 

Private VLANs are an excellent way to isolate devices within the same VLAN at Layer 2. PVLANs support different port types, such as isolated ports, which restrict devices from communicating with each other while allowing access to shared resources (e.g., a gateway or server). Community ports can be used for devices that need limited group-based communication. This would allow you to maintain your current IP addressing scheme while isolating traffic efficiently.

Also, a Network Access Control (NAC) system can help enforce Zero Trust policies by authenticating and authorizing devices before they are allowed onto the network. Solutions like Cisco ISE can dynamically assign access controls to devices based on their identity, posture, or role. NAC systems can also enforce segmentation by dynamically applying VLAN assignments or access policies to devices, ensuring they can only communicate with authorized endpoints.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
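To make the PVLAN port types in the reply above concrete, here is an added example (not from the original post or from Cisco) that models the Layer 2 forwarding rules between isolated, community and promiscuous ports and renders the matching Cisco IOS configuration. The VLAN numbers (primary 100, isolated 101, community 102) and the interface names are assumptions chosen for illustration; the IOS commands themselves are the standard PVLAN syntax.

```python
"""Private VLAN (PVLAN) reachability model plus IOS config generator.

Added example for this thread; not code from the original post or from Cisco.
VLAN numbers, interface names and the port list are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIMARY = 100       # assumed primary VLAN: keeps the existing /24 and its gateway
ISOLATED = 101      # assumed isolated secondary VLAN: hosts may only reach promiscuous ports
COMMUNITY = 102     # assumed community secondary VLAN: hosts may reach each other + promiscuous

VALID_KINDS = ("isolated", "community", "promiscuous")


@dataclass(frozen=True)
class Port:
    name: str                         # e.g. "GigabitEthernet1/0/2" (assumed)
    kind: str                         # "isolated", "community" or "promiscuous"
    secondary: Optional[int] = None   # secondary VLAN; required for host ports

    def __post_init__(self) -> None:
        if self.kind not in VALID_KINDS:
            raise ValueError(f"{self.name}: unknown port kind {self.kind!r}")
        if self.kind != "promiscuous" and self.secondary is None:
            raise ValueError(f"{self.name}: host ports need a secondary VLAN")


def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a frame from src may be switched to dst within one primary VLAN.

    Rules: a promiscuous port (gateway/shared server) talks to everything;
    community ports talk only within the same community VLAN; isolated ports
    never talk to other host ports, not even other isolated ports.
    """
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True
    if src.kind == "community" and dst.kind == "community":
        return src.secondary == dst.secondary
    return False  # isolated<->isolated and isolated<->community are both blocked


def reachability(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Full pairwise matrix so an operator can review who may reach whom."""
    return {(a.name, b.name): can_forward(a, b)
            for a in ports for b in ports if a is not b}


def ios_config(ports: List[Port]) -> List[str]:
    """Render the IOS PVLAN configuration for the given ports."""
    lines = [
        f"vlan {ISOLATED}", " private-vlan isolated",
        f"vlan {COMMUNITY}", " private-vlan community",
        f"vlan {PRIMARY}", " private-vlan primary",
        f" private-vlan association {ISOLATED},{COMMUNITY}",
    ]
    for p in ports:
        lines.append(f"interface {p.name}")
        if p.kind == "promiscuous":
            lines.append(" switchport mode private-vlan promiscuous")
            lines.append(f" switchport private-vlan mapping {PRIMARY} {ISOLATED},{COMMUNITY}")
        else:
            lines.append(" switchport mode private-vlan host")
            lines.append(f" switchport private-vlan host-association {PRIMARY} {p.secondary}")
    return lines


# Constructed sample: one uplink to the gateway, two isolated user PCs, two servers
# in a community that must replicate to each other but stay unreachable from the PCs.
SAMPLE_PORTS = [
    Port("GigabitEthernet1/0/1", "promiscuous"),
    Port("GigabitEthernet1/0/2", "isolated", ISOLATED),
    Port("GigabitEthernet1/0/3", "isolated", ISOLATED),
    Port("GigabitEthernet1/0/4", "community", COMMUNITY),
    Port("GigabitEthernet1/0/5", "community", COMMUNITY),
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability(SAMPLE_PORTS).items()):
        print(f"{src:>22} -> {dst:<22} {'allow' if ok else 'deny'}")
    print("\n".join(ios_config(SAMPLE_PORTS)))
```

Two caveats worth keeping in mind when applying this: PVLAN isolation is purely Layer 2, so the gateway on the promiscuous port must not be allowed to route between two isolated hosts on the same subnet (on Cisco IOS that means leaving `ip local-proxy-arp` off on the SVI, which is the default), and the matrix above is exactly what you should expect to see when you test with ping between two isolated ports: ARP gets no reply, which is the intended outcome, not a fault.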

@dipakchaulagain525 

The best solution for network segmentation at the Layer 2 level nowadays is DNAC with ISE, or ISE alone. However, it is hard to justify such an investment for a small to medium-sized company.

But if investment is not a problem, ISE is the best option.