Re: block hosts in the same subnet

alex goshtaei · ‎02-25-2011

Hi All,

we have a client who are using WLC WiSM and APs. he wants the wireless clients only allow to access to the internet and not be able to see each other. the reason for blocking traffic between host is for virus propagation. I couldn't find any solution to block hosts from each other in the same subnet. any suggestion would be very appreciated.

Thanks

Alex

Collin Clark · ‎02-25-2011

Take a look at private vlans.

http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html

Hope it helps.

alex goshtaei · ‎02-25-2011

thanks for the reply,

we have 172.27.30.0/22 subnet, so 1024 hosts will get an IP address. do I need to create 1024 private vlan in every single switch in the campus. they have pretty big network.

thanks again

Alex

Collin Clark · ‎02-25-2011

You can create 1 PVLAN and have that VLAN span all your switches, just like a normal VLAN. There are some limitations, so make sure you read the docs on the link above. Here's a config example-

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml

Pavel Pokorny · ‎02-27-2011

Hi,

I don't think PVLAN is solution at this case.

IMHO your problem can be solved by this feature:

http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html#wp1162814

This will cause all traffic from all host flow to gateway, where is possibility to send it to the IPS (for example).

BR

Pavel

Collin Clark · ‎02-28-2011

Pavel is correct, PVLANs is not the correct soultion to this. PVLANs are a wired solution, not wireless. Sorry about that.