cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
457
Views
0
Helpful
3
Replies

Design to isolate a group of users

h.parsons
Level 3
Level 3

My network consists of 20 VLANs that contain users I want to isolate from everyone else. They are spread accros all vlans. I want them to talk with each other but no one else. I am using CAT 6500 and CAT 3550's. I have a few ideas but I want to know the best way to do this.

3 Replies 3

pinnacledata
Level 1
Level 1

You could use a private vlan. You would want to set them up as community (as opposed to isolated) so they can talk to each other but no one else.

Private vlans coupled with VACLs as outlined here should accomplish what you wish:

http://cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

Private VLAN's is a good choice, it's specially useful in a DMZ area as it provides great L2 security. However, the switch(s) must be in transparent mode, and you must also manually remove pvlan port arp entries if the end station changes (MAC address), since the arp does not age out.

You can also consider using VLAN ACL, or a combination of the two - ultimately though it really depends on your security requirements.