01-08-2009 09:55 AM - edited 03-06-2019 03:19 AM
Hi,
Can someone help me with sample configs on how we can implement a quarantine VLAN across the enterprise.
Regards,
Nirmal
01-08-2009 10:01 AM
What exactly do you mean by a quarantine VLAN, i.e. a VLAN that can talk to no other ports?
I am guessing you want either private VLANs or switchport protected. If you could explain in more detail exactly what you are looking for, that would be helpful.
01-08-2009 10:06 AM
Hi,
Thanks for the immediate reply.
Whenever I identify a port with a virus, I would be changing it to this VLAN, and this VLAN should ideally access only the Symantec portals.
Regards,
Nirmal
01-08-2009 10:20 AM
Ahh, well, switchport protected may give you the functionality you are looking for.
Depending on how much you want to filter, how big your network is, how many VLANs, etc., you may need additional ACLs to block only a particular host or website, etc.
01-08-2009 11:01 AM
Maybe you can use the private VLAN concept? Private VLANs have isolated VLANs and community VLANs, and isolated ports and promiscuous ports. As the name suggests, an isolated VLAN is isolated and does not talk to any other port, even if the other ports are in the same VLAN. A community VLAN talks to other ports in the same community VLAN only, and to promiscuous ports. A promiscuous port talks to everyone. A private VLAN is an isolation between ports in the same VLAN; routed traffic is not affected by private VLANs. Having briefly explained that, you can put the Symantec ports on a promiscuous port and create an isolated VLAN for infected hosts.
Here is more info on private VLANs and all the terms mentioned above:
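As an added example (not a config posted by any reply in this thread), here is how the private VLAN layout described above could look on a Catalyst switch, together with the ACL that is still needed because routed traffic is not affected by the private VLAN. VLAN numbers, interface names and the 192.0.2.10 server address are assumed placeholders.

```cisco
! Added example for this thread; not a config from any of the replies above.
! VLAN IDs, interface names and the 192.0.2.10 server address are hypothetical placeholders.
!
! Private VLANs require VTP transparent mode on switches running VTP version 1 or 2.
vtp mode transparent
!
! Isolated secondary VLAN 101 is the quarantine; primary VLAN 100 carries it.
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Symantec server: promiscuous port, reachable by every quarantined host.
interface GigabitEthernet1/0/24
 description Symantec server (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Infected host: isolated host port. It can reach only the promiscuous port,
! never another quarantined host, even though both sit in VLAN 101.
interface GigabitEthernet1/0/5
 description Quarantined host (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Private VLANs isolate Layer 2 only; anything routed off the primary VLAN is unaffected.
! Restrict what quarantined hosts can reach beyond the VLAN with an ACL on the primary SVI.
ip access-list extended QUARANTINE-OUT
 permit ip host 192.0.2.10 any
 permit ip any host 192.0.2.10
 deny   ip any any log
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101
 ip access-group QUARANTINE-OUT in
```

The `log` keyword on the final deny gives the quarantine traffic that is blocked a visible audit trail in the switch log.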
01-08-2009 11:45 AM
Hello Nirmal,
The concept of a quarantine VLAN to be used for verification of devices is provided under the NAC (Network Access Control) framework.
see
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
This requires deploying an appliance that will be the policy server, with switches acting as policy enforcement points.
To be noted: the current Cisco solution requires one appliance per VTP domain.
Hope to help
Giuseppe