DHCP pool and ACL

istvan123
Level 1
Level 1

Hi,

 

I have a 2911 Cisco router and created a DHCP pool for my clients.

ip dhcp pool alma
 network 80.90.99.0 255.255.255.0
 dns-server 80.90.99.100
 default-router 80.90.99.225

Well, my goal is that the clients don't see each other. I'm thinking of an ACL for the deny, I just don't know how to do that :)

Could you help me?

 

Thanks in advance.

Istvan

 

10 Replies

rafaelti1
Level 1
Level 1

Do you have an ACL currently configured? I am not sure exactly what you are asking for. Can you copy and paste your ACL so we can see if it is blocking it?

Also, if you haven't already, you should exclude the IP of the DNS server and the default router in your config, since both of those IPs look like they belong in your currently configured DHCP pool range. Exclude them so those addresses don't accidentally get handed out and then cause a conflict.

 

Something like this

ip dhcp excluded-address 80.90.99.100
ip dhcp excluded-address 80.90.99.225

 

Let us know, thanks.

 

In this IP range there isn't an ACL. Let me explain the details :)

So we have, for example, 10 PCs, which have IP addresses from the DHCP pool (router).

PC1. 80.90.99.1
PC2. 80.90.99.2
...
PC10. 80.90.99.10

Now they can ping each other, and everything is permitted. There isn't an ACL now.

So the goal will be that PC1, PC2 ... PC10 can't ping each other.

Gotcha, so you don't want any of the PCs to be able to ping each other? Am I understanding this right?

Yes, perfectly :)

Why would you not want any of them to be able to ping each other?

Cause this is a security policy in my environment.

Hi, you can use a switch like a 3750 and configure private VLANs. Each user can be connected to an isolated port, and you configure a promiscuous port to plug in the router; that way they can all see the router and have access to the internet, but not each other.
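The private VLAN design described above, written out as an added example (not configuration from the thread). It assumes a Catalyst 3750 with clients on GigabitEthernet1/0/1-10 and the 2911 router on GigabitEthernet1/0/24; VLAN numbers 100/101 and the port numbers are assumptions to adapt to the real switch.

```cisco
! Added example: isolating DHCP clients with a private VLAN on a Catalyst 3750.
! VLAN numbers, port numbers and descriptions are assumptions.
!
! Private VLANs require VTP transparent mode (VTP v1/v2) or VTP v3.
vtp mode transparent
!
! Primary VLAN 100 carries the 80.90.99.0/24 subnet; secondary VLAN 101 is isolated.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Client ports: an isolated host can only talk to the promiscuous port, never to
! another isolated host, so PC1..PC10 cannot ping (or even ARP for) each other.
interface range GigabitEthernet1/0/1 - 10
 description DHCP clients PC1-PC10 (assumed ports)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
! Router port: promiscuous, so every client reaches the default gateway 80.90.99.225.
interface GigabitEthernet1/0/24
 description Uplink to 2911 router (assumed port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Verification:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/1 switchport
```

Two things to check with this design: if the DNS server 80.90.99.100 is a host attached to the same switch rather than sitting behind the router, it needs a promiscuous port too, or the clients cannot reach it. And on the router side, make sure `ip local-proxy-arp` is not enabled on the LAN interface, because that command exists precisely to let the router forward traffic between isolated hosts, which would undo the isolation.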

Thanks Roberto, but for this case is this the only solution? A standalone device? No way to another solution? For example, in the router with an access control list with which we deny the IP or ICMP packets between the DHCP clients. In my opinion this would be the best. Can we solve it with this procedure?

 

Best regards,

Istvan

Hello, 

the problem is that if the devices are in the same broadcast domain (same VLAN), the traffic does not pass through the router when those devices are communicating with each other.

That is why the only way to restrict the communication between the devices is to use some security technologies on the switch.

As Roberto said, one solution is to use private VLANs on a Cisco switch.

I can suggest one other solution: VLAN ACLs on a Cisco switch.

 

What switch do you use in your environment?

I agree with Roberto. However, I see what you're saying about the ACL: just as you would on a router, but on a switch that would only work when passing from one VLAN to another VLAN, not within a single VLAN. If traffic went from "int vlan 10" to "int vlan 20", for example, then it would work. But if they are all on VLAN 10, then just an ACL will not work. And creating a single VLAN for each host is extremely unnecessary. You need to do private VLANs or a VLAN ACL ("VACL").

In my opinion the private VLAN is easier to do config-wise than a VACL.

Let us know if you found a solution or need help doing a private vlan or vacl, thanks.
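The VACL alternative mentioned in the last two replies, as an added example (not configuration from the thread). It assumes the clients sit in VLAN 10 on a Catalyst 3750; the VLAN number, the ACL names and the access-map name are assumptions. The addresses come from the original DHCP pool: gateway 80.90.99.225 and DNS server 80.90.99.100.

```cisco
! Added example: a VLAN ACL that drops IP traffic between DHCP clients inside
! 80.90.99.0/24 while still letting every client reach the gateway and DNS server.
! VLAN 10 and the ACL/access-map names are assumptions.
!
! Traffic that must always be forwarded: to and from the gateway and the DNS server.
ip access-list extended VACL-INFRA
 permit ip any host 80.90.99.225
 permit ip host 80.90.99.225 any
 permit ip any host 80.90.99.100
 permit ip host 80.90.99.100 any
!
! Anything else that stays inside the subnet is client-to-client traffic.
ip access-list extended VACL-CLIENT-TO-CLIENT
 permit ip 80.90.99.0 0.0.0.255 80.90.99.0 0.0.0.255
!
! Clauses are evaluated in sequence order and the first match wins. A packet that
! matches no clause is dropped, hence the catch-all forward at the end.
vlan access-map ISOLATE-CLIENTS 10
 match ip address VACL-INFRA
 action forward
vlan access-map ISOLATE-CLIENTS 20
 match ip address VACL-CLIENT-TO-CLIENT
 action drop
vlan access-map ISOLATE-CLIENTS 30
 action forward
!
! Apply the map to the clients' VLAN. DHCP discovers (0.0.0.0 -> 255.255.255.255)
! do not match clause 20, fall through to clause 30 and keep working.
vlan filter ISOLATE-CLIENTS vlan-list 10
!
! Verification:
!   show vlan access-map ISOLATE-CLIENTS
!   show vlan filter
```

Unlike an isolated private VLAN port, this VACL only filters IP packets: ARP between clients is non-IP and still passes, so PC1 can learn PC2's MAC address, but every IP packet between them (including the ICMP echo) is dropped at the switch. If ARP visibility also matters, a `mac access-list extended` clause would be needed in the same access map, which is why the earlier replies call the private VLAN the simpler option.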
