Isolating intra vlan communication

Fazil Haneefa
Level 1

Hi Guys,

 

I need your expert advice on the below,

 

The client requires isolation within the same VLAN, i.e., none of the PCs on a particular VLAN should be able to talk to other PCs on the same VLAN.

I know that I can use private VLANs to achieve this purpose.

Have any of you come across any other method to accomplish the same, apart from private VLANs?

 

 

6 Replies

Mark Malone
VIP Alumni

You can use switchport protected instead of private VLANs; it's much easier to set up (one command). Or use layer 2 MAC ACLs if your switch supports it.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_20_ea2/configuration/guide/2950scg/swtrafc.html#wp1158863

Hi Mark,

 

Thank you for that info; that's definitely new to me.

But what confuses me is: if I have both a voice and a data VLAN on the port, will it affect the voice traffic too, since the RTP traffic would flow between phones on the same VLAN? This question applies even in the case of private VLANs.

Yes, that's a bit of an issue. One thing to remember: protected ports only work on the local switch, unlike private VLANs, which work between switches. It's a very basic command if you don't want to set up PVLANs.

 

Have a look at this

https://supportforums.cisco.com/discussion/10955331/protected-port-and-voice-vlan

schaef350
Level 1

I would get the phones split to their own VLAN if at all possible. Then, you can consider port-based IP ACLs or VLAN maps, assuming your switch is using code and/or licensing that supports each of those features. Very powerful and flexible, but it can get trickier to manage, so template and document your config well. Would still prefer private VLANs at the end of the day though...

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swacl.html

 

Please rate helpful posts!

 

- Be sure to rate all helpful posts

Hi schaef,

 

As you put it, managing that would be trickier.

Now, is it recommended to use private VLANs on access ports? Does it work with a voice VLAN and a data VLAN on the same port?

 

As per the documentation on the 3750 you cannot mix voice and private VLANs:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swvoip.html

 

Or on the 3560-X:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swpvlan.html#wp1057603

 

If security is a big issue, would the customer be open to 802.1X authentication? This would give you some options with downloadable ACLs (that you can manage centrally), or you could at least manage them on each switch and assign them with 802.1X. Again, it's a big project to get 802.1X implemented.

As far as an ACL goes, you might start like this:

 

! Allow IP traffic to the default gateway for troubleshooting, etc.
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
! Deny access to other hosts in the same subnet
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
! Allow connectivity to any other host
permit ip any any

 

Inevitably you're going to be adding an ACL rule to allow hosts to a printer or something in the near future... ;-)

 

 

 

- Be sure to rate all helpful posts
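To check what the three-line ACL above actually does before it goes on a port, here is an added example (not from the thread or from Cisco) that parses those ACEs with IOS wildcard-mask and first-match semantics and evaluates sample flows; the host addresses used for the flows are constructed, and the check also shows why the gateway permit must sit above the subnet deny.

```python
import ipaddress

def _addr(s):
    return int(ipaddress.IPv4Address(s))

def _spec(tokens):
    # Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W') -> ((addr, wildcard), rest)
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_addr(tokens[1]), 0), tokens[2:]
    return (_addr(tokens[0]), _addr(tokens[1])), tokens[2:]

def parse_acl(text):
    # Parse 'permit|deny ip <src> <dst>' lines into (action, src, dst) tuples; '!' lines are comments.
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _spec(rest)
        dst, _ = _spec(rest)
        aces.append((action, src, dst))
    return aces

def _matches(spec, ip):
    # Wildcard-mask match: a 1 bit in the wildcard means "don't care" for that bit.
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_addr(ip) & care) == (addr & care)

def evaluate(aces, src_ip, dst_ip):
    # First matching ACE wins; no match falls through to the IOS implicit deny.
    for action, src, dst in aces:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"

# Constructed sample: the three ACEs proposed in the thread, in the order given.
ISOLATE_ACL = parse_acl("""
! Allow IP traffic to the default gateway for troubleshooting, etc
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
! Deny access to other hosts in the same subnet
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
! Allow connectivity to any other host
permit ip any any
""")
```

Swapping the first two ACEs makes the subnet deny match the gateway as well, so a flow to 192.168.1.1 comes back as deny; the same evaluation applied to a voice subnet shows that phone-to-phone RTP in that subnet would be blocked by the same rule.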