05-12-2015 06:56 AM - edited 03-07-2019 11:58 PM
I need your expert advice on the below:
The client requires isolation within the same VLAN, i.e., none of the PCs on a particular VLAN should be able to talk to other PCs on the same VLAN.
I know that I can use Private VLANs to achieve this purpose.
Has any one of you come across any other method to accomplish this, apart from Private VLANs?
05-12-2015 07:13 AM
You can use switchport protected instead of Private VLANs; it is much easier to set up (one command). Or use Layer 2 MAC ACLs if your switch supports them.
05-13-2015 12:46 AM
Thank you for that info; that's definitely new to me.
But what confuses me is: if I have both the voice and data VLAN on the port, will it affect the voice traffic too, since the RTP traffic would flow between phones on the same VLAN? This question applies even in the case of Private VLANs.
05-13-2015 01:06 AM
Yes, that's a bit of an issue. One thing to remember: protected ports only work on the local switch, unlike Private VLANs, which work between switches. It's a very basic command if you don't want to set up PVLANs.
Have a look at this
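Worked configuration for the protected-port approach discussed in the two replies above. This is an added example, not configuration posted by anyone in the thread; the VLAN IDs (10 data, 20 voice), the interface numbers and the single-switch Catalyst layout are assumptions, so adjust them to your environment.

```cisco
! Added example, not from the original posts. Assumes data VLAN 10, voice
! VLAN 20 and access ports Gi1/0/1-24 on one Catalyst switch (adjust as needed).
!
! 'switchport protected' is a per-PORT setting: a protected port exchanges no
! unicast, multicast or broadcast frames with any other protected port on the
! SAME switch, in ANY VLAN carried on that port. Unprotected ports (uplinks,
! servers, the port towards the L3 gateway) still talk to everything.
interface range GigabitEthernet1/0/1 - 24
 description User port: PC (VLAN 10) + phone (VLAN 20), isolated
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport protected
 spanning-tree portfast
!
! Leave the uplink unprotected so isolated hosts can still reach their
! default gateway and everything beyond it.
interface GigabitEthernet1/0/48
 description Uplink to distribution / gateway
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Consequences worth knowing before deploying:
!  - Two phones on protected ports of this switch cannot exchange RTP
!    directly: the setting is per port, so the voice VLAN is isolated too.
!  - Hosts on DIFFERENT switches are not isolated from each other; the
!    feature has no notion of the rest of the VLAN (unlike Private VLANs).
!  - Hairpinning through the L3 gateway is not blocked by this feature.
!
! Verify per port with:
!   show interfaces GigabitEthernet1/0/1 switchport | include Protected
```

The two comment blocks capture exactly the trade-off raised in the thread: one command per port, but isolation that stops at the switch boundary and that cannot distinguish the data VLAN from the voice VLAN on the same port.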
05-13-2015 09:45 AM
I would get the phones split to their own VLAN if at all possible. Then, you can consider port-based IP ACLs or VLAN maps, assuming your switch is using code and/or licensing that supports each of those features. Very powerful and flexible, but it can get trickier to manage, so template and document your config well. I would still prefer Private VLANs at the end of the day, though...
Please rate helpful posts!
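Worked VLAN map (VACL) for the "VLAN maps" option mentioned in the reply above. This is an added example, not configuration from the original post; the data VLAN (10), its subnet (192.168.1.0/24) and the gateway address (192.168.1.1) are assumed values, and the phones are assumed to sit in a separate voice VLAN that this map never touches.

```cisco
! Added example, not from the original posts. Assumes data VLAN 10 =
! 192.168.1.0/24 with gateway 192.168.1.1; voice VLAN is separate and untouched.
!
! Step 1: an ACL that SELECTS intra-subnet host-to-host traffic. In a VLAN
! map the ACL only classifies: 'permit' means "matches this sequence",
! 'deny' means "does not match, try the next sequence". The drop/forward
! decision lives in the access map, not here.
ip access-list extended DATA-INTRA-SUBNET
 remark Gateway traffic in either direction must never be selected
 deny   ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 deny   ip host 192.168.1.1 192.168.1.0 0.0.0.255
 remark Add similar deny lines for any shared host in the subnet
 remark (printer, local DHCP server, file server) before this permit
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Step 2: the VLAN access map. Sequence 10 drops what the ACL selects;
! sequence 20 has no match clause, so it forwards everything else. The
! catch-all is required: the implicit end-of-map action is drop.
vlan access-map ISOLATE-DATA 10
 match ip address DATA-INTRA-SUBNET
 action drop
vlan access-map ISOLATE-DATA 20
 action forward
!
! Step 3: bind the map to the data VLAN only. A VLAN map filters bridged
! traffic inside the VLAN on THIS switch; apply the same map on every switch
! that carries VLAN 10, since it is not propagated between switches.
vlan filter ISOLATE-DATA vlan-list 10
!
! Note: 'match ip address' only sees IP. ARP between hosts still flows;
! add a 'match mac address' sequence if non-IP traffic must be blocked too.
!
! Checks:
!   show vlan access-map ISOLATE-DATA
!   show vlan filter
```

Compared with a port ACL, this keeps one policy per VLAN rather than one per port, but it must be repeated on every switch in the VLAN and the two gateway exceptions are easy to forget; missing the second deny silently blocks return traffic from the gateway.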
05-14-2015 12:18 AM
As you put it, managing that would be trickier.
Now, is it recommended to use Private VLANs on access ports? Does it work with the voice VLAN and data VLAN on the same port?
05-14-2015 05:13 AM
As per the documentation on the 3750, you cannot mix voice and Private VLANs:
Or on the 3560-X:
If security is a big issue, would the customer be open to 802.1X authentication? This would give you some options with downloadable ACLs (which you can manage centrally), or you could at least manage them on each switch and assign them with 802.1X. Again, it's a big project to get 802.1X implemented.
As far as an ACL goes, you might start like this:
! Named extended ACL; apply inbound on the access port (port ACLs are inbound only)
ip access-list extended ISOLATE-DATA
 ! Allow IP traffic to the default gateway for troubleshooting, etc.
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 ! Deny access to other hosts in the same subnet (entries are evaluated top down)
 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 ! Allow connectivity to any other host (there is an implicit deny at the end)
 permit ip any any
Inevitably you're going to be adding an ACL rule to allow hosts to a printer or something in the near future... ;-)