Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
611
Views
2
Helpful
4
Replies

P2P traffic blocking in the VLAN

Harutyun Hakobyan
Level 1
Level 1

‎03-21-2023 04:57 AM

Hi All,

Switch port is configured for dot1x and mab authentication and default VLAN is guest VLAN.

We want to block peer-to-peer traffic between guest hosts.

What are possible solutions for this case? 

Thanks 

 

Labels:
0 Helpful
4 Replies 4

M02@rt37
VIP
VIP

‎03-21-2023 05:12 AM

Hello @Harutyun Hakobyan 

One possible solution to block peer-to-peer traffic between guest hosts is to use Private VLANs . PVLANs allow you to isolate ports within the same VLAN, thereby preventing communication between devices connected to those ports.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Harutyun Hakobyan
Level 1
Level 1
In response to M02@rt37

‎03-21-2023 05:19 AM

Hello,

Currently dot1x and mab assign "regular" VLANs.
Is it possible also assign private VLAN for the same port? 

0 Helpful

M02@rt37
VIP
VIP
In response to Harutyun Hakobyan

‎03-21-2023 05:40 AM

@Harutyun Hakobyan 

Yes, it is possible to assign a private VLAN to a switch port that is configured for both dot1x and MAB authentication. In fact, using a private VLAN in conjunction with dot1x and MAB authentication can provide an additional layer of security and isolation.

When a port is configured for dot1x and MAB authentication, the switch assigns a VLAN to the connected device based on the authentication results. By default, this VLAN is a "regular" VLAN, but you can configure the switch to assign a private VLAN instead.

To configure a switch port to assign a private VLAN to authenticated devices, you first need to configure the private VLAN on the switch. This involves creating a primary VLAN and one or more secondary VLANs associated with it. Then, you can configure the switch port to use the primary VLAN as the default VLAN and to assign a secondary VLAN as the isolated VLAN.

Once you have configured the private VLAN, you can configure the switch port for dot1x and MAB authentication and specify the private VLAN to assign to authenticated devices. This will ensure that devices authenticated on the port are placed into the isolated secondary VLAN, which provides an additional layer of security and isolation from other devices on the network.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

MHM Cisco World
VIP
VIP
In response to Harutyun Hakobyan

‎03-21-2023 06:28 AM

VLAN access-map is solution for you to block P2P connection in same VLAN.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card