P2P traffic blocking in the VLAN

Hi All,

The switch port is configured for dot1x and MAB authentication, and the default VLAN is the guest VLAN.

We want to block peer-to-peer traffic between guest hosts.

What are possible solutions for this case?

Thanks

6 Replies

M02@rt37
VIP

Hello @Harutyun Hakobyan

One possible solution to block peer-to-peer traffic between guest hosts is to use Private VLANs (PVLANs). PVLANs allow you to isolate ports within the same VLAN, thereby preventing communication between devices connected to those ports.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello,

Currently dot1x and MAB assign "regular" VLANs.
Is it also possible to assign a private VLAN to the same port?

@Harutyun Hakobyan

Yes, it is possible to assign a private VLAN to a switch port that is configured for both dot1x and MAB authentication. In fact, using a private VLAN in conjunction with dot1x and MAB authentication can provide an additional layer of security and isolation.

When a port is configured for dot1x and MAB authentication, the switch assigns a VLAN to the connected device based on the authentication results. By default, this VLAN is a "regular" VLAN, but you can configure the switch to assign a private VLAN instead.

To configure a switch port to assign a private VLAN to authenticated devices, you first need to configure the private VLAN on the switch. This involves creating a primary VLAN and one or more secondary VLANs associated with it. Then, you can configure the switch port to use the primary VLAN as the default VLAN and to assign a secondary VLAN as the isolated VLAN.

Once you have configured the private VLAN, you can configure the switch port for dot1x and MAB authentication and specify the private VLAN to assign to authenticated devices. This will ensure that devices authenticated on the port are placed into the isolated secondary VLAN, which provides an additional layer of security and isolation from other devices on the network.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

A VLAN access-map is a solution for you to block P2P connections in the same VLAN.

ANKUSH_SINGLA
Level 1

@MHM Cisco World, do you have any reference doc for it?

Hi,

Here's a Cisco doc: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html

You can use this example as a reference. It assumes the IPv4 subnet is 10.10.10.0/24 and the default gateway is 10.10.10.254; it allows traffic to the default gateway and outside of the VLAN and drops all other intra-VLAN IPv4 traffic:

! Note: in an ACL referenced by a VLAN access-map, "deny" means "not matched by
! this clause" (the packet falls through to the next sequence), "permit" means
! "matched", and the clause's action decides what happens to matched packets.
ip access-list extended VACL_VLAN20_DROP
 ! traffic to the gateway is excluded from the drop clause
 10 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.254
 ! everything else that stays inside the subnet is matched and dropped
 20 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip access-list extended VACL_VLAN20_FORWARD
 10 permit ip any any
!
! sequence 10 drops intra-subnet packets; sequence 20 forwards the rest
! (without it, packets matching no clause hit the access-map's implicit drop)
vlan access-map VLAN20_FILTER 10
 match ip address VACL_VLAN20_DROP
 action drop
vlan access-map VLAN20_FILTER 20
 match ip address VACL_VLAN20_FORWARD
 action forward
!
vlan filter VLAN20_FILTER vlan-list 20

Best,

Cristian.
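To make the access-map semantics in the config above concrete, here is an added Python model (not Cisco code and not from this thread) that evaluates constructed sample flows against the posted ACLs, with the names, addresses and flows below being assumptions built from the post. It encodes the rule that a deny entry means "this clause does not match, fall through", a permit entry means "matched, apply the clause's action", and a packet matching no clause is dropped.

```python
import ipaddress

# Constructed model of the posted VACL (not Cisco code). Semantics modelled:
#  - an ACE matches when src and dst fall inside its (address, wildcard) ranges;
#  - inside an ACL the first matching ACE decides: "permit" means the access-map
#    clause matches the flow, "deny" means it does not and the flow falls through
#    to the next clause; no matching ACE also means no match;
#  - a flow that matches no access-map clause is dropped (implicit drop).

ANY = ("0.0.0.0", "255.255.255.255")      # "any"
GW = ("10.10.10.254", "0.0.0.0")          # "host 10.10.10.254"
SUBNET = ("10.10.10.0", "0.0.0.255")      # 10.10.10.0/24 as address + wildcard

ACLS = {  # name -> [(action, (src, src_wc), (dst, dst_wc))], transcribed from the post
    "VACL_VLAN20_DROP": [("deny", SUBNET, GW), ("permit", SUBNET, SUBNET)],
    "VACL_VLAN20_FORWARD": [("permit", ANY, ANY)],
}
# vlan access-map VLAN20_FILTER, in sequence order: (seq, acl name, action)
ACCESS_MAP = [(10, "VACL_VLAN20_DROP", "drop"), (20, "VACL_VLAN20_FORWARD", "forward")]

def wildcard_match(addr, rule):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    base, wc = rule
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wc))
    return (a & ~w) == (b & ~w)

def acl_matches(acl, src, dst):
    """True if the ACL's first matching ACE is a permit (i.e. the clause matches)."""
    for action, s_rule, d_rule in acl:
        if wildcard_match(src, s_rule) and wildcard_match(dst, d_rule):
            return action == "permit"
    return False

def vacl_action(src, dst, access_map=ACCESS_MAP, acls=ACLS):
    for _seq, acl_name, action in access_map:
        if acl_matches(acls[acl_name], src, dst):
            return action
    return "drop"  # implicit drop at the end of a VLAN access-map

def evaluate(flows, access_map=ACCESS_MAP, acls=ACLS):
    return {(s, d): vacl_action(s, d, access_map, acls) for s, d in flows}

FLOWS = [  # constructed sample flows (src, dst) seen in VLAN 20
    ("10.10.10.11", "10.10.10.12"),   # guest to guest: intra-VLAN, dropped
    ("10.10.10.11", "10.10.10.254"),  # guest to gateway: forwarded
    ("10.10.10.11", "203.0.113.9"),   # guest to outside: forwarded
    ("203.0.113.9", "10.10.10.11"),   # outside to guest (routed in): forwarded
    ("10.10.10.254", "10.10.10.11"),  # gateway to guest: also intra-subnet -> dropped
]

if __name__ == "__main__":
    for (s, d), act in evaluate(FLOWS).items():
        print(f"{s:>14} -> {d:<14} {act}")
```

Two things the model makes visible before deploying: removing the sequence-20 clause (`ACCESS_MAP[:1]`) drops every flow, including guest-to-outside, because of the implicit drop; and the gateway-to-guest direction is classified as intra-subnet by the posted ACL, so if packets sourced by the gateway itself (DHCP offers, ICMP replies) are processed by the VACL on your platform, they need their own deny entry in VACL_VLAN20_DROP.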
