02-23-2018 12:25 PM - edited 03-08-2019 02:00 PM
Dears,
I have 100 subnets on my corporate core switch. I need users in the same VLAN not to communicate with each other; how can I control them?
Please specify a solution apart from the one below.
Thanks
02-23-2018 12:39 PM
Hi there,
Are these users all connected to the same switch? If so, you could configure their switchports as protected:
!
int gix/x/x
    switchport protected
!
This will prevent these ports from communicating with each other.
You may also want to go a step further and block unknown unicast and multicast traffic to these ports:
!
int gix/x/x
    switchport protected
    switchport block unicast
    switchport block multicast
!
cheers,
Seb.
02-23-2018 10:59 PM - edited 02-23-2018 11:13 PM
Dear,
If I have 3 switches on one floor with one VLAN X, where 2 switches are in a stack and the third one is standalone, will switchport protected work for all hosts in VLAN X in this scenario, or will users on the stack switch be able to communicate with the standalone switch even though the switchport protected command is enabled on every port of the 3 switches?
If we apply switchport block unicast and multicast, then unknown flooding will not happen on these ports; so how will the switch come to know a host that it doesn't have in its address table?
Thanks
02-24-2018 12:28 AM
Hello,
in addition to Seb's post, and depending on your platform, you also might want to look at PACLs (Port ACLs), see the link below for configuration details.
That said, VACLs are specifically designed for the purpose of controlling intra-Vlan traffic, which is what you are after, so eventually they will provide the best solution...
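As an added illustration of the VACL approach mentioned above (this configuration is not part of the original thread), here is a VLAN access map for the scenario the original poster describes: hosts in one VLAN may talk only to their default gateway, while routed traffic to and from other subnets keeps working. The VLAN ID 100, the subnet 10.10.100.0/24, the gateway address 10.10.100.1 and all object names are assumed placeholders.

```cisco
! Assumed example values (not from the thread): VLAN 100, subnet 10.10.100.0/24,
! default gateway 10.10.100.1.
!
! 1. Traffic to or from the gateway is always allowed.
ip access-list extended VLAN100_GATEWAY
 permit ip any host 10.10.100.1
 permit ip host 10.10.100.1 any
!
! 2. Host-to-host traffic that stays inside the subnet is what we want to drop.
!    Matching source AND destination in the subnet leaves routed traffic
!    (one address outside the subnet) untouched.
ip access-list extended VLAN100_INTRA_HOSTS
 permit ip 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255
!
! 3. Everything else (inter-VLAN traffic, DHCP discover from 0.0.0.0, ...).
ip access-list extended ANY_IP
 permit ip any any
!
! 4. The access map is evaluated in sequence order; the first matching entry wins.
vlan access-map INTRAVLAN_100 10
 match ip address VLAN100_GATEWAY
 action forward
vlan access-map INTRAVLAN_100 20
 match ip address VLAN100_INTRA_HOSTS
 action drop
vlan access-map INTRAVLAN_100 30
 match ip address ANY_IP
 action forward
!
! 5. Bind the map to the VLAN. It filters every packet bridged within, routed into
!    or routed out of VLAN 100 on this switch, whatever port it arrives on.
vlan filter INTRAVLAN_100 vlan-list 100
!
! Verification:
!   show vlan access-map INTRAVLAN_100
!   show vlan filter
```

Two caveats a practitioner should keep in mind. The map above has match clauses for IP only; non-IP frames such as ARP have no matching clause and are therefore forwarded, which is required so hosts can resolve the gateway, but it also means hosts can still ARP one another even though their IP traffic is dropped. And like a protected port, a VACL is local to the switch it is configured on: it only sees frames that are bridged through that switch, so every switch that carries the VLAN needs its own copy, and with many subnets you need one gateway ACL and one intra-subnet ACL per VLAN.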
02-24-2018 01:39 AM
Dear George,
My goal is to block intra-VLAN traffic on the VLAN; how can I manage 254 MAC addresses per VLAN to restrict them per port on the switch?
Please correct me if I'm wrong.
Thanks
02-26-2018 10:14 AM
Dear Expert
Please reply
thanks
02-26-2018 11:16 AM
Hello,
What are you trying to accomplish? Allow one MAC address per port?
02-26-2018 11:47 AM
I want to accomplish that within one VLAN the hosts should not communicate with each other; they should only communicate with their default gateway.
02-26-2018 02:18 PM
Hello,
This is the very reason private vlans were created. Is there a reason you can't use them?
As mentioned before, you could use protected ports, but those are only locally significant to a specific switch, so once traffic leaves that switch it will no longer be remembered whether it came from a protected port or not.
Because of this limitation, private vlans were created. I do not believe there is another way to accomplish this.
Hope this helps!
02-26-2018 09:21 PM
Dears,
Let's assume I am going with private VLANs; then for each VLAN of 254 hosts I have to create an isolated VLAN.
02-27-2018 12:12 AM
Hi there,
For each primary VLAN (eg: 100) you associate one isolated VLAN (eg: 101). That VLAN ID would be used for all 254 hosts.
!
vlan 100
    name PRIMARY_100
    private-vlan primary
    private-vlan association 101
!
vlan 101
    name PVLAN_101
    private-vlan isolated
!
cheers,
Seb.
02-27-2018 01:11 AM
Will the private VLAN 101 be for each host or for each VLAN? I mean to say:
there are 254 hosts in one subnet, so for all hosts do I have to create isolated VLANs from 101 to 354 and then associate VLANs 101-354 to primary VLAN 100?
Please correct me if I'm wrong.
thanks
02-27-2018 01:59 AM
You just need to create VLANs 100 and 101, so you would have something like:
!
interface gigabitethernet0/1
    switchport mode private-vlan host
    switchport private-vlan host-association 100 101
!
interface gigabitethernet0/2
    switchport mode private-vlan host
    switchport private-vlan host-association 100 101
!
interface gigabitethernet0/3
    switchport mode private-vlan host
    switchport private-vlan host-association 100 101
!
cheers,
Seb.
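Pulling the VLAN definitions and the host-port fragment together, here is a complete isolated private VLAN on an IOS switch as an added example (it is not the thread's own configuration): the gateway behind a promiscuous port or on an SVI, the host ports, and the trunk needed for the stack-plus-standalone-switch layout asked about earlier in the thread. VLANs 100/101, the interface numbers and the address 10.10.100.1/24 are assumed placeholders.

```cisco
! Private VLANs must be defined identically on every switch that carries them.
! With VTP version 1 or 2 the switch has to be in transparent mode (VTPv3 can
! propagate private VLANs); assumed here.
vtp mode transparent
!
! One primary VLAN and ONE isolated VLAN serve all 254 hosts of the subnet.
vlan 100
 name PRIMARY_100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name ISOLATED_101
 private-vlan isolated
!
! Host ports: isolated ports can reach promiscuous ports only, never each other.
! (Assumed port range; the thread's own output shows that a port carrying a
! voice VLAN is rejected in this mode, so such ports are not included here.)
interface range GigabitEthernet1/0/2 - 24
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Gateway (router or firewall) behind a promiscuous port: this port may talk to
! every host in the secondary VLANs mapped to it.
interface GigabitEthernet1/0/1
 description gateway uplink (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Alternative when the gateway is an SVI on this switch: the isolated VLAN must
! be mapped to the SVI of the primary VLAN, otherwise hosts cannot reach it.
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 private-vlan mapping 101
!
! Trunk to the standalone switch: BOTH VLANs must be allowed. Frames from isolated
! hosts travel in VLAN 101 and replies from the gateway come back in VLAN 100.
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan 100,101
!
! Verification:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/2 switchport
```

Isolation holds across switches because the private VLAN membership travels with the 802.1Q tag: a frame arriving on the standalone switch tagged 101 is only ever delivered to a promiscuous port there, not to another isolated host, provided the standalone switch has the same vlan 100/101 definitions and its access ports are configured in host mode as above. On platforms that support ISL, `switchport trunk encapsulation dot1q` has to precede `switchport mode trunk` on the trunk port.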
03-21-2018 01:14 PM - edited 03-24-2018 01:05 AM
Thanks for your reply.
I have a query related to the promiscuous port, as in my scenario I don't have a router; instead I have an ASA service module, and the private VLAN primary and secondary are forwarded to the ASA-SM. So if I have an ASA-SM module setup, what procedure has to be followed?
Also the end-user access port contains a voice VLAN, so I get the error below when applying the switchport mode command:
Switch(config-if)#int  gigabitEthernet 1/0/35
Switch(config-if)#switchport mode private-vlan host
Command rejected: Gi1/0/35 is configured with a voice Vlan.
Regards