06-05-2020 05:39 PM
Hi,
I'm planning to implement private VLAN on all switches on the network, 15 switches in all (there are 15 floors, separated by VLANs 1-15). The purpose is to block the hosts from communicating with each other on the same network. I don't have ISE to implement it the best way, but in your opinion, could implementing private VLAN on the access layer bring performance problems or other kinds of problems?
Tks
06-05-2020 06:30 PM
Hi,
Why do you want to block hosts from communicating with each other? If you want to block subnets/VLANs from communicating with each other, instead of private VLAN you can use an access list on the core switch where routing takes place. Don't make things complicated if you don't need to and don't have a requirement.
HTH
06-05-2020 07:03 PM - edited 06-05-2020 07:06 PM
Hi, thanks for the comment. I want to block communication between hosts on the same network for security purposes, creating a layer 2 defense.
06-06-2020 11:09 AM
Tks, I plan to use VACL too. In your opinion, or that of other friends on the forum, if I use Private VLAN on all access switches, could it generate any impact, for example low performance caused by hardware resources consumed on the 2960S switches?
TKS
06-06-2020 03:09 PM
No, I don't think that configuring private VLANs will cause any performance issues. Overall, I think the port ACL config may be an easier solution.
HTH
06-06-2020 07:14 PM
Tks, I checked on the Cisco search tool, and unfortunately on switch model WS-C2960S-48LPS-L, VACL, PACL and PRIVATE VLANs don't work; only PRIVATE VLAN Edge works.
06-07-2020 04:49 AM
Hello
@crusier2015 wrote:
I'm planning to implement private VLAN on all switches on the network, 15 switches in all
@crusier2015 wrote:
Tks, I checked on the Cisco search tool, and unfortunately on switch model WS-C2960S-48LPS-L, VACL, PACL and PRIVATE VLANs don't work; only PRIVATE VLAN Edge works.
If you want to negate communication between specific VLANs in your network, then as you have multiple switches and, I assume, VLANs also, you need to apply routed access lists on the L3 interfaces for these VLANs, and this is done on the device performing that routing, not on the switches.
06-08-2020 05:44 AM
Tks Paul, in this case I have to deny communication between hosts in the same network. Tks
06-08-2020 07:21 AM
Hello
@crusier2015 wrote:
Tks Paul, in this case I have to deny communication between hosts in the same network. Tks
Tks, I checked on the Cisco search tool, and unfortunately on switch model WS-C2960S-48LPS-L, VACL, PACL and PRIVATE VLANs don't work; only PRIVATE VLAN Edge works.
Then you are quite limited; however, a crude way to get L2 protection would be to use a protected port on each access port you wish not to communicate with another protected port, but this only works between ports to which this feature is applied.
interface x/x
 description access port
 switchport protected
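A fuller version of the protected-port approach for one 2960S access switch, added here as an illustration rather than anything posted in the thread; the interface numbers, the floor VLAN and the uplink placement are assumed:

```cisco
! Example for a single 2960S floor switch (added illustration, not from the thread).
! Assumed: Gi1/0/1-46 are user ports on floor VLAN 3, Gi1/0/47-48 are the uplinks.
interface range GigabitEthernet1/0/1 - 46
 description access port
 switchport mode access
 switchport access vlan 3
 switchport protected
 spanning-tree portfast
!
interface range GigabitEthernet1/0/47 - 48
 description uplink - deliberately NOT protected, so hosts can still reach the gateway
 switchport mode trunk
!
! Check that the flag is actually set on a user port:
! show interfaces GigabitEthernet1/0/1 switchport | include Protected
```

Note the limit of this feature: protected ports only isolate ports on the same switch, so a host on a protected port of the floor-3 switch can still reach a host on a protected port of another switch in the same VLAN, because the frames cross the unprotected trunk. Per-switch isolation is all this buys you on a platform where PVLAN, VACL and PACL are unavailable.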
07-07-2020 07:56 PM
Hi Reza and Paul,
Sorry for the late reply, tks for your help.