
Protecting access layer using private vlan

crusier2015
Level 1

Hi,

 

I'm planning to implement private VLANs on all switches on the network, 15 switches in total (there are 15 floors, separated by VLANs 1-15). The purpose is to block hosts from communicating with each other on the same network. I don't have ISE to implement it the best way, but in your opinion, could implementing private VLANs on the access layer bring performance problems or other kinds of problems?

 

Tks


10 Replies

Reza Sharifi
Hall of Fame

Hi,

Why do you want to block hosts from communicating with each other? If you want to block subnets/VLANs from communicating with each other, instead of private VLANs you can use an access list on the core switch where routing takes place. Don't make things complicated if you don't need to and don't have a requirement.

HTH

Hi, thanks for the comment. I want to block communication between hosts on the same network, for security purposes, creating a layer 2 defense.

Tks, I plan to use VACLs too. In your opinion, or that of other friends on the forum, if I use private VLANs on all access switches, could it generate any impact, for example low performance caused by hardware resources consumed on the 2960S switches?

 

TKS

No, I don't think that configuring private VLANs will cause any performance issues. Overall, I think the port ACL config may be an easier solution.

HTH

Tks, I checked with the Cisco search tool, and unfortunately on the switch model WS-C2960S-48LPS-L, VACL, PACL and private VLANs don't work; only Private VLAN Edge works.

Hello


@crusier2015 wrote:

'm planning to implement private VLANs on all switches on the network, 15 switches in total



@crusier2015 wrote:

Tks, I checked with the Cisco search tool, and unfortunately on the switch model WS-C2960S-48LPS-L, VACL, PACL and private VLANs don't work; only Private VLAN Edge works.


If you want to prevent communication between specific VLANs in your network, then, as you have multiple switches and presumably multiple VLANs as well, you need to apply routed access-lists on the L3 interfaces for these VLANs, and this is done on the device performing that routing, not on the switches.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Tks Paul, in this case I have to deny communication between hosts in the same network. Tks

Hello


@crusier2015 wrote:

Tks Paul, in this case I have to deny communication between hosts in the same network. Tks

Tks, I checked with the Cisco search tool, and unfortunately on the switch model WS-C2960S-48LPS-L, VACL, PACL and private VLANs don't work; only Private VLAN Edge works.


Then you are quite limited; however, a crude way to get L2 protection would be to use a protected port on each access port that you do not wish to communicate with another protected port, but this only works between ports that this feature is applied to.

 

! repeat for every access port that should be isolated on this switch;
! leave the uplink/trunk port unprotected
interface x/x
 description access port
 switchport protected


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
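One way to check that the protected-port rollout actually covered every access port on each of the 15 switches, as an added example that is not from this thread or from Cisco: it parses a constructed running-config fragment (interface names, the VLAN number and the descriptions are assumed) and lists the access ports still missing 'switchport protected', deliberately skipping trunk ports.

```python
# Constructed sample running-config fragment (not from the thread) for one
# WS-C2960S-48LPS-L access switch: one protected access port, one access
# port that was missed during rollout, and the uplink trunk to the core.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description access port
 switchport mode access
 switchport access vlan 3
 switchport protected
!
interface GigabitEthernet1/0/3
 description access port - missed during rollout
 switchport mode access
 switchport access vlan 3
!
interface GigabitEthernet1/0/49
 description uplink to core
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Split an IOS running-config into {interface name: [indented lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces

def unprotected_access_ports(config):
    """Return access ports that still lack 'switchport protected'.
    Trunks are skipped on purpose: isolation is local to one switch, and a
    protected uplink would cut protected hosts off from the whole network."""
    return [name for name, lines in parse_interfaces(config).items()
            if "switchport mode access" in lines
            and "switchport protected" not in lines]

if __name__ == "__main__":
    for port in unprotected_access_ports(SAMPLE_CONFIG):
        print(f"{port}: access port without 'switchport protected'")
```

Feed it the output of "show running-config" from each switch; because protected ports only isolate within one switch, the check has to be run per switch, and hosts on different floors still need the routed ACLs Paul mentioned.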

Hi Reza and Paul, 

 

Sorry for the late reply, and thanks for your help.
