Isolate hosts in the same vlan
10-27-2015 02:54 AM
Hi,
This is the scenario:
- one single VLAN
- I need hosts that access this VLAN to be able only to reach the gateway. Communication between hosts in the same VLAN should be blocked. Is it possible in XOS?
Thanks
11 REPLIES
10-27-2015 06:23 AM
To summarize a bit:
- if this requirement is local to a single switch (stack), then Port Isolation is certainly the best way to go.
- if the VLAN spans multiple switches, the usual Private VLAN is the way to go.
- an ACL can be a workaround, especially if you want some latitude in your initial requirement.
10-27-2015 05:50 AM
Hi!
Also (as a workaround) you can try an ACL (but this has to be tested).
For example:
ports 1,2,3 - hosts.
#edit pol XXX
entry permit_def_gate {
    if {
        destination-address 172.16.0.1/24; # default gateway
    } then {
        permit;
    }
}
entry deny_inter-hosts {
    if {
        destination-address 172.16.0.0/24; # other hosts
    } then {
        deny;
    }
}
#conf access-list XXX ports 1-3 ingress
10-27-2015 05:50 AM
One quick tweak to the ACL:
entry permit_def_gate {
    if {
        destination-address 172.16.0.1/32; # default gateway
    } then {
        permit;
    }
}
entry deny_inter-hosts {
    if {
        destination-address 172.16.0.0/24; # other hosts
    } then {
        deny;
    }
}
If the gateway line had a /24 mask, it would match on all hosts in the subnet, rather than just the gateway.
01-19-2023 03:25 PM
I'm a little late to the show, but anyway.
Why do you need to specify the default gateway? Traffic exiting the VLAN uses the def GW's MAC address but not its IP address.
You can just deny dst 172.16.0.0/24 and, for the rest, permit all IPv4.
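Added example, not posted by anyone in this thread: a small Python first-match simulator for the destination-address entries in the EXOS-style policy text above, run over constructed destinations (the gateway, a neighbouring host in 172.16.0.0/24 and an off-subnet address). It covers the /24 versus /32 point from the "quick tweak" reply and the deny-only variant from the reply just above; the policy strings, the destination addresses and the implicit-permit fallback for traffic that matches no entry are assumptions.

```python
import ipaddress
import re

# Constructed EXOS-style policy text mirroring the thread (not a real switch file).
FIRST_DRAFT = """
entry permit_def_gate {
    if { destination-address 172.16.0.1/24; } then { permit; } }
entry deny_inter-hosts {
    if { destination-address 172.16.0.0/24; } then { deny; } }
"""
TWEAKED = FIRST_DRAFT.replace("172.16.0.1/24", "172.16.0.1/32")  # the /32 fix
DENY_ONLY = """
entry deny_inter-hosts {
    if { destination-address 172.16.0.0/24; } then { deny; } }
"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{.*?destination-address\s+(\S+?);.*?(permit|deny);", re.S)


def parse_policy(text):
    """Return [(name, network, action)] in file order; the switch takes the first match."""
    entries = []
    for name, cidr, action in ENTRY_RE.findall(text):
        # strict=False applies the mask the way the switch does: 172.16.0.1/24 -> 172.16.0.0/24
        entries.append((name, ipaddress.ip_network(cidr, strict=False), action))
    return entries


def evaluate(entries, dst_ip):
    """First matching destination-address entry decides; assumed implicit permit otherwise."""
    dst = ipaddress.ip_address(dst_ip)
    for name, net, action in entries:
        if dst in net:
            return action, name
    return "permit", "implicit"


# Constructed destinations: the gateway, a neighbouring host and an off-subnet address.
DESTINATIONS = {"gateway": "172.16.0.1", "neighbour": "172.16.0.20", "internet": "203.0.113.10"}


def isolation_report(policy_text):
    """Map each destination label to the action a host-facing port would take."""
    entries = parse_policy(policy_text)
    return {label: evaluate(entries, ip)[0] for label, ip in DESTINATIONS.items()}


if __name__ == "__main__":
    for name, text in [("first draft", FIRST_DRAFT), ("tweaked", TWEAKED), ("deny only", DENY_ONLY)]:
        print(f"{name:11}: {isolation_report(text)}")
```

The first draft permits the neighbour because the /24 gateway entry shadows the deny; the deny-only variant isolates hosts but also denies traffic to the gateway's own address, which matters if hosts must be able to ping it.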
10-27-2015 03:17 AM
Thanks!
