Isolate hosts in the same vlan

Localhost
New Contributor II
Hi

this is the scenario:

- one single vlan
- I need hosts that access this vlan to be able only to reach the gateway. Communication between hosts in the same vlan should be blocked. Is it possible in Xos?

thanks


Stephane_Grosj1
Extreme Employee
To summarize a bit:

- if this requirement is local to a single switch (stack), then Port Isolation is certainly the best way to go.
- if the VLAN spans multiple switches, the usual Private VLAN is the way to go.
- An ACL can be a workaround, especially if you want some latitude in your initial requirement

Alexandr_P
Valued Contributor
Hi!

Also (as a workaround) you can try an ACL (but this has to be tested).
For example:
ports 1,2,3 - hosts.

#edit pol XXX
entry permit_def_gate {
    if {
        destination-address 172.16.0.1/24; # default gateway
    } then {
        permit;
    }
}
entry deny_inter-hosts {
    if {
        destination-address 172.16.0.0/24; # other hosts
    } then {
        deny;
    }
}

#conf access-list XXX ports 1-3 ingress

One quick tweak to the ACL:

entry permit_def_gate {
    if {
        destination-address 172.16.0.1/32; # default gateway
    } then {
        permit;
    }
}
entry deny_inter-hosts {
    if {
        destination-address 172.16.0.0/24; # other hosts
    } then {
        deny;
    }
}

If this line had a /24 mask, it would match on all hosts in the subnet, rather than just the gateway.
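To make the /24 versus /32 point concrete, here is an added Python model (not code from the thread or from EXOS) of the two-entry policy above, evaluated first-match on destination address only. It assumes, as EXOS does, that traffic matching no entry is implicitly permitted; the destination addresses are constructed samples.

```python
import ipaddress

# Constructed model of the thread's ACL: a list of (entry name, destination
# prefix, action) evaluated top-down, first match wins.
HOST_SUBNET = ipaddress.ip_network("172.16.0.0/24")


def policy(gateway_prefix: str) -> list:
    """Build the two entries from the thread; gateway_prefix is the
    destination-address used in permit_def_gate (/24 as posted, /32 as fixed)."""
    # strict=False mirrors how a host/len pair is treated as its containing prefix
    gateway_net = ipaddress.ip_network(gateway_prefix, strict=False)
    return [
        ("permit_def_gate", gateway_net, "permit"),
        ("deny_inter-hosts", HOST_SUBNET, "deny"),
    ]


def evaluate(acl: list, dst: str) -> str:
    """First-match ACL lookup on the destination IP.
    Assumption (EXOS behaviour): no matching entry means the packet is permitted."""
    addr = ipaddress.ip_address(dst)
    for _name, net, action in acl:
        if addr in net:
            return action
    return "permit"  # implicit permit when nothing matches


def isolation_report(gateway_prefix: str) -> dict:
    """Verdicts for three constructed destinations: the gateway itself, another
    host in the same VLAN, and an address outside the VLAN."""
    acl = policy(gateway_prefix)
    flows = {
        "gateway": "172.16.0.1",        # should be permitted
        "peer_host": "172.16.0.20",     # should be denied (host isolation)
        "off_subnet": "198.51.100.10",  # routed via the gateway, permitted
    }
    return {label: evaluate(acl, ip) for label, ip in flows.items()}


if __name__ == "__main__":
    # With /24 the first entry covers the whole subnet, so peer traffic is permitted.
    print("as first posted (/24):", isolation_report("172.16.0.1/24"))
    # With /32 only the gateway is permitted before the deny entry catches peers.
    print("corrected (/32):      ", isolation_report("172.16.0.1/32"))
```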

I'm a little late to the show but anyway.

Why do you need to specify the default gateway? Traffic exiting the VLAN uses the def GW's MAC address but not its IP address.

You can just deny dst 172.16.0.0/24 and for the rest permit all IPv4

Localhost
New Contributor II
thanks!