cancel
Showing results for 
Search instead for 
Did you mean: 

Isolate hosts in the same vlan

Isolate hosts in the same vlan

Localhost
New Contributor II
Hi

this is the scenario:

- one single vlan
- I need hosts that access this vlan to be able only to reach the gateway. Communication between hosts in the same vlan should be blocked. Is it possible in Xos?

thanks

11 REPLIES 11

Erik_Auerswald
Contributor II
Hello Martin,

you can use policies on the S-Series, the same idea as the ACL solution for EXOS above.

Br,
Erik

MartinS1
New Contributor
Hi guys,

is there a way to realise this on EOS (S-Series) Switches as well?

Thanks in advance,
Martin

Localhost
New Contributor II
very valuable information. I will keep this thread in mind even for the future.

thanks everybody!

Paul_Russo
Extreme Employee
Hello there is another potential but it depends on your network and what features you actually need. There is a feature called Upstream Forwarding or Upstream Forwarding Only (UFO) that allows ports to be on the same VLAN but their traffic can only go up the uplink port. We disable flooding to the other ports so that a user on one port can't see traffic from another user on another port. This features is used mainly in MAN networks or Fiber to the Home designs where SPs want to restrict user traffic.

It is in the user guide search for upstream forwarding here's s snippet

"Figure 87: Upstream Forwarding or Disabling Egress Flooding Example"
"In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and"
"2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN, client 1 could possibly learn about the other client’s traffic by sniffing client 2’s broadcast traffic; client 1 could then possibly launch an attack on client 2."
"However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the"
"following reasons:"
"• Broadcast and multicast traffic from the clients is forwarded only to the uplink port."
"• Any packet with unlearned destination MAC addresses is forwarded only to the uplink port."
"• One client cannot learn any information from the other client. Because egress flooding is disabled on the access ports, the only packets forwarded to each access port are those packets that are specifically targeted for one of the ports. There is no traffic leakage."
"In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to"
"communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP"
"address for client 2."

There are pros and cons with using this over private VLAN and really comes down with what you need to do but it is an option

Thanks
P

GTM-P2G8KFN