[c-nsp] Block traffic between users in the same vlan

Church, Chuck cchurch at netcogov.com
Wed Apr 13 11:52:35 EDT 2005


In CatOS, protected switchports are referred to as Private VLANs.  See:
http://www.cisco.com/en/US/tech/tk389/tk689/technologies_configuration_example09186a008017acad.shtml 


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ruben Montes
Sent: Wednesday, April 13, 2005 11:47 AM
To: Erdem Sener; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Block traffic between users in the same vlan

Hello,
 
Yes, I know the command switchport protected, but cat6500/4500 don't support it. I think VACLs (VLAN ACLs) are the solution, but I have never configured them and I don't know their behavior.
Any help would be appreciated.
 
Best regards,
 
Ruben

	-----Original Message-----
	From: Erdem Sener [mailto:erdem.sener at borusantelekom.com]
	Sent: Wed 13/04/2005 17:39
	To: Ruben Montes; cisco-nsp at puck.nether.net
	CC:
	Subject: RE: [c-nsp] Block traffic between users in the same vlan
	
	



	Hello,
	
	
	 You could do "switchport protected" on each vlan interface, which will
	force the traffic between ports to go through a layer 3 device, the
	default gateway in your case.
	
	 Erdem
	
	> -----Original Message-----
	> From: cisco-nsp-bounces at puck.nether.net
	> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ruben Montes
	> Sent: Wednesday, April 13, 2005 6:07 PM
	> To: cisco-nsp at puck.nether.net
	> Subject: [c-nsp] Block traffic between users in the same vlan
	>
	> Hello,
	>
	> I want to block traffic between users in the same vlan: the
	> only communication allowed will be with the default gateway
	> of this vlan.
	>
	> source dest action
	> 192.168.1.0/24 192.168.1.1/32(gateway) permit
	> 192.168.1.0/24 192.168.1.0/24 deny
	> 192.168.1.0/24 not(192.168.1.0/24) permit
	>
	> Can this be accomplished with VACLs? This is a wifi
	> environment and we want to block all access between wifi
	> clients. I know there's a functionality called PSPF, but this
	> only applies to clients associated in the same AP.
	> Any working configuration would be appreciated.
	>
	> Regards,
	>
	> Ruben
	>
	
	
	

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
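
For reference, the policy table from the original question written as a VACL. This is an added example, not a configuration posted by anyone in the thread; it assumes Cisco IOS (not CatOS) syntax, and the ACL names, the access-map name and VLAN 100 are placeholders.

```cisco
! Added example. WIFI-GATEWAY, WIFI-INTRA, WIFI-ISOLATE and VLAN 100 are
! placeholder names/values, not taken from the thread.
!
! Inside a VACL, "permit" in an ACL only means "this clause matches";
! the access-map action (forward/drop) decides what happens to the packet.
!
! Row 1: clients <-> default gateway. A VACL is not directional and sees
! every packet bridged in the VLAN, so the gateway's replies need their
! own entry or they would fall through to the drop clause below.
ip access-list extended WIFI-GATEWAY
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 permit ip host 192.168.1.1 192.168.1.0 0.0.0.255
!
! Row 2: client <-> client inside the subnet. This also matches the
! subnet broadcast 192.168.1.255.
ip access-list extended WIFI-INTRA
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Clauses are evaluated in sequence order, first match wins.
vlan access-map WIFI-ISOLATE 10
 match ip address WIFI-GATEWAY
 action forward
vlan access-map WIFI-ISOLATE 20
 match ip address WIFI-INTRA
 action drop
! Row 3: everything else (traffic routed to/from other subnets, DHCP
! requests from 0.0.0.0 to 255.255.255.255). No match clause = match all.
vlan access-map WIFI-ISOLATE 30
 action forward
!
! Apply the map to the wireless client VLAN.
vlan filter WIFI-ISOLATE vlan-list 100
```

The drop clause matches on IP addresses only, so non-IP frames such as ARP still pass between clients through sequence 30. Private VLANs, as mentioned in the top reply, isolate the ports at layer 2 instead.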


