Cisco
kirillrabinovich, 2014-08-07 15:10:53

How to limit the interaction of hosts within a VLAN?

Good day colleagues!
There is one local network. Core on a stack of two 3750s, access on 2960.
How can I prevent a host from interacting with hosts in the same vlan?
I.e., there is a vlan for users, and it is necessary that users' machines cannot interact with each other.
I thought about making a route map, and sending packets to null, and now I’m wondering if the packets inside the vlan pass through the vlan interface on which the route map will be?


4 answer(s)
throughtheether, 2014-08-07
@kirillrabinovich

I am presented with the following options.
Switchport protected on 2960 as a vegetarian replacement for private vlans.
If hosts communicate with each other using protocols over IP, then you can think about proxy arp on the device that routes this vlan (3750).
The most totalitarian option is VLAN ACL (mac access-list, vlan access-map) on 2960. Allow traffic to the host only from the default gateway (taking into account FHRP, if you have something similar configured).

I thought about making a route map, and sending packets to null, and now I’m wondering if the packets inside the vlan pass through the vlan interface on which the route map will be?
Packets (frames) can be switched from source to destination already at the access level, where, I assume, there are no L3 interfaces for this vlan.
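
An added example, not part of any answer in this thread: the `switchport protected` option only isolates hosts if every user access port carries it and the uplink toward the gateway does not, so this Python check audits a running-config for both conditions. The config text, interface names and VLAN 10 are constructed assumptions.

```python
# Constructed sample of a 2960 running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport protected
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport protected
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return interfaces

def audit_protected(config, user_vlan):
    """Find user-VLAN access ports lacking isolation, and protected trunks."""
    unprotected, protected_trunks = [], []
    for name, cmds in parse_interfaces(config).items():
        protected = "switchport protected" in cmds
        is_trunk = "switchport mode trunk" in cmds
        in_vlan = f"switchport access vlan {user_vlan}" in cmds
        if in_vlan and not is_trunk and not protected:
            unprotected.append(name)  # host can still reach its neighbours
        if is_trunk and protected:
            protected_trunks.append(name)  # protected hosts lose the gateway
    return unprotected, protected_trunks

if __name__ == "__main__":
    print(audit_protected(SAMPLE_CONFIG, 10))
```

Protected ports are local to one switch (or one stack), so a clean result here says nothing about user ports on a different 2960 that share the same VLAN through the uplink.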

Sergey Petrikov, 2014-08-07
@RicoX

Use private vlan

Valentin, 2014-08-07
@vvpoloskin

They don't pass. Use either port isolation, possibly in combination with acl, or vlan per port. Unfortunately, L2 switches do not support such things as private vlan, vacl.

AZCOS, 2016-03-30
@AZCOS

So separate your access users with lists; you have a 3750, it is a layer 3 switch.
