Security within single VLAN.

Unanswered Question
Feb 23rd, 2007

Hi All,

We have only one single VLAN across our switch network and would like to implement security, so that users cannot communicate with each other and cannot access each other resources they should only go to default gateway to access internet?

Is this Possible? Please let us know.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Danilo Dy Fri, 02/23/2007 - 03:44

One way is to setup a windows domain and create user policy so that they cannot login to their local PC as administrator but only a normal user which has only access to resources that enable them to do their job. Fri, 02/23/2007 - 03:49

We do not have windows in our network...Some third party server which is acting as a more than a plain router...this network is only use for internet access and all users are in single VLAN.

We have cisco switches in our network with single VLAN.

We want to implement security within single VLAN so that users cannot communicate with each other and cannot access each other resources...

Is this possible???

Please advice.



Danilo Dy Fri, 02/23/2007 - 05:25

Through network its not possible, even you have multiple VLANs unless you restrict one user per VLAN :) The only way its possible in the network is running Network OS and centralized user login like I mentioned earlier.

It is still possible using free and available resources in your user PC, but its tedious and administration nightmare when your network grows. Anyway here it is.

1. Account

- Administrator account should be use only by you. Use a difficult to guess password.

- Create user account for the user without administrative priviledge

***This way, user will not be able to enable services and install unauthorized application

2. Services

- Disable network card bindings for FTP, File and Printer Sharing, RDC, etc...whatever you want to disable.

3. Firewall

- All user PC should use Windows XP SP2

- Enable Win XP Firewall and deny incoming access to well known ports like FTP, etc..

To make this easy, you can issue same model PC for everyone. Perform the above steps to one PC and GHOST the system, then you can make multiple copies of it to all other PC :) Fri, 02/23/2007 - 05:29

I want to implement the security in switches rather in doing in PCs.... Fri, 02/23/2007 - 05:39

Here is the switch models for our network...






Again, I would like to tell you that all users are in VLAN1 and we want users not to share resources and cannot communicate with each other... Is this possible on above models, If yes tell me how?

Danilo Dy Fri, 02/23/2007 - 05:56

Well in that case, you have to tell us your switch model and IOS version.

This is for switching and security expert to digest and recommend a solution to secure all hosts from each other in a single broadcast domain using switch


This Discussion