Command for Bogus VLAN

Unanswered Question
May 10th, 2007
All, what is the command to set a port in a VLAN that will take the end user nowhere? I am wanting to tighten down security on unused ports. Is there a command that will take the end user only out to the internet?

Jon Marshall Thu, 05/10/2007 - 04:24
Hi


If you want to stop a user on the port communicating with any other vlan and only allow internet traffic, you could use an access list on the vlan interface.


If you want to stop a user on the port talking to any other vlan and any machine within the vlan, you could look at VACLs, which allow you to filter traffic within a vlan.


What we do here is to shut down all unused ports and allocate them into a vlan that is non-routable. So even if the port is accidentally brought up the user can't get anywhere.


HTH


Jon

rwamstutz Thu, 05/10/2007 - 04:32
Jon, what is the command line you use to allocate them into a VLAN that is non-routable?

Amit Singh Thu, 05/10/2007 - 04:45
Cisco Employee

You can assign the ports to a vlan using the commands below:


switch# vlan database
switch(vlan)# vlan x                      --> x is the bogus vlan ID; exit applies it to the VLAN database
switch(vlan)# exit

switch# config t
switch(config)# interface range fa 0/1 - 10
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport access vlan x    --> a bogus vlan on your switch


Make sure that you don't create an L3 interface for this vlan on your router or L3 switch. This will make sure that your ports are in a separate vlan which is not routable to the internet.


HTH,

-amit singh
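The two answers above describe the intended end state: unused ports shut down and parked in a black-hole VLAN, with no SVI (interface VlanN) for that VLAN anywhere on a Layer 3 device. The script below is an added example, not code from this thread or from Cisco, that audits a saved running-config for exactly those conditions and emits the IOS commands needed to fix what it finds. The config text, the port list and the VLAN ID 999 are constructed assumptions for the example.

```python
"""Audit a Cisco IOS running-config for black-hole VLAN hygiene.

Checks, following the advice in the thread:
  1. every port listed as unused is in the black-hole VLAN and shut down;
  2. no Layer 3 SVI (interface VlanN) exists for the black-hole VLAN,
     so traffic placed in it has nowhere to be routed.
All sample data below is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

BLACKHOLE_VLAN = 999  # assumed ID of the bogus/black-hole VLAN
# Assumed list of ports the operator considers unused.
UNUSED_PORTS = {"FastEthernet0/2", "FastEthernet0/3", "FastEthernet0/4"}

# Constructed sample running-config: Fa0/2 is compliant, Fa0/3 is in the
# right VLAN but not shut, Fa0/4 was left in VLAN 1 and up, and someone
# mistakenly created an SVI for VLAN 999, making it routable.
SAMPLE_CONFIG = """\
!
vlan 10
 name USERS
vlan 999
 name BLACKHOLE
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 999
!
interface FastEthernet0/4
 switchport mode access
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan999
 ip address 10.0.99.1 255.255.255.0
!
"""


@dataclass
class Interface:
    name: str
    lines: list[str] = field(default_factory=list)

    @property
    def access_vlan(self) -> int:
        for line in self.lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                return int(m.group(1))
        return 1  # IOS default: an access port with no explicit VLAN is in VLAN 1

    @property
    def is_shutdown(self) -> bool:
        # IOS only writes 'shutdown' to running-config when the port is admin down.
        return "shutdown" in self.lines


def parse_interfaces(config: str) -> dict[str, Interface]:
    """Collect each 'interface ...' block and its indented sub-commands."""
    interfaces: dict[str, Interface] = {}
    current: Interface | None = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces[current.name] = current
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces


def audit(config: str, unused_ports: set[str], blackhole_vlan: int = BLACKHOLE_VLAN) -> list[str]:
    """Return human-readable findings; an empty list means the config is compliant."""
    findings: list[str] = []
    interfaces = parse_interfaces(config)
    for port in sorted(unused_ports):
        intf = interfaces.get(port)
        if intf is None:
            findings.append(f"{port}: not present in config")
            continue
        if intf.access_vlan != blackhole_vlan:
            findings.append(f"{port}: in VLAN {intf.access_vlan}, expected {blackhole_vlan}")
        if not intf.is_shutdown:
            findings.append(f"{port}: not shut down")
    if f"Vlan{blackhole_vlan}" in interfaces:
        findings.append(f"Vlan{blackhole_vlan}: SVI exists, VLAN is routable")
    return findings


def remediation(config: str, unused_ports: set[str], blackhole_vlan: int = BLACKHOLE_VLAN) -> list[str]:
    """Return IOS config-mode commands that bring the config into compliance."""
    cmds: list[str] = []
    interfaces = parse_interfaces(config)
    for port in sorted(unused_ports):
        intf = interfaces.get(port)
        if intf is None or intf.access_vlan != blackhole_vlan or not intf.is_shutdown:
            cmds += [f"interface {port}", " switchport mode access",
                     f" switchport access vlan {blackhole_vlan}", " shutdown"]
    if f"Vlan{blackhole_vlan}" in interfaces:
        cmds.append(f"no interface Vlan{blackhole_vlan}")
    return cmds


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, UNUSED_PORTS):
        print("FINDING:", finding)
    print("\n".join(remediation(SAMPLE_CONFIG, UNUSED_PORTS)))
```

Feed it the output of `show running-config` saved to a file and your own port list. The SVI check matters as much as the port check: a black-hole VLAN with an `interface VlanN` on the core is not a black hole, it is just another user VLAN.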
