Command for Bogus VLAN

Unanswered Question
May 10th, 2007

All, what is the command to set a port in a VLAN that will take the end user nowhere? I am wanting to tighten down security on unused ports. Is there a command that will take the end user only out to the internet?

Jon Marshall Thu, 05/10/2007 - 04:24

Hi

If you want to stop a user on the port communicating with any other vlan and only allow internet traffic, you could use an access list on the vlan interface.

If you want to stop a user on the port talking to any other vlan and any machine within the vlan, you could look at VACLs, which allow you to filter traffic within a vlan.

What we do here is to shut down all unused ports and allocate them into a vlan that is non-routable. So even if the port is accidentally brought up the user can't get anywhere.

HTH

Jon

rwamstutz Thu, 05/10/2007 - 04:32

Jon, what is the command line you use to allocate them into a VLAN that is non-routable?

Amit Singh Thu, 05/10/2007 - 04:45

You can assign the ports to a vlan using the commands below:

switch# vlan database
switch(vlan)# vlan x
switch(vlan)# exit
switch# config t
switch(config)# interface range fa 0/1 - 10
switch(config-if-range)# switchport access vlan x    --> a bogus vlan on your switch

Make sure that you don't create an L3 interface for this vlan on your router or L3 switch. This will make sure that your ports are in a separate vlan which is not routable to the internet.

HTH,

-amit singh
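The procedure above (park every unused port in a VLAN that has no SVI, and shut the port down as Jon describes) is easy to get wrong by hand on a switch with dozens of ports, and the check at the end, that nobody has created an L3 interface for the bogus VLAN, is the part that silently breaks later. The following is an added example, written for this page and not code from either poster or from Cisco: a small Python audit that parses constructed text in the layout of `show interfaces status` and a running-config fragment, lists the ports that are not yet parked, emits the IOS lines to park them, and warns if the parking VLAN has a live SVI. VLAN 999 as the parking VLAN, the sample port names and the sample addresses are all assumptions.

```python
"""Audit unused ports and generate the 'bogus VLAN' parking config for Cisco IOS.

Added example, not code from the thread. Inputs are constructed text mimicking
`show interfaces status` and a running-config fragment; VLAN 999 as the parking
VLAN is an assumption, pick an id that carries nothing else on your network.
"""
import re

PARKING_VLAN = 999  # assumed parking VLAN id

# Constructed sample in the layout of `show interfaces status`.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     user-pc            connected    10         a-full  a-100 10/100BaseTX
Fa0/2                        notconnect   1            auto   auto 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        disabled     999          auto   auto 10/100BaseTX
Fa0/6                        notconnect   20           auto   auto 10/100BaseTX
Gi0/1     uplink             connected    trunk        full   1000 10/100/1000BaseTX
"""

# Constructed running-config fragment. The Vlan999 SVI is the mistake the
# thread warns about: with an IP address the parking VLAN is routable.
SAMPLE_RUNNING_CONFIG = """\
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan999
 ip address 10.0.99.1 255.255.255.0
!
"""

STATUS_RE = re.compile(
    r"^(?P<port>[A-Za-z]+\d+(?:/\d+)+)\s+(?P<name>.*?)\s*"
    r"(?P<status>err-disabled|connected|notconnect|disabled)\s+(?P<vlan>\S+)"
)
SVI_RE = re.compile(r"^interface Vlan(\d+)$")


def parse_interface_status(text):
    """One dict (port, name, status, vlan) per interface line; the header is skipped."""
    return [m.groupdict() for m in map(STATUS_RE.match, text.splitlines()) if m]


def find_unused_ports(entries, parking_vlan=PARKING_VLAN):
    """Ports with no link that are not yet shut down in the parking VLAN.
    Trunks are skipped: an uplink also shows notconnect during maintenance."""
    unused = []
    for e in entries:
        if e["vlan"] == "trunk" or e["status"] not in ("notconnect", "disabled"):
            continue
        if not (e["status"] == "disabled" and e["vlan"] == str(parking_vlan)):
            unused.append(e)
    return unused


def remediation_config(unused, parking_vlan=PARKING_VLAN):
    """IOS lines that park each port: forced access mode in the bogus VLAN, then shut."""
    lines = [f"vlan {parking_vlan}", " name UNUSED-PARKING", "exit"]
    for e in unused:
        lines += [f"interface {e['port']}", " switchport mode access",
                  f" switchport access vlan {parking_vlan}", " shutdown"]
    return lines


def routed_vlans(running_config):
    """VLAN ids whose SVI has an IP address and is not shut down, i.e. VLANs the
    switch routes. The parking VLAN must not be in this set."""
    routed = set()
    for stanza in re.split(r"^!$", running_config, flags=re.M):
        lines = [ln.strip() for ln in stanza.strip().splitlines()]
        m = SVI_RE.match(lines[0]) if lines else None
        if m and "shutdown" not in lines and any(ln.startswith("ip address") for ln in lines):
            routed.add(int(m.group(1)))
    return routed


def audit(status_text, running_config, parking_vlan=PARKING_VLAN):
    """Unused ports, the config to park them, and a warning if the parking VLAN routes."""
    unused = find_unused_ports(parse_interface_status(status_text), parking_vlan)
    warnings = []
    if parking_vlan in routed_vlans(running_config):
        warnings.append(f"interface Vlan{parking_vlan} is up with an IP address; "
                        "remove the SVI or the parking VLAN is not a dead end")
    return {"unused_ports": [e["port"] for e in unused],
            "remediation": remediation_config(unused, parking_vlan),
            "warnings": warnings}


if __name__ == "__main__":
    result = audit(SAMPLE_STATUS, SAMPLE_RUNNING_CONFIG)
    for w in result["warnings"]:
        print("WARNING:", w)
    print("\n".join(result["remediation"]))
```

On the sample input the audit reports Fa0/2, Fa0/3 and Fa0/6 as unparked (Fa0/5 is already shut in VLAN 999 and the trunk is ignored), and warns because `interface Vlan999` carries an address. `switchport mode access` is emitted alongside `switchport access vlan` so a port left in dynamic mode cannot negotiate a trunk when someone re-enables it; the generated lines are meant to be reviewed and pasted, not pushed blindly.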
