05-10-2007 04:12 AM - edited 03-05-2019 03:59 PM
All, what is the command to set a port in a VLAN that will take the end user nowhere? I am wanting to tighten down security on unused ports. Is there a command that will take the end user only out to the internet?
05-10-2007 04:24 AM
Hi
If you want to stop a user on the port communicating with any other vlan and only allowing internet traffic you could use an access list on the vlan interface.
If you want to stop a user on the port talking to any other vlan and any machine within the vlan you could look at VACLs which allow you to filter traffic within a vlan.
What we do here is to shut down all unused ports and allocate them into a vlan that is non-routable. So even if the port is accidentally brought up the user can't get anywhere.
HTH
Jon
05-10-2007 04:32 AM
Jon, what is the command line you use to allocate them into a VLAN that is non-routable?
05-10-2007 04:45 AM
You can assign the ports to a vlan using the commands below:
Switch# vlan database
Switch(vlan)# vlan x
Switch(vlan)# exit
Switch# config t
Switch(config)# interface range fa 0/1 - 10
! vlan x is a bogus vlan on your switch
Switch(config-if-range)# switchport access vlan x
Make sure that you don't create an L3 interface for this vlan on your router or L3 switch. This will make sure that your ports are in a separate vlan which is not routable to the internet.
HTH,
-amit singh