Access control within a VLAN

Unanswered Question
Jun 30th, 2008

Hi All

Here's my setup:




l3sw1 has vlan interfaces configured for VLAN100 and VLAN200 and is routing between the two.

Each server is on the same VLAN (200) and needs to reach r1 and beyond.

However, I dont want the servers to be able to communicate with each other.

I dont believe private VLAN's will work here and I think MAC access lists would be possible but get quite messy with many hosts on VLAN 200.

Are there any other options?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.3 (4 ratings)
lee.reade Mon, 06/30/2008 - 02:29


You can do this via switchport protected,

basically when two ports are configured with this command, they cannot communicate with each other directly, they can only communicate with ports in that vlan that are not configured with switchport protected!




ccannon88567 Mon, 06/30/2008 - 03:18

Great Info LR, but I have an extra Q.

Does this affect only the VLAN in which Switchport Protected is configured?

Say I have server 1 in vlan 10 with sw protected, and I have server 2 in vlan 20 also with switchport protected - can the server 1 still communicate with server 2 ? Is the protected mode only locaclly significant to the vlan or does it span the switch fabric?

lee.reade Mon, 06/30/2008 - 03:24


This strictly a layer 2 and local to the switch thing, so in the scenario you describe, server 1 and server 2 will be able to communicate, they will route via their default gateway to other server.

For blocking server to server on different vlans, you should look at configuring access-list on the default gateway interfaces.




ccannon88567 Mon, 06/30/2008 - 03:30

I never knew about switchport protected - this would be great to make mini broadcast domains on a server vlan.

Thanks for the info LR.

jamesl0112 Mon, 06/30/2008 - 03:30

Switchport protected is locally significant - so if you had a protected port in say vlan 10, it would be able to communicate with a protected port in vlan 10 on another switch.

However if they are in different vlans (and there is no L3 device providing inter-vlan communication) they would not be able to communicate anyway.

mattbauer Mon, 06/30/2008 - 19:09

Hi LR, all

Thanks for the info. I didnt know about the "switchport protected" command. That looks great, but I have one further possible requirement. There may be a situation where one or two servers *will* need to talk to each other, but not to anyone else on that VLAN. It doesnt look like switchport protected command has any flexibility.

Any other thoughts on this?


(PS, I didnt realize my diagram screwed up when I posted it. It's incredibly simple, but Ive attached it again here, just in case).

jamesl0112 Tue, 07/01/2008 - 02:58

If you have a couple of servers that need to talk to each other, but no-one else - would you be able to put them in their own VLAN?

mattbauer Tue, 07/01/2008 - 16:50

No, I cant do that. This particular setup is very restrictive. I dont have any flexibility to change the VLAN.

But I think it's ok. Im pretty sure the switchport protected will be enough.

Thanks everyone for the help.

mattbauer Mon, 07/07/2008 - 03:41

I just realized that this command ("switchport protected") is not supported on my 4948.

I do have "switchport port-security", but it doesnt look like that's what I want. It seems to be used for locking down based on MAC address.

"switchport protected" was perfect. Is there something like this I can use on my 4948 running 12.2(31)SGA4?


This Discussion