Block ALL traffic (inc non-IP) on switch port

ajenks
Level 1

I have 2 switches; they are connected via an access port (not a trunk). I need to block ANY type of traffic between these 2 switches except a couple of hosts that I could define in an ACL.

Say, for example, the access I wanted to permit across the switches is:

192.168.0.1 -> 192.168.100.1

What type of access list configuration (and type) would I need to use to ensure ALL other traffic types were blocked (INCLUDING NON-IP TRAFFIC)?

Would this be a MAC and/or IP based ACL?

Presumably on either end of the link, as a port-based ACL will only filter inbound?

Would a VLAN map be more extensive? As this is only a temporary situation, I could (I assume) put a switch in between these 2, with a VLAN map applied only on this switch in the middle (to save complications on the "live" switches).

Any pointers would be appreciated.

2 Replies

Marwan ALshawi
VIP Alumni

You could put those hosts in each switch in the same VLAN,

let's say VLAN 10 in switch 1 and switch 2.

Make these ports trunk ports, use the allowed VLANs command to allow only VLAN 10 to pass, and make sure only those hosts are in VLAN 10.

And if you want another level of security you can make a VLAN ACL (VACL) that forwards traffic between those hosts only within VLAN 10.

Good luck.

If helpful, rate.

I can't convert the link between the switches into a trunk. I only have access to the config of 1 switch; also, the hosts are not directly on the other switch - they are accessible through it.

I am dealing with a provider cloud.

As I need to apply this temporarily, I was prepared to put a switch in between the current 2 switches, in order to have control of the interfaces at either end of the link.

Sorry, I didn't explain this before, but I don't think I can create the required effect by VLAN configuration.
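An added example, not from either poster, of the intermediate-switch VLAN map approach discussed above on a Catalyst switch: it forwards only the named host pair's IP traffic and drops everything else, IP and non-IP alike, in both directions (a VLAN map filters all traffic in the VLAN on that switch, so the "port ACL is inbound only" problem does not apply). Assumed: both link ports on the middle switch are access ports in VLAN 10, IOS `vlan access-map` syntax, and that the platform accepts the hex EtherType form in a MAC ACL; ARP is forwarded because the permitted IP traffic cannot cross the link without it.

```cisco
! Only this host pair may talk across the link (both directions).
ip access-list extended PERMIT-HOST-PAIR
 permit ip host 192.168.0.1 host 192.168.100.1
 permit ip host 192.168.100.1 host 192.168.0.1
!
! ARP (EtherType 0x0806) is non-IP but needed for the pair to resolve
! next hops. Hex EtherType form is assumed supported on this platform.
mac access-list extended ARP-ONLY
 permit any any 0x806 0x0
!
! Catch-all for every other non-IP frame (CDP, STP-less L2 protocols,
! IPX, etc.). Without a MAC match clause somewhere in the map, a
! Catalyst VLAN map forwards non-IP packets by default.
mac access-list extended ALL-NON-IP
 permit any any
!
vlan access-map BLOCK-LINK 10
 match ip address PERMIT-HOST-PAIR
 action forward
vlan access-map BLOCK-LINK 20
 match mac address ARP-ONLY
 action forward
vlan access-map BLOCK-LINK 30
 match mac address ALL-NON-IP
 action drop
! IP packets that match no IP clause above are dropped, because the map
! contains at least one IP match clause (Catalyst default-drop rule).
!
vlan filter BLOCK-LINK vlan-list 10
!
! Both sides of the temporary middle switch sit in VLAN 10 as access
! ports, so the map applies to every frame traversing the link.
interface range GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
```

Verify with `show vlan access-map BLOCK-LINK` and `show vlan filter`, and confirm the counters in `show access-lists` move only for the permitted pair while other traffic is generated across the link.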
