VLAN security

Answered Question
Oct 19th, 2009

I have a requirement to do security on a specific VLAN. Only this segment needs to go out to access some applications.

Can I do it by creating a layer 2 VLAN which would not allow it to mingle with other segments within?

Please advise if this is fine or if there is any other way to do this.


sharma16031981 Mon, 10/19/2009 - 20:03


Use an access list matching your internal host IPs and hosts on the other subnet. You can just allow port-specific access with an extended list.

You need to apply the access list on the L3 interface for that VLAN.


suthomas1 Mon, 10/19/2009 - 22:03

Apparently, we're trying to do away with L3 here and just have an L2 VLAN which would restrict the movement within that VLAN itself. But to further restrict within that VLAN, do we have an option?


Jon Marshall Mon, 10/19/2009 - 22:13

"But to further restrict within that VLAN, do we have an option?"

Yes, you can use VLAN access lists (VACLs), which allow you to control traffic between hosts within the same VLAN. Which switch are you using? If you look at the configuration guide for your switch, there will be examples of using VACLs.
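As an added illustration of the VACL approach (example configuration, not from the thread or from Cisco's guide): a Catalyst IOS VLAN access map that lets hosts in VLAN 10 reach only the application servers over HTTPS and drops host-to-host traffic inside the VLAN. The VLAN number and the addresses (VLAN 10 = 192.168.10.0/24, application servers = 10.20.30.0/24) are constructed for the example.

```cisco
! Added example, not the thread's own configuration. Addresses and
! VLAN number are constructed placeholders; adjust to your network.
!
! ACL 1: traffic the segment is allowed to send (HTTPS to the app
! servers) plus the servers' replies back into the segment. A VACL
! sees bridged traffic in both directions, so the return path must
! be matched explicitly.
ip access-list extended VLAN10-APPS
 permit tcp 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255 eq 443
 permit tcp 10.20.30.0 0.0.0.255 eq 443 192.168.10.0 0.0.0.255
!
! ACL 2: matches any IP packet; used to make the final drop explicit.
ip access-list extended ANY-IP
 permit ip any any
!
! Clauses are evaluated in sequence order and the first match decides.
! Clause 10 forwards the permitted application traffic; clause 20
! drops every other IP packet, which includes traffic between two
! hosts of VLAN 10. Non-IP frames such as ARP are not matched by an
! IP clause and keep flowing, so hosts can still resolve the gateway.
vlan access-map VLAN10-POLICY 10
 match ip address VLAN10-APPS
 action forward
vlan access-map VLAN10-POLICY 20
 match ip address ANY-IP
 action drop
!
! Bind the map to the VLAN; it applies to all traffic bridged in VLAN 10.
vlan filter VLAN10-POLICY vlan-list 10
!
! Verification: confirm the clauses and the VLAN binding took effect.
! show vlan access-map VLAN10-POLICY
! show vlan filter
```

Any other service the hosts legitimately need (DHCP, DNS, management traffic to the switch) must be added to VLAN10-APPS or as its own forward clause before clause 20, or it will be dropped too.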


arumugasamy Tue, 10/20/2009 - 00:36

Thanks for your info.

We already opened the TAC case and they asked to use an ACL to allow only this LMS to poll the device. It is coming from only one device, not from all.

Should I remove all the SNMP config from the switch and re-apply it?

Shall I copy the same config from the working core 01 and apply to the second core 02?

Could you provide the patch URL page?

