I would like to block ping within the same network. We have a Guest Network, 10.x.x.x/24, and we don't want the computers on it to be able to contact each other. We don't have a firewall and can only use routers. Could someone tell me how I do that? Should I use an ACL, and how? Or do we need a route map, and how?
Any help will be appreciated.
The problem is that none of the traffic between devices on the same VLAN will traverse the router. Since they are on the same VLAN / IP subnet, all traffic will stay on the switch.
The only thing I can think of right now is to configure router-on-a-stick with multiple /30 sub-interfaces on the router interface connecting to the switch. With a /30 you can have two hosts per network: one for the guest device and one for its default gateway, i.e. the router sub-interface. You'd then use an ACL to prevent each /30 from talking to the others.
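As an added example (my own, not the poster's configuration), here is what the /30-per-guest router-on-a-stick design above looks like in Cisco IOS syntax. Everything named here is assumed: the router's GigabitEthernet0/0 is trunked to the switch, one VLAN (101, 102, ...) and one /30 carved out of 10.0.0.0/24 is used per guest, and each guest's switch port is an access port in its own VLAN.

```cisco
! ===== Router side =====
! Physical interface toward the switch: carries the 802.1Q trunk, no IP of its own
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
! One sub-interface (one VLAN, one /30) per guest. The router holds the first
! usable address of each /30 and is that guest's default gateway.
interface GigabitEthernet0/0.101
 description guest 1 (host is 10.0.0.2/30)
 encapsulation dot1Q 101
 ip address 10.0.0.1 255.255.255.252
 ip access-group GUEST-ISOLATE in
!
interface GigabitEthernet0/0.102
 description guest 2 (host is 10.0.0.6/30)
 encapsulation dot1Q 102
 ip address 10.0.0.5 255.255.255.252
 ip access-group GUEST-ISOLATE in
!
! ... repeat per guest; a /24 yields 64 /30s, so at most 64 guests this way
!
! Applied inbound on every guest sub-interface: any packet sourced from the
! guest block and destined to the guest block (ping included) is dropped.
! Everything else, e.g. toward the Internet, is routed normally.
ip access-list extended GUEST-ISOLATE
 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip any any

! ===== Switch side (assumed layout) =====
! Trunk to the router; the per-guest VLANs must exist on the switch.
interface GigabitEthernet1/0/1
 description trunk to router
 switchport mode trunk
!
! Each guest port is an access port in that guest's VLAN.
interface GigabitEthernet1/0/2
 description guest 1
 switchport mode access
 switchport access vlan 101
!
interface GigabitEthernet1/0/3
 description guest 2
 switchport mode access
 switchport access vlan 102
```

Check that the ACL is attached with `show ip interface GigabitEthernet0/0.101` and watch the hit counters in `show access-lists GUEST-ISOLATE` while one guest pings another. Note that the `deny` also covers the router's own sub-interface addresses, so a guest cannot ping its gateway either; if you need that, put a `permit icmp` to the gateway address above the `deny`. Some switch platforms also require `switchport trunk encapsulation dot1q` before `switchport mode trunk`.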
Are you asking if you can use policy routing instead of /30s? If so, the answer is no. Per my previous comment, the traffic isn't even going to hit the router if all devices use a /24.
PVLAN is the right solution. Unfortunately, you can't do this. Whatever solution you come up with won't be pretty/optimal.
I found a switch that has a private VLAN option. Now here is the design:
Router --- connect to Switch1 --connect to Switch2 --connect to AP
I am going to configure the Switch2 port that is connected to the AP as isolated, so it should work, I believe.
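As an added example (mine, not the poster's configuration), this is the private-VLAN part of the design above in Cisco Catalyst IOS syntax. It assumes Switch2 is the PVLAN-capable switch, that VLAN 100 (primary) and VLAN 101 (isolated) are free, that GigabitEthernet1/0/1 is the uplink toward Switch1 and the router, and that GigabitEthernet1/0/24 is the port to the AP; all of those names and numbers are assumptions.

```cisco
! Private VLANs require the switch to be in VTP transparent mode (VTP v1/v2)
vtp mode transparent
!
! The primary VLAN is what the uplink (and so the router) sees;
! the isolated secondary VLAN is where the guest-facing ports live.
vlan 100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 private-vlan isolated
!
! Uplink toward Switch1 / the router: promiscuous, so it can talk to every
! port in the isolated VLAN. This is the only way guests reach the gateway.
interface GigabitEthernet1/0/1
 description uplink to Switch1 / router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Port to the guest AP: an isolated host port. Isolated ports can only
! reach promiscuous ports, never each other, and this is enforced at L2,
! so ARP and ping between isolated ports are blocked as well.
interface GigabitEthernet1/0/24
 description guest AP
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

Verify with `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/24 switchport`. The promiscuous uplink behaves like an access port in VLAN 100 toward Switch1, so the Switch1 port facing Switch2 goes in the guest VLAN as before. One caveat a practitioner should keep in mind: isolation is per switch port. Two wireless clients on the same AP are bridged by the AP itself and their traffic never reaches Switch2, so the AP's own client-isolation setting (the name varies by vendor) has to be enabled too; the isolated port only stops the AP from reaching other isolated ports on the switch.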