networking-forum.com

All times are UTC - 6 hours [ DST ]



PostPosted: Fri May 18, 2012 7:20 pm
New Member | Joined: Fri May 18, 2012 6:57 pm | Posts: 3 | Certs: CCNA
Hey networking-forum,

I have a bunch of hosts connected to a layer 3 switch.

host 1 (192.168.1.1) -----> Switch <------- host 2 (192.168.1.2)
                               |
                               |
                     Internet/Management

I want the hosts to be able to access the internet, but not be able to see/communicate with each other. Management would also like to be able to access the hosts. I have configured a static route from the switch to the internet/management. I am restricting the hosts' access to each other by applying an ACL that denies all traffic coming from 192.168.1.0/24 and attempting to access 192.168.1.0/24. I have not disabled all broadcasts, as I know that ARP and DHCP will not be able to function if I do.

Here is my stupid question:
Is there any other traffic, other than ARP and DHCP/RADIUS, that should be broadcasting through this switch/subnet? Will something terrible happen if I apply an ACL that blocks all broadcasts, except for ARP and DHCP/RADIUS requests?

Thank you for your time,
Seanny


PostPosted: Fri May 18, 2012 10:35 pm
Post Whore | Joined: Mon Feb 08, 2010 9:30 am | Posts: 1172 | Location: Santiago, Chile | Certs: CCENT, CCNA, CCNP Route
Unless you are doing some MAC ACLs (and I don't know if that would work either), you are not going to block the broadcast traffic between the hosts, since they are in the same broadcast domain (VLAN). You should configure different VLANs; that way the broadcast traffic is isolated.

About your question, a packet capture may give you a clue about what other broadcast traffic the hosts are generating (maybe you are going to see some SMB or SSDP crap).


PostPosted: Sat May 19, 2012 2:43 am
Member | Joined: Fri Apr 29, 2011 8:26 pm | Posts: 179 | Location: Dallas | Certs: CCNP, CCIP, JNCIA, M&M, PB&J, etc.
Private VLAN?

Not what your question is asking but worth considering.
http://www.cisco.com/en/US/tech/tk389/t ... acad.shtml

There's a dude on this forum offering up free access to switches, if you want to test first.


PostPosted: Mon May 21, 2012 12:35 pm
New Member | Joined: Mon May 21, 2012 12:29 pm | Posts: 1 | Certs: CCNA
Hi,
you can simply give the command PROTECTED on each port.
After doing that, both ports will not be able to communicate with each other.
The command is something like this:
Switch(config-if)# switchport protected

regards
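A worked configuration for the protected-port approach, added here as an example; it is not the poster's configuration and not from the thread. It assumes a single Catalyst switch with the two hosts on Gi0/1 and Gi0/2, the uplink toward the internet/management network on Gi0/24, everything in VLAN 10, the switch's own SVI as gateway at 192.168.1.254 and a DHCP server at 10.0.0.10 reached through a relay (all of these are assumptions).

```cisco
! Added example, not from the thread. Interface names, VLAN ID and addresses
! are assumptions.
vlan 10
 name HOSTS
!
! Host-facing ports. A protected port never forwards unicast, multicast or
! broadcast frames (ARP included) to another protected port on the same switch.
interface range GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
! The uplink stays unprotected, so every host can still reach the gateway,
! the DHCP relay and management, and management can reach every host.
interface GigabitEthernet0/24
 switchport mode access
 switchport access vlan 10
!
! Gateway for the hosts; DHCP discovers are relayed off the subnet.
interface Vlan10
 ip address 192.168.1.254 255.255.255.0
 ip helper-address 10.0.0.10
 no ip local-proxy-arp
!
! Verify:
!   show interfaces GigabitEthernet0/1 switchport | include Protected
!   -> Protected: true
```

Two checks before relying on this: the isolation is local to one switch, so if Gi0/24 were a trunk to a second switch, hosts on the two switches could still reach each other; and `ip local-proxy-arp` must stay off on the SVI, otherwise the switch answers ARP for same-subnet hosts and routes host 1 to host 2 itself, quietly undoing the port isolation.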


PostPosted: Mon May 21, 2012 4:14 pm
Post Whore | Joined: Fri Nov 13, 2009 5:15 pm | Posts: 1947 | Location: Pittsburgh | Certs: CCIE R&S, CCIP, JNCIA, VCP510
You can do private VLANs, protected ports, MAC ACLs... but if you want to allow specific services and deny specific services, the best practice is to tie it all together with a VLAN ACL (VACL).

http://www.cisco.com/en/US/tech/tk389/t ... _home.html

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!
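The reason the OP's router ACL does nothing here: an ACL on the SVI only sees packets the switch routes, and frames between 192.168.1.1 and 192.168.1.2 are bridged inside the VLAN without ever reaching it. A VACL is attached to the VLAN itself and is applied to bridged and routed packets alike. The following is an added example (not the poster's configuration, not from the thread) that implements the VACL approach from this post against the OP's original question: drop host-to-host traffic and broadcasts, leave ARP and DHCP alone. VLAN 10, the gateway SVI 192.168.1.254 and the helper address 10.0.0.10 are assumptions.

```cisco
! Added example, not from the thread. VLAN ID and addresses are assumptions.
!
! Traffic that must always be forwarded: DHCP in both directions, and anything
! to or from the gateway (routed traffic to the internet/management passes here,
! as do relayed DHCP offers that the SVI sources).
ip access-list extended VACL-ALLOW
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit ip any host 192.168.1.254
 permit ip host 192.168.1.254 any
!
! Host-to-host traffic: anything between two addresses of the subnet (this
! includes the directed broadcast 192.168.1.255), the limited broadcast and
! multicast sourced by a host (NetBIOS/SMB browsing, SSDP, mDNS). Remove the
! multicast line if the hosts legitimately need multicast.
ip access-list extended VACL-HOST-TO-HOST
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 host 255.255.255.255
 permit ip 192.168.1.0 0.0.0.255 224.0.0.0 15.255.255.255
!
! Order matters: the allow list is evaluated first.
vlan access-map HOST-ISOLATION 10
 match ip address VACL-ALLOW
 action forward
vlan access-map HOST-ISOLATION 20
 match ip address VACL-HOST-TO-HOST
 action drop
vlan access-map HOST-ISOLATION 30
 action forward
!
vlan filter HOST-ISOLATION vlan-list 10
!
interface Vlan10
 ip address 192.168.1.254 255.255.255.0
 ip helper-address 10.0.0.10
!
! Verify:
!   show vlan access-map HOST-ISOLATION
!   show vlan filter
```

Traffic routed into the VLAN from management, and replies to it, has one address outside 192.168.1.0/24 and therefore falls through to sequence 30. Two caveats a practitioner should know: `match ip address` clauses never see ARP (it is not IP), so the hosts can still learn each other's MAC addresses, which is exactly the behaviour the OP asked to keep; and this filters IPv4 only, so IPv6 link-local traffic between the hosts is untouched unless you filter it separately.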


PostPosted: Tue May 22, 2012 4:49 pm
Junior Member | Joined: Wed May 09, 2012 10:44 pm | Posts: 66 | Location: RTP, NC | Certs: CCNP
I'd say set up private VLANs, honestly. This way you wouldn't have to worry about ACLs or adding new hosts to the ACL in the future. You can just put them in a VLAN and go.

_________________
http://www.defendingnetworks.com/
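A worked private VLAN configuration for the setup recommended in this post and in the earlier "Private VLAN?" reply, added here as an example; it is not the poster's configuration and not from the thread. It assumes a Catalyst that supports private VLANs (3560 or newer), primary VLAN 100, isolated VLAN 200, the hosts on Gi0/1 and Gi0/2, the uplink on Gi0/24, the switch's own SVI as gateway at 192.168.1.254 and a DHCP server at 10.0.0.10 behind a relay (all assumptions).

```cisco
! Added example, not from the thread. VLAN IDs, interface names and addresses
! are assumptions.
!
! Private VLANs need VTP transparent mode (or VTP version 3).
vtp mode transparent
!
vlan 200
 private-vlan isolated
!
vlan 100
 private-vlan primary
 private-vlan association 200
!
! Host ports: an isolated port only talks to promiscuous ports, never to another
! isolated port, and unlike switchport protected this holds across switches
! that carry the private VLAN over a trunk.
interface range GigabitEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
!
! Uplink to the internet / management / DHCP relay target: promiscuous.
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200
!
! When the L3 switch is the gateway, the SVI lives on the primary VLAN and must
! be mapped to the secondary VLAN, or traffic from the isolated hosts that
! needs routing is dropped.
interface Vlan100
 ip address 192.168.1.254 255.255.255.0
 private-vlan mapping 200
 ip helper-address 10.0.0.10
 no ip local-proxy-arp
!
! Verify:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/1 switchport | include private-vlan
```

New hosts are isolated simply by putting their port into the host association, which is the "put them in a VLAN and go" property the poster describes. As with protected ports, keep `ip local-proxy-arp` off on the SVI, otherwise the gateway will happily route isolated host to isolated host.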


PostPosted: Wed May 23, 2012 2:51 am
Ultimate Member | Joined: Thu Jan 13, 2011 5:10 pm | Posts: 984 | Location: Leeds, UK | Certs: CCIE R&S #38338, CCNP, CCIP
Bear in mind though that private VLANs are only supported on the newer (3560 and newer) Catalyst switches; if the OP is using something like a 3550 then they are SOL (as far as private VLANs go).

_________________
---
David
CCIE R&S #38338, CCIP, CCNP

http://networkbroadcast.co.uk - My Blog
http://twitter.com/davidrothera


PostPosted: Wed May 23, 2012 2:52 am
CCIE #38070 | Joined: Wed Jun 18, 2008 7:49 am | Posts: 12424 | Location: London, UK | Certs: CCIE, CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
switchport protected works on older models.

_________________
www.mellowd.co.uk/ccie/


PostPosted: Wed May 23, 2012 2:56 am
Ultimate Member | Joined: Thu Jan 13, 2011 5:10 pm | Posts: 984 | Location: Leeds, UK | Certs: CCIE R&S #38338, CCNP, CCIP
Yeah, and as long as he wants to keep this setup to one switch only, the OP is OK.

_________________
---
David
CCIE R&S #38338, CCIP, CCNP

http://networkbroadcast.co.uk - My Blog
http://twitter.com/davidrothera


PostPosted: Wed May 23, 2012 7:12 am
Member | Joined: Sun Mar 14, 2010 11:59 am | Posts: 188 | Location: Earth | Certs: CCNP (exp - too busy working to update it)
I have a customer who rents office space to other tenants and gives them internet access as part of the deal. We just set up different VLANs (one for each tenant) and then ran access lists to block VLAN-to-VLAN traffic.

Works great.

Ben
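The one-VLAN-per-tenant design from this post, worked through as an added example (not the poster's configuration, not from the thread). It assumes a /24 per tenant out of 10.100.0.0/16, a management network 10.0.0.0/24 with the DHCP server at 10.0.0.10, and the layer 3 switch as gateway for every tenant VLAN; VLAN IDs, names and addresses are assumptions. The ACL is applied inbound on each tenant SVI, so it only ever evaluates traffic the tenant sends: management may open connections to tenants, tenants may only answer them.

```cisco
! Added example, not from the thread. VLAN IDs, names and addresses are assumptions.
vlan 101
 name TENANT-A
vlan 102
 name TENANT-B
!
ip access-list extended TENANT-A-IN
 remark DHCP to the relay / server
 permit udp any eq bootpc any eq bootps
 remark own gateway (ping, etc.)
 permit ip 10.100.1.0 0.0.0.255 host 10.100.1.1
 remark answers to sessions management opened; stateless, so TCP only
 permit tcp 10.100.1.0 0.0.0.255 10.0.0.0 0.0.0.255 established
 permit icmp 10.100.1.0 0.0.0.255 10.0.0.0 0.0.0.255 echo-reply
 remark no tenant-to-tenant, nothing else toward management
 deny   ip any 10.100.0.0 0.0.255.255
 deny   ip any 10.0.0.0 0.0.0.255
 remark internet for the tenant's own addresses only (drops spoofed sources)
 permit ip 10.100.1.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended TENANT-B-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.100.2.0 0.0.0.255 host 10.100.2.1
 permit tcp 10.100.2.0 0.0.0.255 10.0.0.0 0.0.0.255 established
 permit icmp 10.100.2.0 0.0.0.255 10.0.0.0 0.0.0.255 echo-reply
 deny   ip any 10.100.0.0 0.0.255.255
 deny   ip any 10.0.0.0 0.0.0.255
 permit ip 10.100.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan101
 description Tenant A
 ip address 10.100.1.1 255.255.255.0
 ip access-group TENANT-A-IN in
 ip helper-address 10.0.0.10
!
interface Vlan102
 description Tenant B
 ip address 10.100.2.1 255.255.255.0
 ip access-group TENANT-B-IN in
 ip helper-address 10.0.0.10
!
! Verify:
!   show ip access-lists TENANT-A-IN   (hit counters per line)
!   show ip interface Vlan101 | include access list
```

This only separates tenants from one another; hosts inside one tenant's VLAN still share a broadcast domain, so combine it with protected ports or a private VLAN if those hosts must be isolated too.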


PostPosted: Wed May 30, 2012 5:53 pm
New Member | Joined: Fri May 18, 2012 6:57 pm | Posts: 3 | Certs: CCNA
Thanks for the replies, everyone. I'm sorry that I took so long to get back to the thread.

Unfortunately, I haven't been perfectly honest with you all. You see, there are actually multiple users hanging off of each port because of wireless APs that I cannot control. On the bright side, the APs do provide user isolation.

Logically, I guess the next step is to take control of the APs, but practically, I was thinking that an aggressive anti-broadcast ACL would work.


PostPosted: Fri Jun 01, 2012 12:02 am
Post Whore | Joined: Sun May 15, 2011 4:16 pm | Posts: 1417 | Location: Belgium | Certs: CCNA Security, CCNP
If you want to implement something like this, you'll need full control of the network, indeed.

Personally, I also prefer private VLANs, if the switch supports them. They're easy to understand in the configuration: easy management and troubleshooting.

_________________
http://reggle.wordpress.com

