 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  "Monowall Support List" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Isolating users with managed switch
 Date:  Sun, 15 Jul 2007 15:14:34 -0400
On 7/15/07, A dot L dot M dot Buxey at lboro dot ac dot uk <A dot L dot M dot Buxey at lboro dot ac dot uk> wrote:
> Hi,
>
> > I want to isolate users (block NetBIOS so comps can't see each other, or use
> > VLANs somehow).
> >
> > I know if I want to do it with a regular wired network I need to use a managed
> > switch, but I never used them, so what function will I need to block
> > NetBIOS? How can I set up VLANs to achieve the same results? Any particular models
> > for cheap prices?
>
> if you use VLANs you can simply put each user on a different one and
> not allow them to talk at the router. a simpler way is to just use
> a decent switch that has private VLAN or port separation function, e.g.
> Cisco 2950/2960 series which has 'switchport protected' so hosts
> can't see each other directly through the switch...or at all if you
> decide so at the VLAN termination/router.

Yeah that's also what I would recommend, PVLAN if you have Cisco
switches or others that support the same.

Alternatively, you could create a unique VLAN for every single port,
but that'd be a real pain to set up.

http://www.cisco.com/warp/public/473/63.html
"The PVLAN edge (protected port) is a feature that has only local
significance to the switch, and there is no isolation provided between
two protected ports located on different switches. A protected port
does not forward any traffic (unicast, multicast, or broadcast) to any
other port that is also a protected port in the same switch.
Therefore, it provides isolation. Traffic cannot be forwarded between
protected ports at Layer 2. All traffic passing between protected
ports must be forwarded through a Layer 3 device."

-Chris
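As an added example (not part of the original message, and not taken from Cisco's documentation), this is what the 'switchport protected' setup from the thread looks like on a Catalyst 2950/2960 access switch: the user ports are protected, and the uplink toward the m0n0wall box is left unprotected so every user can still reach the router while user-to-user traffic can only get there via Layer 3. The interface names and VLAN 10 are assumptions.

```cisco
! Added example: PVLAN edge (protected ports) on a Catalyst 2950/2960.
! Interface names and VLAN 10 are assumed; adjust to your switch.
!
! User-facing ports. A protected port forwards no unicast, multicast or
! broadcast frames (NetBIOS name queries and browser announcements included)
! to any other protected port on the same switch.
interface range FastEthernet0/1 - 24
 description user port (isolated)
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Uplink to m0n0wall. Deliberately NOT protected: protected ports can still
! talk to it, so all user-to-user traffic must go through the firewall,
! where m0n0wall rules can drop it entirely.
interface GigabitEthernet0/1
 description uplink to m0n0wall
 switchport mode access
 switchport access vlan 10
!
end
```

Check it with `show interfaces FastEthernet0/1 switchport` and look for the `Protected: true` line. Keep the caveat from the Cisco text above in mind: the feature is local to one switch, so if a second access switch is daisy-chained off this one, a protected port on switch A can still reach a protected port on switch B; the only way to isolate hosts across switches with this feature is to have each switch uplink directly to the router (or use real private VLANs, or a VLAN per port).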