HPE Aruba Networking & ProVision-based

miken32
Occasional Advisor

Source port filtering with STP

In smaller networks we've successfully used source port filtering to prevent client-client communication. Packets to all ports except the uplink are dropped, and all is well.


In a larger network, where we use spanning tree to provide some redundancy, this strategy fails because traffic has to be allowed to multiple uplink ports. So traffic between clients on the same switch is blocked, but clients on adjacent switches could communicate.


One possibility is an ACL on the client traffic, restricting it to the gateway's MAC address. Unfortunately this would require manual configuration on each switch in the event the gateway ever changes.


Any other solutions to this design problem?

Vince_Whirlwind
Trusted Contributor

Re: Source port filtering with STP

In a larger network, you might have central policy with enforcement on the endpoint, e.g. Windows Firewall.


Doing this on a switch is the sort of thing "Private VLANs" was invented for. Check it out.

Vince_Whirlwind
Trusted Contributor

Re: Source port filtering with STP

Alternatively, each switch can have a subnet/VLAN assigned to it. Traffic between switches will thus have to be routed via your "core", and simple IP-based ACLs can be applied on the VLAN interfaces.

miken32
Occasional Advisor

Re: Source port filtering with STP

Thanks for your thoughts; unfortunately this is a public access network, all BYOD, so I have no idea what's going to get connected to these ports.


I've not heard much about Private VLANs in the HP world, but remember it vaguely from Cisco training years ago. It's essentially a separate VLAN for every port, correct?


A separate VLAN for each switch sounds more promising, although having 60-70 VLANs on the router is not ideal for a simple configuration!


Vince_Whirlwind
Trusted Contributor

Re: Source port filtering with STP

1 VLAN/subnet per floor switch is actually kind of simple, and it has other benefits, but yes, it means creating a VLAN interface for each VLAN/subnet, so it turns into a pretty long config. I think it remains pretty easy to understand and maintain, though.


Private VLANs aren't quite as you describe: they are more like 1 VLAN, lots of ports, but each port can only communicate via the switch uplink port, not with the other ports. Your environment might be a bit big for that to be the most efficient way to do it, though.
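As an added example (my own, not code from any poster in this thread), the following Python model walks through the three designs discussed above: the original post's source-port filtering on single-homed switches, the same filtering on dual-homed switches under spanning tree, and the per-switch VLAN with IP ACLs on the core suggested in the last reply. The topology, port numbers, client names, VLAN numbers, subnets and ACL entries are all constructed for illustration. It also assumes the "core" is a router, so flooded frames stop there, and that the per-switch-VLAN design keeps the source-port filter for isolation between ports of the same switch.

```python
"""Constructed model of source-port filtering vs. per-switch VLANs (example)."""
import ipaddress
from collections import deque


class Switch:
    """clients: port -> client name; uplinks: port -> neighbour ("core" or a
    switch name); vlan: access VLAN of every client port; filters: source-port
    filtering, port -> set of egress ports a frame from that port may use."""

    def __init__(self, name, clients, uplinks, vlan=1, filters=None):
        self.name, self.clients, self.uplinks = name, clients, uplinks
        self.vlan = vlan
        self.filters = filters or {}

    def egress(self, in_port, frame_vlan):
        """Ports a frame arriving on in_port is flooded to."""
        allowed = self.filters.get(in_port)  # None: unfiltered (an uplink)
        out = []
        for p in (*self.clients, *self.uplinks):
            if p == in_port:
                continue
            if allowed is not None and p not in allowed:
                continue  # dropped by the source-port filter
            if p in self.clients and self.vlan != frame_vlan:
                continue  # access port belongs to another VLAN
            out.append(p)
        return out


def l2_reachable(switches, blocked, src_switch, src_port):
    """Clients that receive a broadcast sent by the client on src_port."""
    origin = switches[src_switch]
    frame_vlan = origin.vlan
    reached, seen = set(), set()
    queue = deque([(src_switch, src_port)])
    while queue:
        name, in_port = queue.popleft()
        sw = switches[name]
        for p in sw.egress(in_port, frame_vlan):
            if p in sw.clients:
                reached.add(sw.clients[p])
                continue
            peer = sw.uplinks[p]
            if peer == "core" or frozenset((name, peer)) in blocked:
                continue  # router boundary, or link blocked by STP
            peer_port = next(q for q, n in switches[peer].uplinks.items() if n == name)
            if (peer, peer_port) not in seen:
                seen.add((peer, peer_port))
                queue.append((peer, peer_port))
    reached.discard(origin.clients[src_port])
    return reached


def routed(acl, src_ip, dst_ip):
    """First-match IP ACL on the core's VLAN interfaces; implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "permit"
    return False


def star():
    """Small network: each switch single-homed; filter allows only the uplink."""
    switches = {
        "sw1": Switch("sw1", {1: "A", 2: "B"}, {25: "core"}, 1, {1: {25}, 2: {25}}),
        "sw2": Switch("sw2", {1: "C", 2: "D"}, {25: "core"}, 1, {1: {25}, 2: {25}}),
    }
    return switches, set()


def ring(per_switch_vlan):
    """Three dual-homed edge switches in a ring through the core; STP blocks
    sw2-sw3. Client ports are filtered to the uplinks only, as in the post."""
    def sw(name, clients, uplinks, vlan):
        return Switch(name, clients, uplinks, vlan, {p: set(uplinks) for p in clients})
    v = (lambda n: 100 + n) if per_switch_vlan else (lambda n: 1)
    switches = {
        "sw1": sw("sw1", {1: "A", 2: "B"}, {25: "core", 26: "sw2"}, v(1)),
        "sw2": sw("sw2", {1: "C", 2: "D"}, {25: "sw1", 26: "sw3"}, v(2)),
        "sw3": sw("sw3", {1: "E", 2: "F"}, {25: "sw2", 26: "core"}, v(3)),
    }
    return switches, {frozenset(("sw2", "sw3"))}


# Constructed core ACL: VLAN 10n uses 10.100.n.0/24; client subnets may not
# talk to each other, everything else (gateway-side) is permitted.
CORE_ACL = [
    ("deny", "10.100.0.0/16", "10.100.0.0/16"),
    ("permit", "10.100.0.0/16", "0.0.0.0/0"),
]

if __name__ == "__main__":
    cases = [("star", star()), ("ring, one VLAN", ring(False)),
             ("ring, VLAN per switch", ring(True))]
    for label, (sws, blk) in cases:
        print(f"{label:22} A reaches at L2: {sorted(l2_reachable(sws, blk, 'sw1', 1)) or 'nobody'}")
    print("routed A -> D:", routed(CORE_ACL, "10.100.1.10", "10.100.2.10"))
    print("routed A -> internet:", routed(CORE_ACL, "10.100.1.10", "198.51.100.7"))
```

Running it shows the leak the original post describes: in the single-VLAN ring, A's frame is allowed out the uplink to sw2, arrives there on an unfiltered uplink port and is flooded to C and D, while B on the same switch stays blocked. With a VLAN per switch the same frame finds no access port in its VLAN on sw2, and cross-switch traffic is forced through the core, where one ACL over the summarised client range covers every switch; a gateway change then touches the core only, which was the objection to the per-switch MAC ACL.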