I try to isolate all clients in a VLAN from each other. The clients should only be able to reach the router. On some ports, clients would be connected to the VLAN via third-party WLAN access points.
My first idea was to create a switch rule that matches the VLAN and sets the destination port. But there is the problem that the switches only accept one destination port. But there is more than one, because the Spanning Tree Protocol is enabled.
The second idea is to redirect this VLAN to the CPU. But here all packets are dropped. (The packets don't find the destination. I think I forgot additional configuration.)
The third option is to deactivate hardware offloading on the affected ports. But here there will be a problem with high-traffic VLANs on mixed uplink ports.
The affected VLAN is for IoT, so it is low traffic.
Does anyone have a best practice?
Thank you
Game over. Traffic does not even reach your CRS in this case. Maybe your APs support client isolation. Then it could work together with port isolation on the CRS.
In this case the AP client isolation will not work. Then the switch must do this. In this case I can't use the port isolation, because there are other VLANs that then would not work.
When I used old Cisco 2950s, I created an ACL applied on all distribution ports with wildcard masks. I don't remember exactly, but something like this:
172.26.0.0 0.0.255.255 to 172.26.0.0 0.0.255.255 deny
172.26.0.0 0.0.255.255 to 0.0.0.0 255.255.255.255 allow
Not sure of the syntax, but no traffic is possible between "normally" configured devices, while all external traffic is possible. For sure, if someone uses the L2 VLAN and adds other addresses, it's possible...
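As an added example (not part of the thread, and not the poster's actual configuration), the following Python script models Cisco wildcard-mask matching and walks a constructed set of flows through an ACL in the spirit of the one described above. Two things are assumptions of this example, not from the thread: the gateway address 172.26.0.1, and a leading `permit` to that gateway, added because the `deny 172.26/16 -> 172.26/16` line on its own would also block the router the clients are supposed to reach. The last flow shows the gap the reply points out: the ACL keys on addresses, so a peer that configures an address outside 172.26/16 is still reachable.

```python
import ipaddress
from typing import List, Tuple

# Assumed router address for this example; not stated in the thread.
GATEWAY = "172.26.0.1"

# Constructed ACL entries: (src_net, src_wildcard, dst_net, dst_wildcard, action).
# In a Cisco wildcard mask a 1 bit means "don't care", a 0 bit means "must match".
# The first line (permit to the gateway) is an addition for this example, see lead-in.
ACL: List[Tuple[str, str, str, str, str]] = [
    ("0.0.0.0",    "255.255.255.255", GATEWAY,      "0.0.0.0",         "permit"),
    ("172.26.0.0", "0.0.255.255",     "172.26.0.0", "0.0.255.255",     "deny"),
    ("172.26.0.0", "0.0.255.255",     "0.0.0.0",    "255.255.255.255", "permit"),
]


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(src: str, dst: str, acl=ACL) -> str:
    """First matching entry wins; an IOS access list ends with an implicit deny."""
    for src_net, src_wc, dst_net, dst_wc, action in acl:
        if wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc):
            return action
    return "deny"


def _operand(net: str, wc: str) -> str:
    """Render one address/wildcard pair using the IOS 'any' / 'host' shorthands."""
    if wc == "255.255.255.255":
        return "any"
    if wc == "0.0.0.0":
        return f"host {net}"
    return f"{net} {wc}"


def render_ios(entry: Tuple[str, str, str, str, str], number: int = 100) -> str:
    """Render an entry as an IOS extended numbered access-list line."""
    src_net, src_wc, dst_net, dst_wc, action = entry
    return (f"access-list {number} {action} ip "
            f"{_operand(src_net, src_wc)} {_operand(dst_net, dst_wc)}")


if __name__ == "__main__":
    for entry in ACL:
        print(render_ios(entry))
    # Constructed sample flows: (source, destination, what we expect and why).
    flows = [
        ("172.26.1.10", "172.26.2.20", "client to client in the VLAN: denied"),
        ("172.26.1.10", GATEWAY,       "client to router: permitted by the added line"),
        ("172.26.1.10", "8.8.8.8",     "client to the outside: permitted"),
        ("172.26.1.10", "10.0.0.5",    "peer with a self-chosen foreign address: still permitted"),
        ("10.0.0.5",    "172.26.1.10", "foreign source address: implicit deny"),
    ]
    for src, dst, note in flows:
        print(f"{src:>12} -> {dst:<12} {evaluate(src, dst):6} ({note})")
```

The fourth flow is the limit of an address-based ACL: isolation that has to hold regardless of what address a client configures needs a port-level mechanism (the port isolation or AP client isolation discussed earlier in the thread), not an IP filter.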