Hello to All
Introduction:
--------------------------
In a network that have several Vlans,we can control communicating between Vlans.
For example, a client in range 192.168.100.0/24 with a client in range 192.168.111.0/24.
Because these clients are in two different Vlans,thus for communicating to each other, they have to pass from router(Make routing).
and it's possible to make any rule in firewall(for example drop port 22)
--------------------------
Now the question:
To prevent clients from communicating belongs to a Vlan What should I do?
For example: The system that have address of 192.168.100.12 can not communicate with the system that have address of 192.168.100.18.
Thank 's much.

It's simple: use single vlan for each devices.

hmmm rextended
i have almost 2500 devices
how it's possible.
2500 dhcp server and vlan!
it's not practical.
Thanks.

I assume you have a bridge configured.
Set use-ip-firewall to yes under bridge settings.

Hi Dear Rudios
I have not a bridge configured.
It's possible to find the answer with bridge?
If yes,How pleases?

But if you do not use bridges, then you probably have a dedicated separate switch connected to the routerboard interfaces for each VLAN/IP segment.
If that is the case, then what you want is impossible because traffic from any 192.168.100.0 system to any other system in that same subnet never traverse the router.
But maybe you can give a brief topology overview.

It's possible to find the answer with bridge?
If yes,How pleases?

hmmm rextended
i have almost 2500 devices
how it's possible.
2500 dhcp server and vlan!
it's not practical.
Thanks.

>>> To prevent clients from communicating

This is absurd....

hmmm rextended
i have almost 2500 devices
how it's possible.
2500 dhcp server and vlan!
it's not practical.
Thanks.

>>> To prevent clients from communicating

This is absurd....

Why is absurd!
assume wanna to prevent a worm in network that published via special port.
this is not a communicating between clients?
Please read whole of post first.

You must reconfigure from zero your network.

It's impossible to block transmisson from one pc to another if they have between only one switch...

I not think you have one unique switch / router with 2500 ethernet ports...

rextended your answers are irrational! Because:
------------------------
Your First answer was:
==>" It's simple:use single vlan for each devices."
and i told that:
{
hmmm rextended
i have almost 2500 devices
how it's possible.
2500 dhcp server and vlan!
it's not practical.
Thanks.
}
------------------------
Your Second Answer was:
==>">>> To prevent clients from communicating
This is absurd...."
and i told that:
{
Why is absurd!
assume wanna to prevent a worm in network that published via special port.
this is not a communicating between clients?
Please read whole of post first.
}
------------------------
Your Third Answer was:
"
1-You must reconfigure from zero your network.
2-It's impossible to block transmisson from one pc to another if they have between only one switch...
3-I not think you have one unique switch / router with 2500 ethernet ports..."
and now i tell that:
{
from your 1 and 2 answer in below:
1-You must reconfigure from zero your network.
2-It's impossible to block transmisson from one pc to another if they have between only one switch...
if [1]it's impossible to block transmission[2]why i must reconfigure my network!
you think your answer is rational?
}
------------------------
you told in second post that "This is absurd...." and then post later!!
if this is absurd why you posted again?
------------------------

It's a joke?

You really think that I waste my time to write one APPROPIATE answer for that?

Do not try to find irractionality on my answer, first search irrationality on your question.

I think you must study IP protocol first, before ask the impossible.

Or you reconfigure ALL your network (substitute all the switch with "router" or similar and/or reconfigure each devices),
or with only one remote routers you can not block any communication between machines, if between machines are only unmanaged switch

And if I misunderstand ANY about your network configuration, remember: you do not have explained how is made.
(Like you "miss" to write: 2500 devices...)

Assuming mousa1983 is not playing expert role but rextended does. Therefore at least on second or third turn should rextended ask for additional information that from his point of view mousa1983 didn't provided.

Maybe we can start all over.
If mousa1983 can post his question(s) again, as clear as possible we can give some helpfull comment.

I have one Cisco 3750 switch,about 20 Cisco 2950/2960.and about 15 Access point in my network.
All switch are managed switch.
in all switch i define VLAN and every thing work properly.
All Access points belong to a vlan.

I have one Cisco 3750 switch,about 20 Cisco 2950/2960.and about 15 Access point in my network.
All switch are managed switch.
in all switch i define VLAN and every thing work properly.
All Access points belong to a vlan.

And what are you trying to achieve?
If you want to block traffic between two clients connected to the same AP/VLAN than I have to disappoint you in saying that it is impossible.
Traffic that flows within one and the same subnet never traverse outside the switch/VLAN it is on, so not router/firewall will be able to intercept the traffic.

I know that clients belong to same VLAN,communicate with each other from layer 2 of OSI Model(Data Link).
and Router(MT) work on Layer 3 of OSI Model(Network).
I Know Basic concepts of network and read some books about it.
But i hoped that maybe there is a method to sole this problem.

When you release information, you can have better answer, (usable or not )

You can create one vlan for each port on cisco switch?

You can block some type of traffic disabling "default forwarding" and/or enabling "ap isolation" on access-point (the name used can change between constructors),
is for preventing communication between two wireless client connected on same access-point.

and also on some access-point are present a sort of firewall.

I have one Cisco 3750 switch,about 20 Cisco 2950/2960.and about 15 Access point in my network.
All switch are managed switch.
in all switch i define VLAN and every thing work properly.
All Access points belong to a vlan.

Like it's already written here - with such setup (only Layer 2 between the end hosts) it will be hard to achieve such a control over Layer 3 parameters. For the platforms mentioned, I don't think it's possible. Cat3750 and Cat 2950 do not have such features. You can filter some traffic base on Layer 2 parameters, but not on Layer 3, and it's because the traffic between the switch ports is switched, not routed.
I've seen that with RouterOS you can enable Firewall Filter on a Bridge interface and there you could filter based not only on Layer 2 parameters, but also on Layer 3.
And with a bridge interface you could associate several physical ports. I haven't so far used Firewall Filter on a bridge interface, so whether it works properly, I cannot say. But it looks like an option. The problem in your case though is that you'll have to restructure your topology completely...