Isolate clients on same subnet?

Posted by stefan.at.wpf on Server Fault See other posts from Server Fault or by stefan.at.wpf
Published on 2012-06-03T11:11:27Z Indexed on 2012/06/03 16:42 UTC
Read the original article Hit count: 300

Given n (e.g. 200) clients in a /24 subnet and the following network structure:

client 1 \
.         \
.          switch -- firewall
.         / 
client n /

(in words: all clients connected to one switch and the switch connected to the firewall)

Now by default, e.g. client 1 and client n can communicate directly using the switch, without any packets ever arriving the firewall. Therefore none of those packets could be filtered. However I would like to filter the packets between the clients, therefore I want to disallow any direct communication between the clients.

I know this is possible using vlans, but then - according to my understanding - I would have to put all clients in their own network. However I don't even have that much IP addresses: I have about 200 clients, only a /24 subnet and all clients shall have public ip addresses, therefore I can't just create a private network for each of them (well, maybe using some NAT, but I'd like to avoid that).

So, is there any way to tell the switch: Forward all packets to the firewall, don't allow direct communication between clients? Thanks for any hint!

© Server Fault or respective owner

Related posts about firewall

Related posts about routing