Confused by VLAN

Jerry,

You mention that A,B,C & D are devices. Then you suggest that "B" attach to both VLAN 1 & VLAN 2. This would not be possible unless there were two seperate interfaces (physical or logical) in device "B".

- the same problem exists with device "C".

IF both "B" and "C" have two interfaces on different subnets as well as different VLANs - AND there is no router between said subnets/VLANs, then what you propose may work.

If A,B,C & D are on the same subnet, then seperating them with VLAN's is not the way to do it. - You might want to look into an IOS command "port protected"

J.Cottingim

or try private vlans

I don't think either "port protected" or private VLAN will solve your equation. You MAY have to do some combination of private VLAN and "port protected". But I doubt that would work either.

The easiest/clearest solution in my opinion would be to have [at minimum] 2 subnets and use a router (or firewall) to limit exposure. - Subnet 1 would contain A & B - Subnet 2 would contain C & D

your ACLs should look something this:

access-list 1 deny ip host A host D access-list 1 deny ip host B host D access-list 1 permit ip any any

access-list 2 deny ip host C host A access-list 2 permit ip any any

apply ACL 1 to the incomming traffic on the interface facing A & B. apply ACL 2 to the incomming traffic on the interface facing C & D.

J.Cottingim