Viewing and Configuring VLANs

Restricting Layer 2 Traffic Among Clients in a VLAN

By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN’s gateway routers. Clients within the VLAN are not permitted to communicate among themselves directly. To communicate with another client, the client must use one of the specified gateway routers.

You can specify up to four gateway MAC addresses. The addresses must be unicast (not multicast or broadcast).

For networks with IP-only clients, you can restrict client-to-client forwarding using ACLs. Use the Restrict L3 Traffic option. (See “Restricting Layer 3 Traffic Among Clients in a VLAN”.)

1 Access the VLAN table:
  a Select the Configuration tool bar option.
  b In the Organizer panel, click the plus sign next to the WX switch.
  c Click the plus sign next to System.
  d Select VLANs.
2 In the Content panel, select the VLAN.
3 In the Task List panel, select Restrict L2 Traffic.
4 Select Restrict L2 Traffic to enable the feature for the VLAN.
5 Click Create.
6 In a Permitted MAC Address box, edit the address to be the MAC address of the VLAN’s gateway.
7 Click Finish.
8 Click OK.
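
The following Python sketch is an added example, not MSS code or part of the original manual. It checks a list of permitted gateway MAC addresses against the two rules stated above (at most four, unicast only) and models the resulting client-to-client forwarding decision. The function names and the sample addresses are constructed for illustration, and the forwarding model is a simplification that ignores how MSS treats broadcast frames.

```python
import re

MAX_GATEWAYS = 4  # the manual allows up to four permitted MAC addresses
_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")

# Constructed sample addresses (locally administered range), not real devices.
GATEWAY = "02:00:00:00:00:01"
CLIENT_A = "02:00:00:00:0a:01"
CLIENT_B = "02:00:00:00:0a:02"


def parse_mac(text):
    """Return the MAC as 6 bytes, or raise ValueError if it is malformed."""
    s = text.strip().lower()
    if not _MAC_RE.match(s):
        raise ValueError(f"malformed MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split("[:-]", s))


def is_unicast(mac):
    """Unicast addresses have the I/G bit (lowest bit of the first octet) clear.

    Multicast addresses and the broadcast address ff:ff:ff:ff:ff:ff have it set.
    """
    return mac[0] & 0x01 == 0


def validate_permitted(macs):
    """Check a gateway list against the stated rules; return a frozenset of bytes."""
    parsed = [parse_mac(m) for m in macs]
    if len(set(parsed)) > MAX_GATEWAYS:
        raise ValueError(f"at most {MAX_GATEWAYS} gateway MAC addresses are allowed")
    for raw, mac in zip(macs, parsed):
        if not is_unicast(mac):
            raise ValueError(f"{raw} is multicast or broadcast, not unicast")
    return frozenset(parsed)


def l2_forward_allowed(src, dst, permitted):
    """Simplified model: forward only when one end of the frame is a permitted gateway."""
    return parse_mac(src) in permitted or parse_mac(dst) in permitted


if __name__ == "__main__":
    allowed = validate_permitted([GATEWAY])
    print("client -> gateway:", l2_forward_allowed(CLIENT_A, GATEWAY, allowed))
    print("client -> client: ", l2_forward_allowed(CLIENT_A, CLIENT_B, allowed))
```

Running the same validation over a planned gateway list before entering it in the Permitted MAC Address boxes catches a multicast or broadcast address that was pasted by mistake.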