Blocking traffic between vlans

Answered Question
Dec 11th, 2007

I have a guest wireless vlan (50) that connects to a Cisco 3750. I want it to only allow its traffic to vlan (90), which is our firewall. I want to block it from the rest of the vlans.


Can anyone assist?

Correct Answer by Jon Marshall about 9 years 7 months ago

Hi

How many internal vlans other than vlan 50 do you have? I'm assuming that vlan 50 is allowed out through the firewall to any other IP addresses.

Let's say you have 3 internal vlans:

vlan 10 - 192.168.5.0/24
vlan 11 - 192.168.6.0/24
vlan 12 - 192.168.7.0/24

You could use the following access-list:

access-list 101 deny ip 192.168.254.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.254.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.254.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip 192.168.254.0 0.0.0.255 any

int vlan 50
ip access-group 101 in

This would stop vlan 50 from communicating with any of the other vlans (although your other vlans could still send packets into vlan 50), but would still allow it out via the firewall.

It all depends on how many internal vlans you have.

Jon
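As an added illustration, not code from the thread: a small Python model of the ACL above that parses the wildcard-mask entries, applies first-match semantics with the implicit deny at the end, and then lists which internal subnets a guest address can still reach. The 192.168.8.0/24 subnet in the final check is a constructed extra subnet, there to show that any internal range without its own deny line falls through to the final permit.

```python
import ipaddress

# The access-list lines from the answer above, used here as the sample input
ACL_101 = """
access-list 101 deny ip 192.168.254.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.254.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.254.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip 192.168.254.0 0.0.0.255 any
"""

def read_address(tokens, i):
    """Parse one address field at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Wildcard mask: a 1 bit means "don't care", so invert it to get a netmask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def parse_acl(text):
    """Return [(action, src_net, dst_net)] in the order the switch tests them."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()  # access-list <n> <permit|deny> ip <src> <dst>
        src, i = read_address(tokens, 4)
        dst, _ = read_address(tokens, i)
        entries.append((tokens[2], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def reachable_internal(entries, guest_ip, internal_subnets):
    """Internal subnets a guest host can still reach: a subnet with no deny
    entry falls through to the final 'permit ... any', so list it as a gap."""
    leaks = []
    for subnet in internal_subnets:
        first_host = ipaddress.IPv4Network(subnet).network_address + 1
        if evaluate(entries, guest_ip, str(first_host)) == "permit":
            leaks.append(subnet)
    return leaks

# Sample check: 192.168.8.0/24 is a constructed subnet the ACL above does not cover
acl = parse_acl(ACL_101)
print(evaluate(acl, "192.168.254.10", "192.168.5.20"))  # deny
print(evaluate(acl, "192.168.254.10", "203.0.113.5"))   # permit (out via the firewall)
print(reachable_internal(acl, "192.168.254.10", ["192.168.5.0/24", "192.168.8.0/24"]))
```

Running the last check against the full list of internal subnets is a quick way to confirm every one of them has a matching deny entry before the ACL goes on the SVI.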

jgorman1977 Tue, 12/11/2007 - 12:40

I'm confused on the syntax. I created a vacl to match 192.168.254.0 (guest vlan) to any and forward to vlan 90 (firewall vlan) only. I then lost internet connectivity on the internal network.


jgorman1977 Wed, 12/12/2007 - 10:33

I implemented the ACLs, but am still able to browse the internal network. Any suggestions on what I may have missed?
