Blocking traffic between vlans

jgorman1977
Level 1

I have a guest wireless vlan (50) that connects to a Cisco 3750. I want it to only allow its traffic to vlan (90), which is our firewall. I want to block it from the rest of the vlans.

Can anyone assist?

Accepted Solution

Hi

How many internal vlans other than vlan 50 do you have? I'm assuming that vlan 50 is allowed out through the firewall to any other IP addresses.

Let's say you have 3 internal vlans:

vlan 10 - 192.168.5.0/24
vlan 11 - 192.168.6.0/24
vlan 12 - 192.168.7.0/24

You could use the following access-list:

access-list 101 remark guest vlan 50 (192.168.254.0/24) may not reach the internal vlans
access-list 101 deny ip 192.168.254.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny ip 192.168.254.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.254.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 remark everything else (including vlan 90 / the firewall) is allowed
access-list 101 permit ip 192.168.254.0 0.0.0.255 any
!
! apply inbound on the SVI, i.e. to traffic arriving from hosts in vlan 50
int vlan 50
 ip access-group 101 in

This would stop vlan 50 communicating with any of the other vlans (although your other vlans could still send packets into vlan 50), but would still allow it out via the firewall.

It all depends on how many internal vlans you have.

Jon

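The ACL in Jon's answer can be checked offline before it is applied. The following is an added example, not code from the thread: a small Python evaluator that implements Cisco's top-down first-match, wildcard-mask and implicit-deny semantics and runs ACL 101 against constructed sample flows. The firewall subnet 192.168.90.0/24 is an assumption, since the thread never states vlan 90's addressing.

```python
import ipaddress
from typing import List, Optional, Tuple

# Jon's ACL 101, in order. A Cisco numbered ACL is evaluated top-down,
# the first matching entry wins, and an unmatched packet hits the
# implicit "deny ip any any" at the end of the list.
ACL_101 = [
    ("deny",   "192.168.254.0", "0.0.0.255", "192.168.5.0", "0.0.0.255"),
    ("deny",   "192.168.254.0", "0.0.0.255", "192.168.6.0", "0.0.0.255"),
    ("deny",   "192.168.254.0", "0.0.0.255", "192.168.7.0", "0.0.0.255"),
    ("permit", "192.168.254.0", "0.0.0.255", "any", None),
]

def wildcard_match(addr: str, base: str, wildcard: Optional[str]) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl: List[tuple], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching entry); index None means implicit deny."""
    for i, (action, sbase, swild, dbase, dwild) in enumerate(acl):
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action, i
    return "deny", None

# Constructed sample flows, as seen inbound on "int vlan 50".
# 192.168.90.0/24 for the firewall vlan is an assumption (not stated in the thread).
SAMPLE_FLOWS = [
    ("192.168.254.10", "192.168.5.20"),   # guest -> vlan 10: denied by entry 0
    ("192.168.254.10", "192.168.90.1"),   # guest -> firewall vlan 90: permitted
    ("192.168.254.10", "203.0.113.5"),    # guest -> Internet via firewall: permitted
    ("10.50.0.7",      "203.0.113.5"),    # guest host outside 192.168.254.0/24: implicit deny
]

def audit(acl=ACL_101, flows=SAMPLE_FLOWS):
    """Evaluate every sample flow; useful for confirming intent before deploying."""
    return {(s, d): evaluate(acl, s, d) for s, d in flows}

if __name__ == "__main__":
    for (s, d), (action, idx) in audit().items():
        where = f"entry {idx}" if idx is not None else "implicit deny"
        print(f"{s:>16} -> {d:<16} {action:6} ({where})")
```

The last sample flow shows the edge case worth checking: a guest host whose address is not in 192.168.254.0/24 matches no entry at all and is dropped by the implicit deny, so the source range in the ACL must match the guest vlan's real subnet.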

4 Replies

Edison Ortiz
Hall of Fame

I'm confused on the syntax. I created a VACL to match 192.168.254.0 (guest vlan) to any and forward to vlan 90 (firewall vlan) only. I then lost internet connectivity on the internal network.


I implemented the ACLs, but am still able to browse the internal network. Any suggestions on what I may have missed?
