VLan Security at the Router

Unanswered Question
Jan 11th, 2008

I'm looking for any example code of the following, I think I know how to handle this, but I'd like to see some kind of example to go by.

I currently have 3 sites. Each site has at least one 3560 switch and each site has a 2800 router (one site has a 2821, one has a 2811, and one has a 2801). Each site is connected to the two others via point-to-point T1 (3 T1s total). Everything is working between them. I also have 4 VLans connected that potentially can already see each other:

1-Native/Cisco Gear



4-Wireless Data

I'd like to add another VLan

9-TV Network

There is one TV appliance at each of our buildings and a computer that sends out data to the appliances. I have the VLan added on each switch and each switch has the port set up correctly. I also have the 3 routers set up correctly so that the computer can see all 3 appliances. What I'm looking for next is how to only allow the appliances to see each other, but deny VLan 9 from accessing any other VLan, with the exception of a single IP address on VLan 2 (the Internet gateway). I think this can be done via access-lists, but I'm open to other suggestions, or looking for an example so I don't accidentally deny all traffic on the router. Thank you!!!

Edison Ortiz Fri, 01/11/2008 - 16:59

I'm assuming you are doing inter-vlan routing on the 3560 switch instead of the 28xx router?

If so, just place the ACL on Vlan 9:

    interface vlan 9
     ! filters traffic entering the switch from VLAN 9 hosts
     ip access-group TV in
    !
    ip access-list extended TV
     ! only this host pair is permitted; everything else is dropped
     permit ip host [single ip address] host [TV appliance]

An implicit deny all will be part of the ACL.




tdorschner Fri, 01/11/2008 - 18:41

Actually, the 28xx router does the inter-vlan routing. I have Call Manager and the 28xx routers contain the interface for the PRI (Phone) and I have Call Manager. If I had just one site, I think managing this on the switch would be very easy, but this v-lan needs to span over the WAN.

VLAN    Site A             Site B             Site C
V1      172.16.11.x/24     172.16.21.x/24     172.16.31.x/24
V2      172.16.1.x/24      172.16.2.x/24      172.16.3.x/24
V3      172.16.12.x/24     172.16.22.x/24     172.16.32.x/24
V4      172.16.13.x/24     172.16.23.x/24     172.16.33.x/24
V9      172.16.201.x/24    172.16.202.x/24    172.16.203.x/24

The IPs to know are:

Site A -
  TV -
  Computer -
  28xx Router -
  Pix Gateway to the Internet - (Vlan 2)

Site B -
  TV -
  28xx Router -

Site C -
  TV -
  28xx Router -

Edison Ortiz Sat, 01/12/2008 - 07:16

I highly recommend moving your inter-vlan routing to the switch. Your network performance (local connectivity) will improve tremendously. Once you make the change, then deploy the desired ACLs.

I don't understand when you mentioned the Vlans need to expand over the WAN. You are routing between locations, not bridging. Your Vlans are being routed over the WAN, so they don't expand; they are announced as routes. You can do the same with having the 3560 as the inter-vlan router. Configure a dynamic routing protocol between the 3560 and 28xx and you are set. Use RIPv2 or EIGRP since they are easier to implement.

If you have any more questions, don't hesitate to post back.
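As an added example (not from either poster), here is the ACL outlined above worked out for Site A using the VLAN addressing from the thread, with the 3560 doing the inter-vlan routing. The PIX gateway address on Vlan 2 and the address of the computer that drives the TV appliances are not given in the thread, so they appear as angle-bracket placeholders; the ACL name TV-V9-IN and the SVI address 172.16.201.1 are also assumed.

```cisco
! Site A, 3560 as inter-VLAN router. Replace <...> placeholders before use.
ip access-list extended TV-V9-IN
 remark Filters traffic ENTERING the switch from VLAN 9 (TV appliances) at Site A.
 remark TV-to-TV traffic inside this site's own VLAN 9 never crosses the SVI,
 remark so this list does not affect it.
 remark --- permitted destinations ---
 remark the single allowed host on Vlan 2 (the Internet gateway)
 permit ip 172.16.201.0 0.0.0.255 host <PIX-GATEWAY-IP-ON-VLAN2>
 remark replies to the computer that sends data to the appliances; without this
 remark a stateless inbound list would drop the appliances' return traffic
 permit ip 172.16.201.0 0.0.0.255 host <CONTROL-COMPUTER-IP>
 remark the TV appliances at the other two sites (VLAN 9 routed over the WAN)
 permit ip 172.16.201.0 0.0.0.255 172.16.202.0 0.0.0.255
 permit ip 172.16.201.0 0.0.0.255 172.16.203.0 0.0.0.255
 remark --- everything else inside 172.16.0.0/16 (V1-V4 at all sites) is dropped ---
 deny   ip 172.16.201.0 0.0.0.255 172.16.0.0 0.0.255.255 log
 remark --- Internet-bound traffic is forwarded toward the gateway's default route;
 remark remove this line if the appliances need only the gateway host itself ---
 permit ip 172.16.201.0 0.0.0.255 any
 remark the implicit deny at the end catches anything not sourced from 172.16.201.0/24
!
interface Vlan9
 description TV Network - Site A
 ip address 172.16.201.1 255.255.255.0
 ip access-group TV-V9-IN in
!
! Check which line traffic is hitting before trusting the list:
!   show ip access-lists TV-V9-IN
! The 'log' keyword on the deny produces a (rate-limited) syslog entry per blocked flow.
```

Sites B and C use the same list with their own VLAN 9 subnet (172.16.202.0/24 or 172.16.203.0/24) as the source and the other two V9 subnets as permitted destinations. Because the list matches top to bottom, the V9 and gateway permits must stay above the 172.16.0.0/16 deny.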





This Discussion