Solved: VLAN ACL - To separate one vlan from another

noxkrugger · ‎01-29-2008

I have configured intervlan in Multilayer switches. But i need to separate one vlan, vlan 100 from other vlan..but i just allow only subnet on vlan 100 can access the vlan 100..all other subnet in other vlan cannot access it. How the configuration works?

Istvan_Rabai · ‎01-29-2008

Hi,

As far as I understand, you configured inter-vlan routing in a multilayer switch and you want to disable all other vlans to access vlan100 subnet or hosts on vlan100 to access other vlans.

If you configured interface vlan100 with an ip address, then you just have to remove the ip address from interface vlan100 with the "no ip address" command. Then there will be no routing on that interface and vlan100 will be completely isolated from other vlans.

Also, if vlan100 is configured on multiple switches, then you will need to configure a layer2 trunk between the switches that will carry vlan100:

To configure a trunk:

interface gigabitethernet 1/1

switchport

switchport mode trunk

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 100

no shutdown

Configure the trunk on both switches on both sides of a trunk link of course.

Is this what you wanted?

Cheers:

Istvan

View solution in original post

Istvan_Rabai · ‎02-02-2008

Hi,

You can configure VACLs but it may not be a scalable method to achieve your purpose.

From scalability and manageability point of view Cisco recommends to apply security or traffic optimization purpose traffic filtering on layer 3 intefaces in the distribution layer switches.

Therefore I suggest to apply an access-list to the vlan100 interface on your multilayer switch or switches.

If you want to configure VACLs anyway, I would suggest to look at this URL, as I haven't got enough space here to describe it:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

Cheers:

Istvan

View solution in original post

Istvan_Rabai · ‎01-29-2008

Hi,

As far as I understand, you configured inter-vlan routing in a multilayer switch and you want to disable all other vlans to access vlan100 subnet or hosts on vlan100 to access other vlans.

If you configured interface vlan100 with an ip address, then you just have to remove the ip address from interface vlan100 with the "no ip address" command. Then there will be no routing on that interface and vlan100 will be completely isolated from other vlans.

Also, if vlan100 is configured on multiple switches, then you will need to configure a layer2 trunk between the switches that will carry vlan100:

To configure a trunk:

interface gigabitethernet 1/1

switchport

switchport mode trunk

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 100

no shutdown

Configure the trunk on both switches on both sides of a trunk link of course.

Is this what you wanted?

Cheers:

Istvan

noxkrugger · ‎01-31-2008

HI

Thanks for the info..But if I dont config the IP adrress at int vlan 100, how come the client of the vlan 100 will choose their gateway to coming out..supposely to ave ip on the int vlan 100.. i need to block the incoming traffic and outgoing traffic from vlan 2,3,4,5 to vlan 100 and allow only vlan 11 to communicate with vlan 100.

how to achieve that using vlan access-map or VACL?

Istvan_Rabai · ‎02-02-2008

Hi,

You can configure VACLs but it may not be a scalable method to achieve your purpose.

From scalability and manageability point of view Cisco recommends to apply security or traffic optimization purpose traffic filtering on layer 3 intefaces in the distribution layer switches.

Therefore I suggest to apply an access-list to the vlan100 interface on your multilayer switch or switches.

If you want to configure VACLs anyway, I would suggest to look at this URL, as I haven't got enough space here to describe it:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

Cheers:

Istvan