VLAN ACL - To separate one vlan from another

Answered Question
Jan 29th, 2008

I have configured inter-VLAN routing on multilayer switches. But I need to separate one VLAN, VLAN 100, from the other VLANs. I want to allow only the subnet on VLAN 100 to access VLAN 100; all other subnets in other VLANs must not be able to access it. How does the configuration work?

Correct Answer by s.arunkumar about 9 years 2 months ago

Yes, you are right regarding the gateway.

VACLs can be used for controlling traffic within a VLAN as well as traffic flowing into and out of a VLAN.

For configuration, refer to


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html#wp1053799


arun

Kevin Dorrell Wed, 01/30/2008 - 02:54

If you want to isolate VLAN 100 from the other VLANs, you can do that simply by not having a layer-3 entity for it.


no int vlan 100


BTW, a VLAN ACL is for filtering traffic within a VLAN, i.e. VLAN 100 to VLAN 100. I don't think that is what you were asking about, was it?


Have I understood your question correctly?


Kevin Dorrell

Luxembourg


a.cruea1980 Wed, 01/30/2008 - 06:45

I would be inclined to disagree.


VACLs can filter inter-VLAN traffic quite easily. We do it here where I work, and I also do the same at home.

That said, they can obviously be used intra-VLAN, too.

So to answer the OP: yes, you could simply create a VACL to block traffic from one VLAN to another. A simple statement like (IOS, not CatOS):


deny ip vlan100subnet targetvlansubnet


would work. You would apply that inbound on the VLAN interface.

Kevin Dorrell Wed, 01/30/2008 - 06:49

Yes, thinking about it, you are probably right. If you consider the SVI as just another port on the VLAN, then I guess the VACL would filter inter-VLAN traffic as well as intra-VLAN. Thanks, I shall try it out next time I have an opportunity.


Kevin Dorrell

Luxembourg


noxkrugger Thu, 01/31/2008 - 12:37

Hi

Thanks for the info. But if I don't configure the IP address on int vlan 100, how will the clients in VLAN 100 choose their gateway to get out? It is supposed to have an IP on int vlan 100. I need to block the incoming and outgoing traffic between VLANs 2, 3, 4, 5 and VLAN 100, and allow only VLAN 11 to communicate with VLAN 100.

How do I achieve that using a VLAN access-map or VACL?

Can you show me an example?


Tq

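A worked VLAN access-map for the requirement in the post above (only VLAN 11 may talk to VLAN 100; VLANs 2 to 5 are blocked in both directions), built on the `deny ip vlan100subnet targetvlansubnet` idea from a.cruea1980's reply while keeping the SVI on VLAN 100 so hosts still have a gateway. This is an added example, not configuration posted in the thread; the subnets 10.0.11.0/24 and 10.0.100.0/24 and the ACL and map names are constructed placeholders.

```cisco
! Added example (IOS, not CatOS). Placeholder addressing, constructed for this example:
!   VLAN 11  = 10.0.11.0/24   (the only other VLAN allowed to reach VLAN 100)
!   VLAN 100 = 10.0.100.0/24  (the protected VLAN; interface Vlan100 keeps its IP as gateway)
!
! 1. Traffic that is allowed to exist inside VLAN 100 (wildcard 0.0.0.255 = /24).
ip access-list extended VLAN100-ALLOWED
 remark hosts in VLAN 100 talking to each other, including to the SVI gateway address
 permit ip 10.0.100.0 0.0.0.255 10.0.100.0 0.0.0.255
 remark VLAN 11 -> VLAN 100: routed packets appear inside VLAN 100 after the SVI forwards them
 permit ip 10.0.11.0 0.0.0.255 10.0.100.0 0.0.0.255
 remark VLAN 100 -> VLAN 11: checked while the packet is still in VLAN 100, before the SVI
 permit ip 10.0.100.0 0.0.0.255 10.0.11.0 0.0.0.255
!
! 2. Everything else that carries an IP header (VLANs 2,3,4,5 in either direction).
ip access-list extended ANY-IP
 permit ip any any
!
! 3. The access map: forward what VLAN100-ALLOWED permits, drop all remaining IP.
!    The drop is written explicitly against ANY-IP rather than as a match-less entry,
!    so only IP packets are selected; ARP has no IP header and is not matched by an
!    "ip" clause, which is what lets VLAN 100 hosts still resolve their gateway
!    (platform default for unmatched packet types; verify on your switch model).
vlan access-map VLAN100-FILTER 10
 match ip address VLAN100-ALLOWED
 action forward
vlan access-map VLAN100-FILTER 20
 match ip address ANY-IP
 action drop
!
! 4. Apply to VLAN 100 only. A VACL has no in/out direction: every packet bridged
!    or routed within VLAN 100 is inspected, so VLANs 2-5 are cut off both ways.
vlan filter VLAN100-FILTER vlan-list 100
!
! Verify the map and where it is applied:
show vlan access-map VLAN100-FILTER
show vlan filter
```

Before applying it, list any shared services VLAN 100 hosts depend on that live in other VLANs (DHCP relay, DNS, NTP) and add matching permit lines to VLAN100-ALLOWED, otherwise sequence 20 drops them. Test from a host in VLAN 11 (reachable) and a host in VLAN 2 (unreachable) in both directions, and compare the counters in `show vlan filter` output with what you expect.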