Solved: VLAN ACL - To separate one vlan from another

noxkrugger · ‎01-29-2008

I have configured intervlan in Multilayer switches. But i need to separate one vlan, vlan 100 from other vlan..but i just allow only subnet on vlan 100 can access the vlan 100..all other subnet in other vlan cannot access it. How the configuration works?

Collin Clark · ‎01-31-2008

Create the layer 3 interface for VLAN 100 then. Let's assume that the IP subnet for vlan 100 is 192.168.100.0 /24, VLAN 2 is 192.168.2.0 /24, etc.

I would create an ACL and apply it to the layer 3 VLAN interface.

access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 deny ip any any log

Apply in

access-list 102 permit ip 192.168.100.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 102 deny ip any any log

Apply out

This is just one way to do it.

View solution in original post

Collin Clark · ‎01-29-2008

Don't put a layer 3 address on VLAN 100.

noxkrugger · ‎01-31-2008

HI

Thanks for the info..But if I dont config the IP adrress at int vlan 100, how come the client of the vlan 100 will choose their gateway to coming out..supposely to ave ip on the int vlan 100.. i need to block the incoming traffic and outgoing traffic from vlan 2,3,4,5 to vlan 100 and allow only vlan 11 to communicate with vlan 100.

how to achieve that using vlan access-map or VACL?

Collin Clark · ‎01-31-2008