Routing between vlans on a Layer-3 switch

vidarellingsen · ‎04-02-2008

Hello,

My scenario is like this:

I have 4 vlans on a switch, 1 outside and 3 inside vlans.

vlan 5 - outside

vlan10 - inside1

vlan20 - inside2

vlan30 - inside3

vlan5 has no ip address assigned, but the 3 others have. What I want to accomplish is that traffic can float between vlan20 and vlan30, and between vlan10 and vlan20. And not between vlan10 and vlan30. How do I accomplish this? With access-lists?

Jon Marshall · ‎04-02-2008

Not 100% sure what you mean by float but presumably you mean allow traffic.

So in short you can do this with access-lists. As an example

vlan 10 = 192.168.5.0/24

vlan 20 = 192.168.6.0/24

vlan 30 = 192.168.7.0/24

For vlan 10

access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 deny ip any any

int vlan 10

ip access-group 101 in

The above config does the following

1) Allows vlan 10 to communicate with vlan 20.

2) Stops vlan 10 communicating with anything else including any outside addresses. Note there is an implicit deny at the end of every access-list so you don't actually need to explicitly put in that second line.

if you wanted to allow vlan 10 talk to vlan 20 and all outside IP addresses but not vlan 30

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 101 permit ip any any

Jon

Tauer Drumond · ‎04-02-2008

If you want permit acess to Internet you must deny first and allow after:

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 101 permit ip any any

int vlan 10

ip access-group 101 out

Regards