To stop communcation among vlans at L3

itindia · ‎04-24-2008

Hi,

I created vlans on L3(3560) and is able to route the all vlans to internet using a router.

internet...>router(natting)...>Switch(L3 3560 with 5 vlans).

All seems to working fine where i want to use different vlans and access internet.Now 5 vlans created on the L3 are able to access each other as well.Do let me know what all am I missing.

e.g vlan 2 192.168.1.0/24 and Vlan 3 192.168.2.0/24 are able to go internet as ip routing is enabled on the switch and backward route is defined on the router.But user on vlan2 are also able to access vlan3 network,which i don't want.

My first purpose to get all valns to internet has been solved but the second one securing vlan is there.

Please help.

Reg,

Sushil

Jon Marshall · ‎04-24-2008

Sushil

You need to apply acl's to your vlan interfaces eg.

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255

etc for each vlan

access-list 101 permit ip any any

the permit ip any any at the end of the access-list is for internet access.

int vlan 2

ip access-group 101 in

You need to do this for each of your internal vlans.

Jon

ilnaiduccna · ‎04-24-2008

Hi jon,

Sorry for the intrupt, i have one doubt in your post that is you told that

"You need to aply acl's to your vlan interfaces"

Actually ACL's we can define in L3 as per IP's am i right? is it enoughf

sorry if there any mistakes.

Regards,

Naidu.

Jon Marshall · ‎04-24-2008

Naidu

Not sure i understand. The ACL's are using IP addresses but the vlan interfaces are the SVI's (Switched Virtual Interface) which are the L3 interface on a L3 switch.

Jon

itindia · ‎04-24-2008

Hi Jon,

Thanks a lot.Your input solved my problem.

My sincere thanks to you.

Reg,

Sushil

ilnaiduccna · ‎04-24-2008

Jon,

Yes your clear but i just bit confused.

Regards,

Naidu.