How do I prevent vlans from accessing each other?

Unanswered Question
Dec 12th, 2008

Hello all,

If I have multiple vlans on layer 3 switches and one of the vlans I don't want any other vlans to access it. How do I set it up?

thank you very much in advance for your help!

Gene

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Fri, 12/12/2008 - 13:45

Gene

Assuming vlan 10,11,12 are normal vlans & vlan 20 is the vlan you want to restrict access to

vlan 10 = 192.168.5.0/24

vlan 11 = 192.168.6.0/24

vlan 12 = 192.168.7.0/24

vlan 20 = 192.168.20.0/24

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 101 permit ip any 192.168.20.0 0.0.0.255

int vlan 20

ip access-group 101 out

Note that there is a "permit ip any 192.168.20.0 0.0.0.255" at the end of the access-list. This is to allow

any other traffic from other sources and also to allow any return traffic to vlan 20.

So this access-list would stop vlan 10,11,12 accessing any device on vlan 20. But it wouldn't stop vlan 20 device

connecting to vlan 10,11,12 devices. Key thing is the connection would have to be intiated from vlan 20 device.

Jon

gpan667788 Fri, 12/12/2008 - 13:59

Hi Jon,

Thank you very much for the solution. I will test it out.

Regards,

Gene

kj.stjernqvist Sun, 12/14/2008 - 02:56

Hi,

You say, in the last statement, that vlan 20 would be able to access devices on vlan 10,11 and 12. That is not entirely true. Devices on vlan 20 would be able to send UDP traffic to vlan 10,11, and 12 but if you try with TCP traffic the devices on vlan 20 would not be able to complete their 3-way-handshake becouse all returning traffic would be denied. (Cisco ACLs are not statefull) If you want want vlan 20 to be able to access devices on vlan 10,11 and 12 using TCP,you would have to add:

access-list 101 permit tcp any 192.168.20.0 0.0.0.255 established

at the top of your ACL.

If you want to block ALL traffic to and from vlan 20 you could simply do the following.

access-list 101 deny ip any any

or

access-list 1 deny any

int vlan 20

ip access-group 1 (or 101) out

Regards,

Karl-Johan

Jon Marshall Sun, 12/14/2008 - 04:48

Karl-Johan

"but if you try with TCP traffic the devices on vlan 20 would not be able to complete their 3-way-handshake becouse all returning traffic would be denied"

Very good point and thanks for pointing out. I was trying to point out that a packet sent from vlan 20 would still get through to the other vlans but as you say TCP connection would fail due to the return traffic.

Jon

Jerry.Acosta Fri, 10/19/2012 - 08:00

hi.. let me try this codes then... i have a project tomorrow that really needs this access listing mechanism that prevents other vlans from entering the IT vlan...

testing it now in packet tracer...

Actions

This Discussion