04-09-2009 03:31 AM - edited 03-04-2019 04:18 AM
Hello All,
I have 4 VLANs: Vlan-2 (192.168.2.0/24), Vlan-3 (192.168.3.0/24), Vlan-4 (192.168.4.0/24) and Vlan-5 (192.168.5.0/24).
I'm using a cisco 3750 to do all my layer 3 traffic.
My Network Design:
I have enabled switchport trunk encapsulation dot1q on int fa1/0/2, created the VLANs and allowed all VLANs through interface fa1/0/2.
From fa1/0/2 I connected to an L2 switch, enabled trunking on the L2 switch and associated different ports with different VLANs.
What would be the easiest way to use ACLs to prevent any VLAN from talking to any other VLAN?
Thanks in advance for your help.
04-09-2009 08:26 AM
You don't say what the LAN server address is but assuming it isn't on one of the 4 vlans -
So from the perspective of vlan 2
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip any any
int vlan 2
ip access-group 101 in
and then you need to repeat the above from the perspective of each of your vlans, i.e.
vlan 3
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
etc....
Jon
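As an added example (not part of Jon's answer or the original thread), the script below generates the "one ACL per SVI" policy described above for all four VLANs in one go, and includes a small first-match evaluator so the policy can be checked before it is pasted into the 3750. It uses the VLAN subnets from the question and ACL numbers starting at 101 as in the answer; the DMZ and Internet addresses in the checks are constructed for illustration, and the wildcard parser assumes contiguous masks (fine for /24s).

```python
"""Generate and check per-VLAN 'no inter-VLAN routing' ACLs for a Cisco L3 switch.

Added example, not code from the thread. For every SVI it builds one numbered
extended ACL that denies that VLAN's subnet to each other VLAN subnet, then
'permit ip any any' so the DMZ, LAN server and Internet remain reachable.
"""
import ipaddress

# VLAN-to-subnet mapping taken from the question.
VLANS = {
    2: "192.168.2.0/24",
    3: "192.168.3.0/24",
    4: "192.168.4.0/24",
    5: "192.168.5.0/24",
}


def wildcard(net):
    """Cisco wildcard mask is the bitwise inverse of the subnet mask."""
    return str(net.hostmask)


def build_acls(vlans, first_acl=101):
    """Return {vlan_id: [IOS config lines]}, one ACL per VLAN, applied inbound on its SVI."""
    nets = {vid: ipaddress.ip_network(cidr) for vid, cidr in vlans.items()}
    config = {}
    for acl_num, (vid, src) in enumerate(sorted(nets.items()), start=first_acl):
        lines = []
        for other_vid, dst in sorted(nets.items()):
            if other_vid == vid:
                continue  # same-VLAN traffic is L2-switched and never reaches the SVI ACL
            lines.append(
                f"access-list {acl_num} deny ip "
                f"{src.network_address} {wildcard(src)} "
                f"{dst.network_address} {wildcard(dst)}"
            )
        lines.append(f"access-list {acl_num} permit ip any any")
        lines.append(f"interface vlan {vid}")
        lines.append(f" ip access-group {acl_num} in")
        config[vid] = lines
    return config


def _take_spec(tokens):
    """Consume one address spec ('any' or 'addr wildcard') from the token list.

    Assumption: the wildcard is contiguous (e.g. 0.0.0.255), so its set bits give
    the host-bit count directly.
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wc = tokens[0], tokens[1]
    host_bits = bin(int(ipaddress.ip_address(wc))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False), tokens[2:]


def evaluate(acl_lines, src_ip, dst_ip):
    """First-match evaluation of an IOS extended ACL, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        tokens = line.split()
        if tokens[0] != "access-list":
            continue  # skip the 'interface' / 'ip access-group' lines
        action = tokens[2]  # tokens[3] is the protocol ('ip'); only ip ACEs are generated
        src_net, rest = _take_spec(tokens[4:])
        dst_net, _ = _take_spec(rest)
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny: an ACL with no matching permit drops the packet


if __name__ == "__main__":
    for vid, lines in build_acls(VLANS).items():
        print("\n".join(lines))
        print("!")
    # Constructed check: host in VLAN 2 must not reach VLAN 3 but may reach a DMZ address.
    acl2 = build_acls(VLANS)[2]
    print("2 -> 3 permitted:", evaluate(acl2, "192.168.2.10", "192.168.3.10"))
    print("2 -> DMZ permitted:", evaluate(acl2, "192.168.2.10", "10.10.10.5"))
```

Two caveats worth keeping in mind with this design: an inbound ACL on an SVI only filters traffic that is routed, so hosts inside the same VLAN still reach each other at layer 2, and the trailing permit ip any any lets every VLAN reach anything else that is routed, including the switch's own SVI addresses, not just the DMZ, LAN server and Internet. If the goal later is to allow specific flows between VLANs, add the permit entries above the deny entries for that pair, since evaluation is first-match.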
04-09-2009 03:32 AM
There are various methods. One is to disable L3 in the switch, as it seems you don't need it at all.
04-09-2009 03:37 AM
Hi Bevilacqua.
What will it do? Can you explain, please?
Regards
Kiran Kumar CH
04-09-2009 03:53 AM
Kiran:
Disabling L3 switching on your 3750 will kill all inter-vlan routing functions, as well as routing anywhere else.
If you dont want these vlans to communicate with each other, with whom should they be communicating?
With anyone outside their own vlan?
Victor
04-09-2009 04:02 AM
They should only communicate with the DMZ server, LAN server and Internet, that's it.
Regards
Kiran Kumar CH
04-09-2009 03:40 AM
I would like to use ACLs for this because in future I may allow some traffic to pass through the VLAN.
What would be the easiest way to use ACLs to prevent any VLAN from talking to any other VLAN?