Deny VLAN-VLAN Communication using (explicit rule)

chamakura.kiran
Level 1

Hello All,

I have 4 VLANs: Vlan-2 (192.168.2.0/24), Vlan-3 (192.168.3.0/24), Vlan-4 (192.168.4.0/24) and Vlan-5 (192.168.5.0/24).

I'm using a Cisco 3750 to do all my Layer 3 traffic.

My Network Design:

I have enabled switchport trunk encapsulation dot1q on int fa1/0/2, created the VLANs and allowed all VLANs to pass through interface fa1/0/2.

From fa1/0/2 I connected to an L2 switch, enabled trunking on the L2 switch, and associated different ports with different VLANs.

What would be the easiest way to use ACLs to prevent any VLAN from talking to any other VLAN?

Thanks in advance for your help.


6 Replies

paolo bevilacqua
Hall of Fame

There are various methods. One is to disable L3 in the switch, as it seems you don't need it at all.

Hi Bevilacqua,

What will that do? Can you explain it to me, please?

Regards

Kiran Kumar CH

Kiran:

Disabling L3 switching on your 3750 will kill all inter-VLAN routing functions, as well as routing anywhere else.

If you dont want these vlans to communicate with each other, with whom should they be communicating?

With anyone outside their own vlan?

Victor

They should only communicate with the DMZ server, the LAN server and the Internet, that's it.

Regards

Kiran Kumar CH

I would like to use ACLs for this because in the future I may allow some traffic to pass between the VLANs.

What would be the easiest way to use ACLs to prevent any VLAN from talking to any other VLAN?

You don't say what the LAN server address is, but assuming it isn't on one of the 4 VLANs -

So from the perspective of VLAN 2:

access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip any any

int vlan 2
ip access-group 101 in

and then you need to repeat the above from the perspective of each of your VLANs, i.e.

VLAN 3:

access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

etc....

Jon
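The per-VLAN ACL scheme in the reply above is easy to get wrong by hand once there are more than a couple of VLANs (one ACL per SVI, each subnet denied to every other subnet, then permit ip any any). The following is an added example, not code from the original thread or from Cisco: it generates that exact set of IOS access-lists for all four VLANs from the subnets in the question, then evaluates sample packets against them with first-match wildcard-mask semantics (including the implicit deny at the end of every IOS ACL) so the policy can be checked before it is pasted into the switch. The DMZ/LAN server address 10.10.10.5 and the Internet address 8.8.8.8 used as "allowed" destinations are constructed test values; as Jon notes, the scheme only works if those servers are not inside the four VLAN subnets.

```python
"""Generate and check the per-SVI inter-VLAN deny ACLs from the thread.

Added example, not from the original post or from Cisco IOS itself.
The VLAN subnets are from the question; 10.10.10.5 and 8.8.8.8 below are
constructed stand-ins for the DMZ/LAN server and the Internet.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

# VLAN id -> subnet, as given in the question.
VLANS = {
    2: "192.168.2.0/24",
    3: "192.168.3.0/24",
    4: "192.168.4.0/24",
    5: "192.168.5.0/24",
}


class Ace(NamedTuple):
    """One access-control entry: action, source/destination as 32-bit ints
    plus IOS wildcard masks (a 0 bit in the mask means that bit must match)."""
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int


ANY = (0, 0xFFFFFFFF)  # "any": every bit is a wildcard bit


def _net_and_wild(cidr: str) -> Tuple[int, int]:
    net = ipaddress.ip_network(cidr)
    return int(net.network_address), int(net.hostmask)


def build_acls(vlans: Dict[int, str], base: int = 100) -> Dict[int, Tuple[int, List[Ace]]]:
    """Mirror the reply's scheme: ACL 101 on VLAN 2, 102 on VLAN 3, and so on.
    Each ACL denies its own subnet to every other VLAN subnet, then permits
    everything else (DMZ, LAN server, Internet)."""
    acls = {}
    for i, (vid, cidr) in enumerate(sorted(vlans.items()), start=1):
        src, src_w = _net_and_wild(cidr)
        aces = []
        for other_vid, other_cidr in sorted(vlans.items()):
            if other_vid == vid:
                continue  # intra-VLAN traffic never crosses the SVI anyway
            dst, dst_w = _net_and_wild(other_cidr)
            aces.append(Ace("deny", src, src_w, dst, dst_w))
        aces.append(Ace("permit", *ANY, *ANY))
        acls[vid] = (base + i, aces)
    return acls


def _fmt(addr: int, wild: int) -> str:
    if wild == 0xFFFFFFFF:
        return "any"
    return f"{ipaddress.ip_address(addr)} {ipaddress.ip_address(wild)}"


def render_ios(acls: Dict[int, Tuple[int, List[Ace]]]) -> str:
    """Emit the numbered extended ACLs and the SVI bindings as IOS config text."""
    lines = []
    for vid, (num, aces) in sorted(acls.items()):
        for a in aces:
            lines.append(f"access-list {num} {a.action} ip "
                         f"{_fmt(a.src, a.src_wild)} {_fmt(a.dst, a.dst_wild)}")
        lines.append(f"interface Vlan{vid}")
        lines.append(f" ip access-group {num} in")
    return "\n".join(lines)


def _matches(addr: int, rule_addr: int, wild: int) -> bool:
    # Bits where the wildcard mask is 0 must be equal; wildcard-1 bits are ignored.
    return ((addr ^ rule_addr) & ~wild & 0xFFFFFFFF) == 0


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation like IOS; nothing matched means the implicit deny."""
    s = int(ipaddress.ip_address(src_ip))
    d = int(ipaddress.ip_address(dst_ip))
    for a in aces:
        if _matches(s, a.src, a.src_wild) and _matches(d, a.dst, a.dst_wild):
            return a.action
    return "deny"


def check_policy(acls, vlans, allowed_dsts: List[str]) -> List[str]:
    """Return a list of violations: any host reaching another VLAN, or failing
    to reach an allowed destination. An empty list means the policy holds."""
    failures = []
    for vid, (num, aces) in acls.items():
        host = str(ipaddress.ip_network(vlans[vid])[10])  # constructed test host
        for other_vid, other_cidr in vlans.items():
            if other_vid == vid:
                continue
            target = str(ipaddress.ip_network(other_cidr)[10])
            if evaluate(aces, host, target) != "deny":
                failures.append(f"acl {num}: {host} -> {target} not denied")
        for dst in allowed_dsts:
            if evaluate(aces, host, dst) != "permit":
                failures.append(f"acl {num}: {host} -> {dst} not permitted")
    return failures


if __name__ == "__main__":
    acls = build_acls(VLANS)
    print(render_ios(acls))
    print("violations:", check_policy(acls, VLANS, ["10.10.10.5", "8.8.8.8"]))
```

Because the ACL is applied inbound on the SVI, it only sees traffic that hosts in that VLAN send towards the router, so the source side of every deny is always the SVI's own subnet; adding a fifth VLAN means regenerating all the ACLs, not just adding one, which is why a generator plus a check is safer than editing the lists by hand.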
