Limiting VLAN access

Unanswered Question
Jon Marshall Sat, 08/01/2009 - 16:08

Pedro

You can use standard ACLs to limit the access between VLANs. An example:

vlan 10 = 192.168.5.0/24

vlan 11 = 192.168.6.0/24

vlan 12 = 192.168.7.0/24

You want to stop traffic from VLAN 10 going to VLANs 11 and 12, but you still want to allow VLAN 10 traffic to go out to the internet.

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 101 permit ip any any

int vlan 10

ip access-group 101 in

Jon
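To show how the three access-list lines above are actually evaluated (top-down, first match wins, implicit deny at the end, wildcard mask bits set to 1 meaning "don't care"), here is a small simulator. It is an added example, not code from the original thread or from Cisco; the parser handles only the `access-list <n> permit|deny ip <src> <dst>` form used in the post (plus `any` and `host`), and the sample addresses and the stand-alone run in `main` are constructed for illustration.

```python
import ipaddress

# Constructed sample: the ACL from the post above, as it would be typed in.
ACL_101 = """
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip any any
"""


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.

    Returns ((base, wildcard), remaining_tokens) with both as 32-bit ints.
    """
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wildcard), tokens[2:]


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in line: {line!r}")
        src, rest = _take_address(parts[4:])
        dst, rest = _take_address(rest)
        entries.append((action, src, dst))
    return entries


def matches(spec, ip):
    """Cisco wildcard match: only bits that are 0 in the wildcard must be equal."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def evaluate(entries, src_ip, dst_ip):
    """First matching entry decides; an ACL with no match denies implicitly."""
    for action, src, dst in entries:
        if matches(src, src_ip) and matches(dst, dst_ip):
            return action
    return "deny"  # the implicit 'deny ip any any' at the end of every IOS ACL


def main():
    # Applied as 'ip access-group 101 in' on interface vlan 10, the ACL sees
    # packets arriving from VLAN 10 hosts, so every source below is in 192.168.5.0/24.
    acl = parse_acl(ACL_101)
    for dst in ("192.168.6.20", "192.168.7.1", "203.0.113.5"):
        print(f"192.168.5.10 -> {dst}: {evaluate(acl, '192.168.5.10', dst)}")
    # Without the final 'permit ip any any' the internet-bound packet hits the implicit deny.
    print("without permit any any:", evaluate(acl[:2], "192.168.5.10", "203.0.113.5"))


if __name__ == "__main__":
    main()
```

Two things the run makes visible: the `permit ip any any` line is what keeps internet access working, since leaving it out turns the list into a deny-everything ACL; and because the filter is stateless, hosts in VLAN 11 can still send packets toward VLAN 10, but the replies from VLAN 10 are dropped by this same list, so connections in that direction fail as well.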

Marwan ALshawi Sat, 08/01/2009 - 22:26

To add to Jon's post:

VLAN ACLs will do the same job.

VACLs filter traffic within the VLAN and between VLANs as well, using the same concept as above.

Just search on CCO for "VACL" and you will get a lot of documents.

Good luck.

Hope this helps.

cbeswick Wed, 08/05/2009 - 00:03

If you want to make them completely isolated and not route to anything else you have two other options:

1) Completely remove the Layer 3 interface for the VLAN from the backbone.

2) Remove the default gateways from the clients and use static routing to only allow them access to specific networks or hosts. This removes the need for complex configurations on the backbone. Arguably this isn't the most secure, but it can be a quick win if security isn't the major concern.

HTH.
