limiting vlans access

Unanswered Question
Jon Marshall Sat, 08/01/2009 - 16:08

Pedro


You can use standard ACLs to limit the access between VLANs. An example:


vlan 10 = 192.168.5.0/24

vlan 11 = 192.168.6.0/24

vlan 12 = 192.168.7.0/24


You want to stop traffic from VLAN 10 going to VLAN 11 and 12, but you still want to allow VLAN 10 traffic to go out to the internet.


access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 101 permit ip any any


int vlan 10

ip access-group 101 in


Jon
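To see how access-list 101 above actually classifies flows, here is a small added example (not part of Jon's post or any Cisco tooling) that parses those three lines, applies Cisco wildcard-mask matching with first-match semantics and the implicit deny at the end, and checks a few constructed flows. Host addresses and the 203.0.113.5 "internet" destination are made up for the test.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str, str, str, str]  # action, src, src-wildcard, dst, dst-wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a set bit means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N {permit|deny} ip <src> <wc> <dst> <wc>' lines; 'any' = 0.0.0.0 255.255.255.255."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # only the numbered extended-ACL form used above is handled
        action, fields, addrs = parts[2], parts[4:], []
        while fields:
            if fields[0] == "any":
                addrs.append(("0.0.0.0", "255.255.255.255"))
                fields = fields[1:]
            else:
                addrs.append((fields[0], fields[1]))
                fields = fields[2:]
        (src, swc), (dst, dwc) = addrs
        entries.append((action, src, swc, dst, dwc))
    return entries


def evaluate(acl: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


# The three lines from the post, applied inbound on "int vlan 10".
ACL_101 = """
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip any any
"""


def check_flows() -> dict:
    """Constructed flows sourced from VLAN 10 (the only traffic this inbound ACL sees)."""
    acl = parse_acl(ACL_101)
    return {
        "vlan10->vlan11": evaluate(acl, "192.168.5.10", "192.168.6.20"),
        "vlan10->vlan12": evaluate(acl, "192.168.5.10", "192.168.7.20"),
        "vlan10->internet": evaluate(acl, "192.168.5.10", "203.0.113.5"),
    }
```

Because the ACL is applied inbound on the VLAN 10 SVI, only packets sourced from VLAN 10 are ever checked against it; remove the final permit line and the implicit deny drops the internet flow too.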

Marwan ALshawi Sat, 08/01/2009 - 22:26

To add to Jon's post:


VLAN ACLs will do the same job.

VACLs filter traffic within the VLAN and between VLANs as well, using the same concept as above.


Just search on CCO for "VACL" and you will get a lot of documents.


Good luck,

hope this helps.

cbeswick Wed, 08/05/2009 - 00:03

If you want to make them completely isolated and not route to anything else, you have two other options:


1) Completely remove the Layer 3 interface for the VLAN from the backbone.

2) Remove the default gateways from the clients and use static routing to only allow them access to specific networks or hosts. This removes the need for complex configurations on the backbone. Arguably this isn't the most secure, but it can be a quick win if security isn't the major concern.


HTH.
