08-01-2009 04:02 PM - edited 03-06-2019 07:03 AM
How can I prevent VLANs from having access to other VLANs?
On the 6509 and the 3550 switches.
08-01-2009 04:08 PM
Pedro
You can use standard ACLs to limit the access between VLANs. An example:
vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.6.0/24
vlan 12 = 192.168.7.0/24
You want to stop traffic from vlan 10 going to vlan 11 & 12, but you still want to allow vlan 10 traffic to go out to the internet:
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip any any
int vlan 10
ip access-group 101 in
Jon
08-01-2009 10:26 PM
To add to Jon's post:
A VLAN ACL will do the same job.
A VACL filters traffic within the VLAN and between VLANs as well, using the same concept as above.
Just search CCO for "VACL" and you will get a lot of documents.
Good luck,
hope this helps.
08-05-2009 12:03 AM
If you want to make them completely isolated and not route to anything else you have two other options:
1) Completely remove the Layer 3 interface for the Vlan from the backbone.
2) Remove the default gateways from the clients and use static routing to only allow them access to specific networks or hosts. This removes the need for complex configurations on the backbone. Arguably this isn't the most secure, but can be a quick win if security isn't the major concern.
HTH.