
limiting vlans access

par13
Level 1

How can I prevent vlans having access to other vlans?

On the 6509 and 3550 switches


Jon Marshall
Hall of Fame

Pedro

You can use standard ACLs to limit the access between VLANs. An example:

vlan 10 = 192.168.5.0/24

vlan 11 = 192.168.6.0/24

vlan 12 = 192.168.7.0/24

You want to stop traffic from VLAN 10 going to VLANs 11 and 12, but you still want to allow VLAN 10 traffic to go out to the internet.

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 101 permit ip any any

int vlan 10

ip access-group 101 in

Jon
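
An added example (not part of the original replies): a small Python evaluator for the ACL 101 posted above, showing its wildcard-mask and first-match behaviour for traffic arriving inbound on interface Vlan10. The parser is a sketch that handles only `ip` entries with `any`, `host` or address/wildcard specs, and the sample host addresses are constructed.

```python
import ipaddress

# ACL 101 exactly as posted in the reply above.
ACL_101 = """\
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip any any
"""

def parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') from tokens."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Return [(action, src_spec, dst_spec)] for the 'ip' entries of an extended ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        if tokens[3] != "ip":
            raise ValueError("this sketch only handles 'ip' entries")
        rest = tokens[4:]
        entries.append((tokens[2], parse_addr(rest), parse_addr(rest)))
    return entries

def wildcard_match(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(entries, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, d in entries:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    # Constructed sample flows as seen inbound on interface Vlan10.
    for dst in ("192.168.6.9", "192.168.7.9", "203.0.113.10"):
        print("192.168.5.20 ->", dst, evaluate(acl, "192.168.5.20", dst))
```

Because the last entry is `permit ip any any`, any subnet that is not named in a deny line, such as a VLAN added later, stays reachable from VLAN 10 until a matching deny is placed above it.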

To add to Jon's post:

A VLAN ACL will do the same job.

VACLs filter traffic within the VLAN and between VLANs as well, using the same concept as above.

Just search CCO for "VACL" and you will get a lot of documents.

Good luck.

hope this helps

If you want to make them completely isolated and not route to anything else you have two other options:

1) Completely remove the Layer 3 interface for the Vlan from the backbone.

2) Remove the default gateways from the clients and use static routing to only allow them access to specific networks or hosts. This removes the need for complex configurations on the backbone. Arguably this isn't the most secure, but can be a quick win if security isn't the major concern.

HTH.
