Inter-Vlan routing

Unanswered Question
Aug 31st, 2010
I know this is probably a fairly simple solution, but I have limited Cisco XP.

What I have set up is about 20 various switches with 2 VLANs. Unfortunately the gateway router only has a single interface for me to use, so I put the VLANs on subinterfaces 0/0.1 and 0/0.2, and I am using the ip-helper to grab DHCP for both VLANs from a Windows server. The trunking and tagging all seem to be working. Setting an access port to VLAN 2, I am grabbing an address from the correct DHCP pool.

One subnet is (don't ask, it was here when I got here) and the other is, and I need to make sure these VLANs cannot talk to one another. One is going to be used for a public wireless, and I don't want them to be able to access any resources on our LAN. Since they are on the same interface, is there any way to prevent inter-VLAN routing?


Overall rating: 5 (1 rating)
Atif Awan Tue, 08/31/2010 - 08:06
User Badges: Cisco Employee

They are on the same physical interface but different logical interfaces. The simplest option is to use ACLs on the logical interfaces to prevent the two subnets from talking to one another. A better solution would be to separate them into VRFs using the VRF Lite feature, if available on the router; however, you need to look carefully at whether there are any shared services between the two VRFs.


ebojonell Tue, 08/31/2010 - 08:37
Yeah, VRF would probably be the best way to go, but some of these switches are pretty old, 2960s and 4912s.

I figured ACLs would be the way to go, but I don't know how to set those up per se.

Do they ONLY need to be configured on the router where the VLANs are configured?

Atif Awan Tue, 08/31/2010 - 08:41
User Badges: Cisco Employee

My understanding is that the switches are being used purely as Layer-2 switches in your environment. If so, VRF support is not required on the switches, as VLANs maintain the required separation. VRF configuration is only required on your gateway router.

ACLs are also required at the Layer-3 interfaces on the routers.

ebojonell Tue, 08/31/2010 - 11:32
Do you have any example ACL for a situation like this? Thanks

Atif Awan Tue, 08/31/2010 - 22:06
User Badges: Cisco Employee

ACLs in this case will be your standard ACLs you normally use on interfaces. Assuming your sub-interface 0/0.1 is for and 0/0.2 is for, you can use something along the lines of:

ip access-list extended 172-to-89
  deny ip
  permit ip any any

ip access-list extended 89-to-172
  deny ip
  permit ip any any

interface Fa0/0.1
  ip access-group 172-to-89 in
interface Fa0/0.2
  ip access-group 89-to-172 in
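A fuller version of the ACL approach in the two replies above, added here as an example; it is not configuration from the thread or from Cisco documentation. The subnets, VLAN IDs, interface names and the DHCP server address are placeholders (the thread does not give the real ones): it assumes VLAN 1 is the office LAN and the native VLAN on the trunk, VLAN 2 is the guest wireless, and the Windows DHCP server sits on the LAN subnet. That server is exactly the kind of shared service the first reply warns about: a bare deny between the two subnets also drops the relayed DHCP traffic (unicast lease renewals from guest clients to the server, and the server's OFFER/ACK back to the relay address or the client), so DHCP is permitted explicitly ahead of the deny in both directions.

```cisco
! Added example config (assumptions, not the poster's or the replies' config):
!   VLAN 1 (native on the trunk) = office LAN  10.1.1.0/24, gateway 10.1.1.1
!   VLAN 2                       = guest Wi-Fi 10.1.2.0/24, gateway 10.1.2.1
!   Windows DHCP server on the LAN subnet = 10.1.1.10
!
! Entries are evaluated top down, first match wins, so the DHCP permits
! must sit above the subnet-to-subnet deny.
ip access-list extended GUEST-TO-LAN
 remark Relayed DHCP: the initial DISCOVER is a broadcast from 0.0.0.0 and
 remark never matches the deny below, but renewals are unicast to the server
 permit udp 10.1.2.0 0.0.0.255 host 10.1.1.10 eq bootps
 remark Everything else from the guest subnet to the LAN subnet is dropped
 deny   ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 remark The Internet and anything not on the LAN subnet stay reachable
 permit ip any any
!
ip access-list extended LAN-TO-GUEST
 remark DHCP replies: OFFER/ACK go to the relay address 10.1.2.1 (giaddr),
 remark or straight to the client in 10.1.2.0/24 on a unicast renewal
 permit udp host 10.1.1.10 eq bootps 10.1.2.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 log
 permit ip any any
!
interface FastEthernet0/0
 description 802.1Q trunk to the switches
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 description Office LAN (VLAN 1)
 encapsulation dot1Q 1 native
 ip address 10.1.1.1 255.255.255.0
 ip access-group LAN-TO-GUEST in
!
interface FastEthernet0/0.2
 description Public wireless (VLAN 2)
 encapsulation dot1Q 2
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group GUEST-TO-LAN in
```

To check it, take a guest client through a full DHCP lease (obtain, then renew), then try to ping the LAN gateway 10.1.1.1 and the DHCP server from that client; the pings should fail while the lease keeps renewing. The hit counters from `show ip access-lists GUEST-TO-LAN` show which line each packet matched, and `show ip interface FastEthernet0/0.2` confirms the ACL is applied inbound. If the same Windows server also provides DNS for the guest VLAN, add a matching `permit udp 10.1.2.0 0.0.0.255 host 10.1.1.10 eq domain` above the deny. Note that, as in the reply's own ACLs, the closing `permit ip any any` still lets guests reach the Internet and the router's own guest-side address; tightening that is outside what the thread covers.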

