Inter-VLAN routing

Unanswered Question
Aug 31st, 2010

I know this is probably a fairly simple solution, but I have limited Cisco experience.

What I have set up is about 20 various switches with 2 VLANs. Unfortunately the gateway router only has a single interface for me to use, so I put the VLANs on sub-interfaces 0/0.1 and 0/0.2, and I am using the ip-helper to grab DHCP for both VLANs from a Windows server. The trunking and tagging all seem to be working. Setting an access port to VLAN 2, I am grabbing an address from the correct DHCP pool.

One subnet is 89.0.0.0 (don't ask, it was here when I got here) and the other is 172.16.0.0. I need to make sure these VLANs cannot talk to one another. One is going to be used for a public wireless and I don't want them to be able to access any resources on our LAN. Since they are on the same interface, is there any way to prevent inter-VLAN routing?

Thanks

Atif Awan Tue, 08/31/2010 - 08:06

They are on the same physical interface but different logical interfaces. The simplest option is to use ACLs on the logical interfaces to prevent the two subnets from talking to one another. A better solution would be to separate them into VRFs using the VRF Lite feature, if available on the router; however, you need to carefully look at whether there are any shared services between the two VRFs.

Atif

ebojonell Tue, 08/31/2010 - 08:37

Yeah, VRF would probably be the best way to go, but some of these switches are pretty old, 2960s and 4912s.

I figured ACLs would be the way to go, but I don't know how to set those up per se.

Do they ONLY need to be configured on the router where the VLANs are configured?

Atif Awan Tue, 08/31/2010 - 08:41

My understanding is that the switches are being used purely as Layer-2 switches in your environment. If yes then VRF support is not required on the switches as VLANs maintain the required separation. VRF configuration is only required on your gateway router.

ACLs are also required at the Layer-3 interfaces on the routers.

ebojonell Tue, 08/31/2010 - 11:32

Do you have any example ACL for a situation like this? Thanks

Atif Awan Tue, 08/31/2010 - 22:06

ACLs in this case will be your standard ACLs you normally use on interfaces. Assuming your sub-interface 0/0.1 is for 172.16.0.0 and 0/0.2 is for 89.0.0.0, you can use something along the lines of:

ip access-list extended acl-172-to-89
 remark ACL names must begin with a letter; IOS rejects names that start with a digit
 deny   ip 172.16.0.0 0.0.255.255 89.0.0.0 0.255.255.255
 permit ip any any
!
ip access-list extended acl-89-to-172
 remark guest (89/8) may not reach anything in 172.16/16; everything else (Internet) is allowed
 deny   ip 89.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
 permit ip any any
!
interface FastEthernet0/0.1
 ip access-group acl-172-to-89 in
!
interface FastEthernet0/0.2
 ip access-group acl-89-to-172 in

Atif
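A fuller version of the same ACL approach, added here as an example and not part of Atif's reply or the original thread. It assumes VLAN 1 (172.16.0.0/16) on Fa0/0.1, VLAN 2 (the 89.0.0.0/8 guest wireless) on Fa0/0.2, a Windows DHCP server at 172.16.0.10 and router addresses 172.16.0.1 and 89.0.0.1; all of those values are assumptions to be replaced with the real addressing. Beyond the two deny lines, it handles two things a practitioner runs into: a client's unicast DHCP renewal (client port 68 to server port 67, sourced from its 89.x address) would otherwise be dropped by the guest-to-LAN deny, and the transit ACLs do nothing to stop guests from opening sessions to the router's own 89.0.0.1 address.

```cisco
! Added example, not the thread's own configuration. Assumed addressing: VLAN 1 =
! 172.16.0.0/16 on Fa0/0.1, VLAN 2 = 89.0.0.0/8 guest on Fa0/0.2, DHCP server
! 172.16.0.10, router 172.16.0.1 / 89.0.0.1. Adjust to your environment.
!
! Guest -> LAN. The initial DHCP discover is sourced 0.0.0.0 -> 255.255.255.255 and
! is relayed by the router itself, so it never matches the deny; a unicast renewal
! from an already-addressed client would, hence the explicit permit to the server.
ip access-list extended GUEST-IN
 permit udp any eq bootpc host 172.16.0.10 eq bootps
 deny   ip 89.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255 log
 permit ip any any
!
! LAN -> guest. Nothing on the LAN needs to initiate sessions to guest clients.
ip access-list extended LAN-IN
 deny   ip 172.16.0.0 0.0.255.255 89.0.0.0 0.255.255.255
 permit ip any any
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.0.1 255.255.0.0
 ip access-group LAN-IN in
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 89.0.0.1 255.0.0.0
 ip helper-address 172.16.0.10
 ip access-group GUEST-IN in
!
! Interface ACLs filter transit traffic only. Keep guests off the router's own
! management plane (telnet/ssh to 89.0.0.1) with an access-class on the VTY lines.
ip access-list standard MGMT-ONLY
 permit 172.16.0.0 0.0.255.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
```

After applying it, verify from a guest client that a ping or connection to a 172.16.x address fails while Internet access and a DHCP renewal still work, and watch the counters with `show ip access-lists GUEST-IN`: the deny line's hit count should climb as guests probe the LAN. The `log` keyword is useful while testing but is CPU-bound on a small router, so drop it once you are satisfied. Because ACLs are stateless, a single deny in either direction already breaks TCP sessions between the two VLANs; keeping both denies simply makes the intent explicit. If the DHCP server lives off the 172.16/16 subnet, Fa0/0.1 needs its own `ip helper-address` as well.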
