INTER-VLAN Routing

joel-metz
Level 1

I have an L3 switch with several VLAN interfaces. I want to add another VLAN interface that is restricted (isolated) from the other VLANs. What would be the best way to go about doing this? Should I create an extended ACL and then apply it to the VLAN interface? I believe VACLs are intended for intra-VLAN situations, is this correct?

Thanks,

Joel

6 Replies

gpulos
Level 8

To add a VLAN interface and not have it be able to communicate with the other VLAN interfaces, you will need to set up VACLs.

These will allow/deny communication to/from VLANs.

See this link for more info:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801609f6.html

lutheran1971
Level 1

Hi Joel,

It is my understanding that VACLs are applied to all traffic seen on a given VLAN, whereas "normal" ACLs are applied to the L3 SVI. In other words, they are applied only to traffic leaving or coming to that network via the L3 sub-interface for that VLAN.

VLAN usage implies isolation from other VLANs, so I assume when you say isolation you mean that you want the new VLAN to be able to access other networks (for instance perhaps the Internet), though you do not want hosts on any other local VLAN to access it. I would write an ACL for the sub-interface that simply (!) accommodates this: generally, allow all traffic from your special VLAN 'out' but deny traffic from the others 'in'. Hope this helps.

Do you really need the Layer 3 interface, or would creating the Layer 2 VLAN satisfy the goal? Could you tell us what you are trying to accomplish?

Thanks

Hello,

Here is a configuration example with ACLs to restrict traffic between two VLANs (this is from a previous post from 'Bosalaza'):

Goal: to restrict traffic between two VLANs, but from these VLANs you want no traffic restrictions to e.g. the Internet. You can create an access list preventing traffic from one VLAN, and allowing traffic to the Internet. For example:

vlan x - 1.1.1.0/24
vlan y - 1.1.2.0/24

access-list x deny 1.1.1.0 0.0.0.255
access-list x permit any
access-list y deny 1.1.2.0 0.0.0.255
access-list y permit any

interface vlan x
 ip address 1.1.1.1 255.255.255.0
 ip access-group y out

interface vlan y
 ip address 1.1.2.1 255.255.255.0
 ip access-group x out

HTH,

GNT

How do I know if I should place the action of the access list to be incoming or outgoing on the interface?

Thanks,

Joel

For incoming or outgoing, it depends on the usage. For example, if you want to block the user from remote sites to your office, you have to set up incoming at your location, or you can set up outgoing at the remote sites.

Hope this helps.
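As an added illustration (not posted by anyone in this thread), the following Python model replays the ACL and SVI configuration from GNT's example against constructed sample flows. It shows how the 'in' and 'out' directions on an SVI are evaluated, and why the two 'out' ACLs block traffic between the VLANs while leaving Internet traffic untouched; the SVI/ACL tables and the sample addresses are assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network   # "any" is modelled as 0.0.0.0/0

def parse_acl(lines):
    """Parse standard IOS ACL lines ('access-list <id> deny 1.1.1.0 0.0.0.255') into lists keyed by ACL id."""
    acls = {}
    for line in lines:
        _, name, action, *rest = line.split()
        if rest == ["any"]:
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            addr, wildcard = rest
            # IOS wildcard masks are the inverse of a subnet mask: 0 bits must match
            netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
            net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
        acls.setdefault(name, []).append(Ace(action, net))
    return acls

def evaluate(acl, src):
    """First matching entry wins; an implicit deny sits at the end, as on IOS."""
    for ace in acl:
        if ipaddress.ip_address(src) in ace.source:
            return ace.action
    return "deny"

# Constructed tables mirroring the thread's example: ACL 'y' is applied outbound on
# 'interface vlan x' and ACL 'x' outbound on 'interface vlan y'. No inbound ACLs.
ACLS = parse_acl(["access-list x deny 1.1.1.0 0.0.0.255", "access-list x permit any",
                  "access-list y deny 1.1.2.0 0.0.0.255", "access-list y permit any"])
SVIS = {"vlan x": {"subnet": ipaddress.ip_network("1.1.1.0/24"), "in": None, "out": "y"},
        "vlan y": {"subnet": ipaddress.ip_network("1.1.2.0/24"), "in": None, "out": "x"}}

def forward(src, dst, svis=SVIS, acls=ACLS):
    """Verdict for a routed flow src -> dst. The 'in' ACL is checked on the SVI the packet
    arrives on, the 'out' ACL on the SVI it leaves through. A destination outside every
    SVI (e.g. the Internet) leaves via an uplink that carries no ACL in this model."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next((s for s in svis.values() if src_ip in s["subnet"]), None)
    egress = next((s for s in svis.values() if dst_ip in s["subnet"]), None)
    for svi, direction in ((ingress, "in"), (egress, "out")):
        if svi and svi[direction] and evaluate(acls[svi[direction]], src) == "deny":
            return "deny"
    return "permit"

if __name__ == "__main__":
    for flow in [("1.1.1.10", "1.1.2.10"), ("1.1.1.10", "8.8.8.8"), ("203.0.113.5", "1.1.1.10")]:
        print(flow, "->", forward(*flow))
```

Swapping the two `out` ACLs for a single `in` ACL on each SVI that denies the other VLAN's subnet as destination would need an extended ACL, which is why the standard-ACL version in the thread is applied outbound, where matching on source is enough.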
