INTER-VLAN Routing

Jul 25th, 2006

I have an L3 switch with several VLAN interfaces. I want to add another VLAN interface that is restricted (isolated) from the other VLANs. What would be the best way to go about doing this? Should I create an extended ACL and then apply it to the VLAN interface? I believe VACLs are intended for intra-VLAN situations, is this correct?


Thanks,


Joel

lutheran1971 Tue, 07/25/2006 - 10:59

Hi Joel,

It is my understanding that VACLs are applied to all traffic seen on a given VLAN, whereas "normal" ACLs are applied to the L3 SVI. In other words, they are applied only to traffic leaving or coming to that network via the L3 sub-interface for that VLAN.

VLAN usage implies isolation from other VLANs, so I assume when you say isolation you mean that you want the new VLAN to be able to access other networks (for instance perhaps the internet), though you do not want hosts on any other local VLAN to access it. I would write an ACL for the sub-interface that simply (!) accommodates this: generally, allow all traffic from your special VLAN 'out' but deny traffic from the others 'in'. Hope this helps.

thomuff Tue, 07/25/2006 - 12:04

Do you really need the Layer 3 interface, or would creating the Layer 2 VLAN satisfy the goal? Could you tell us what you are trying to accomplish?


Thanks

globalnettech Tue, 07/25/2006 - 12:05

Hello,


here is a configuration example with ACLs to restrict traffic between two VLANs (this is from a previous post from 'Bosalaza'):


Goal: to restrict traffic between two VLANs, but from these VLANs you want no traffic restrictions to e.g. the Internet. You can create an access list preventing traffic from one VLAN, and allowing traffic to the Internet. For example:


vlan x - 1.1.1.0/24
vlan y - 1.1.2.0/24

! x and y stand for the standard ACL numbers (1-99) and the VLAN ids
! ACL x matches traffic sourced from VLAN x, ACL y traffic sourced from VLAN y
access-list x deny 1.1.1.0 0.0.0.255
access-list x permit any
access-list y deny 1.1.2.0 0.0.0.255
access-list y permit any
!
! on each SVI the outbound ACL drops traffic sourced from the other VLAN
! before it is delivered to this VLAN's hosts; everything else passes
interface vlan x
 ip address 1.1.1.1 255.255.255.0
 ip access-group y out
!
interface vlan y
 ip address 1.1.2.1 255.255.255.0
 ip access-group x out


HTH,


GNT


joel-metz Tue, 07/25/2006 - 12:38

How do I know if I should place the action of the access list to be incoming or outgoing on the interface?


Thanks,


Joel

jackyoung Tue, 07/25/2006 - 17:32

For incoming or outgoing, it depends on the usage. E.g., if you want to block the users from remote sites to your office, you have to set it up incoming at your location, or you can set it up outgoing at the remote sites.


Hope this helps.
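As an added example (not from the thread), a small Python model of IOS-style standard ACLs with wildcard masks, applied outbound on the two SVIs exactly as in GNT's config, so you can check which flows pass and see why the "out" direction on the egress SVI is what isolates the two VLANs. The ACL numbers (10 and 20), the uplink subnet and the host addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# One standard ACL entry: (action, network, wildcard); "any" is 0.0.0.0 255.255.255.255
Ace = Tuple[str, str, str]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def evaluate_acl(acl: List[Ace], src: str) -> str:
    """Standard ACLs match on source only; first match wins, implicit deny at the end."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

# The two ACLs from the post, with constructed numbers x=10 and y=20.
ACL_10 = [("deny", "1.1.1.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]
ACL_20 = [("deny", "1.1.2.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]

# SVIs of the L3 switch: the subnet behind each one and the ACL applied outbound
# (toward that VLAN's hosts). The uplink SVI and its subnet are constructed.
SVIS: Dict[str, dict] = {
    "vlan x": {"subnet": ipaddress.ip_network("1.1.1.0/24"), "out": ACL_20},
    "vlan y": {"subnet": ipaddress.ip_network("1.1.2.0/24"), "out": ACL_10},
    "vlan uplink": {"subnet": ipaddress.ip_network("203.0.113.0/24"), "out": []},
}

def egress_svi(dst: str) -> str:
    """Pick the SVI the packet leaves through; unknown destinations go to the uplink."""
    for name, svi in SVIS.items():
        if ipaddress.ip_address(dst) in svi["subnet"]:
            return name
    return "vlan uplink"

def forward(src: str, dst: str) -> str:
    """Route src->dst through the switch and apply the egress SVI's outbound ACL."""
    svi = SVIS[egress_svi(dst)]
    if not svi["out"]:          # no ACL on the interface: everything is forwarded
        return "permit"
    return evaluate_acl(svi["out"], src)
```

Hosts in VLAN x and VLAN y cannot reach each other, while both still reach the Internet and get their replies, because only traffic sourced from the other VLAN is dropped on the way out of each SVI.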
