Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1471
Views
0
Helpful
6
Replies

best way to block a vlan from accessing other vlans

cktechnology
Level 1
Level 1

‎05-23-2012 04:20 AM - edited ‎03-07-2019 06:51 AM

I have a LAN with 6 vlans and a 2821 router. By default, intervlan routing is enabled for all vlans, however, I want specific vlans to be denied access to others, though all should still be able to use the Internet being served from GE/0.

Sent from Cisco Technical Support iPad App

Labels:
0 Helpful
6 Replies 6

Sergey Fer
Level 1
Level 1

‎05-23-2012 04:23 AM

Use VRFs and route-leaking. Here, probably, it is enough to use static routes with explicit interface statements.

0 Helpful

cktechnology
Level 1
Level 1
In response to Sergey Fer

‎05-23-2012 04:30 AM

Could you elaborate? I was thinking about using ACLs.

Sent from Cisco Technical Support iPad App

0 Helpful

Sergey Fer
Level 1
Level 1
In response to cktechnology

‎05-23-2012 04:44 AM

Oh, sure you may use ACLs.

VRF is a couple of VLANs (roughly) that are allowed to talk to each other. By default router does not route traffic between VRFs. Here you can obtain full isolation.

By default there exists one VRF (Global Routing Table). You may put your G0/0 into it (by default it is already there) and all other ifs and subifs into different VRFs.

Let's take one of VRFs (VRF_A). Here you need to put a command

ip route 0.0.0.0 0.0.0.0 G0/0 or in some cases

ip route 0.0.0.0 0.0.0.0 global

By doing so you allow VRF_A be able to send traffic upstream through G0/0.

Now you need to talk to your ISP about routes in your VRFs. Best way is to aggregate them into one supernet (probably you have already did it).

And last but not the least. You need to allow incoming trafic into VRFs from G0/0. You may also use static routes or you may use PBR - as you wish.

0 Helpful

jimmysands73_2
Level 5
Level 5
In response to Sergey Fer

‎05-23-2012 02:14 PM

Why not use private vlans?  Wonder if they are supported on 2821.

0 Helpful

smehrnia
Level 7
Level 7

‎05-23-2012 03:25 PM

Hi,

you could simply write an ACL, denying the NET IDs you dont want each of ur VLANs have access to and then bind it to the respective VLANs L3 interface.

what switch are u using btw?

plz Rate if it helped.

Soroush.

Hope it Helps!

Soroush.
0 Helpful

Sergey Fer
Level 1
Level 1
In response to smehrnia

‎05-23-2012 09:14 PM

Private VLANs are not supported by routers in their own. Only by switches and switching modules.

ACL is a good way when there are not so many VLANs and policies.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card