05-23-2012 04:20 AM - edited 03-07-2019 06:51 AM
I have a LAN with 6 vlans and a 2821 router. By default, intervlan routing is enabled for all vlans, however, I want specific vlans to be denied access to others, though all should still be able to use the Internet being served from GE/0.
Sent from Cisco Technical Support iPad App
05-23-2012 04:23 AM
Use VRFs and route-leaking. Here, probably, it is enough to use static routes with explicit interface statements.
05-23-2012 04:30 AM
Could you elaborate? I was thinking about using ACLs.
05-23-2012 04:44 AM
Oh, sure you may use ACLs.
A VRF is, roughly, a group of VLANs that are allowed to talk to each other. By default the router does not route traffic between VRFs. Here you can obtain full isolation.
By default there is one VRF (the global routing table). You may leave G0/0 in it (by default it is already there) and put all other interfaces and sub-interfaces into different VRFs.
Let's take one of the VRFs (VRF_A). Here you need to put the command
ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0
By doing so you allow VRF_A to send traffic upstream through G0/0.
Now you need to talk to your ISP about the routes in your VRFs. The best way is to aggregate them into one supernet (probably you have already done it).
And last but not least: you need to allow incoming traffic into the VRFs from G0/0. You may use static routes or you may use PBR, as you wish.
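The VRF-lite procedure described in the reply above, as an added worked configuration that is not from any of the posts. It assumes the 2821 carries the VLANs as 802.1Q sub-interfaces on Gi0/1, Gi0/0 faces the ISP and stays in the global table, and the ISP routes the aggregate 198.51.100.0/24 to the router's uplink address. The VRF names, RDs, VLAN numbers and all addresses (documentation ranges) are constructed; only three of the six VLANs are shown.

```cisco
! Two VRFs: VLANs 10 and 20 share VRF_A, VLAN 30 is alone in VRF_B.
ip vrf VRF_A
 description VLANs 10 and 20, may talk to each other
 rd 65000:1
!
ip vrf VRF_B
 description VLAN 30, isolated from VRF_A
 rd 65000:2
!
! Anti-spoofing on the uplink: nothing arriving from the ISP may carry one of
! our own source addresses. This also catches any inter-VRF packet that slips
! out the default route and is hairpinned back to us by the ISP.
ip access-list extended ISP-IN
 deny   ip 198.51.100.0 0.0.0.255 any log
 permit ip any any
!
interface GigabitEthernet0/0
 description ISP uplink, global routing table
 ip address 203.0.113.2 255.255.255.252
 ip access-group ISP-IN in
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding VRF_A
 ip address 198.51.100.1 255.255.255.224
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding VRF_A
 ip address 198.51.100.33 255.255.255.224
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip vrf forwarding VRF_B
 ip address 198.51.100.65 255.255.255.224
!
! Upstream leak: each VRF's default route has its next hop resolved in the
! global table ("global" keyword) and leaves via Gi0/0 toward the ISP.
ip route vrf VRF_A 0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.1 global
ip route vrf VRF_B 0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.1 global
!
! Without these, a VRF_A host addressing VRF_B would simply follow the default
! route to the ISP, which routes the aggregate straight back into Gi0/0.
! More-specific Null0 routes drop that traffic inside the router instead.
ip route vrf VRF_A 198.51.100.64 255.255.255.224 Null0
ip route vrf VRF_B 198.51.100.0 255.255.255.224 Null0
ip route vrf VRF_B 198.51.100.32 255.255.255.224 Null0
!
! Downstream leak: return traffic arrives in the global table, so the global
! table needs a route to each subnet pointing at the VRF interface that owns it.
ip route 198.51.100.0 255.255.255.224 GigabitEthernet0/1.10
ip route 198.51.100.32 255.255.255.224 GigabitEthernet0/1.20
ip route 198.51.100.64 255.255.255.224 GigabitEthernet0/1.30
```

To check the result, `show ip route vrf VRF_A` should list the two connected /27s, the Null0 route for VRF_B's space and the default; `ping vrf VRF_A 198.51.100.65` must fail while `ping vrf VRF_A 203.0.113.1` succeeds. The Null0 routes are what actually enforce the isolation inside the router; the uplink ACL is defence in depth, and `log` on its deny entry shows whether anything is being bounced off the ISP. If the router also does NAT for these VLANs, the NAT statements must be made VRF-aware, which is not shown here.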
05-23-2012 02:14 PM
Why not use private vlans? Wonder if they are supported on 2821.
05-23-2012 03:25 PM
Hi,
you could simply write an ACL denying the net IDs you don't want each of your VLANs to have access to, and then bind it to the respective VLAN's L3 interface.
What switch are you using, by the way?
Please rate if it helped.
Soroush.
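The ACL approach suggested in the reply above, as an added worked configuration that is not from any of the posts. Constructed addressing: VLANs 10, 20 and 30 are /24s carved from 10.0.0.0/16 on Gi0/1 sub-interfaces, and Gi0/0 is the Internet uplink. The policy is that VLAN 10 and VLAN 20 may reach each other, VLAN 30 is isolated from both, and every VLAN may reach the Internet; only three of the six VLANs are shown.

```cisco
! Each ACL is applied inbound on its VLAN's L3 interface, so it filters what
! that VLAN is allowed to send. IOS evaluates entries in order and the first
! match wins, so: permits for the router's own services and for the allowed
! internal peers come first, then a broad deny of all internal space, then
! the catch-all permit that gives Internet access. Every entry matches only
! the VLAN's own source range, so spoofed sources hit the implicit deny.
ip access-list extended VLAN10-IN
 remark DHCP discovers are sourced from 0.0.0.0, so they need an explicit permit
 permit udp any eq bootpc any eq bootps
 remark the VLAN's own gateway sits inside 10.0.0.0/16, so permit it before the deny
 permit ip 10.0.10.0 0.0.0.255 host 10.0.10.1
 permit ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 deny   ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.255.255 log
 permit ip 10.0.10.0 0.0.0.255 any
!
ip access-list extended VLAN20-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.0.20.0 0.0.0.255 host 10.0.20.1
 permit ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.20.0 0.0.0.255 10.0.0.0 0.0.255.255 log
 permit ip 10.0.20.0 0.0.0.255 any
!
ip access-list extended VLAN30-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.0.30.0 0.0.0.255 host 10.0.30.1
 deny   ip 10.0.30.0 0.0.0.255 10.0.0.0 0.0.255.255 log
 permit ip 10.0.30.0 0.0.0.255 any
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-IN in
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30-IN in
```

Because each VLAN is filtered at its own ingress, both directions of a forbidden pair are covered: VLAN 30 to VLAN 10 is dropped by VLAN30-IN and VLAN 10 to VLAN 30 by VLAN10-IN, so no outbound ACLs are needed. `show ip access-lists` shows per-entry hit counters, which is the quickest way to confirm the policy is matching as intended; the `log` keyword on the deny entries records offenders but is rate-limited and adds CPU load, so remove it once the policy is verified. NAT for the Internet-bound traffic is not shown.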
05-23-2012 09:14 PM
Private VLANs are not supported by routers on their own, only by switches and switching modules.
ACLs are a good way when there are not so many VLANs and policies.