Cisco Support Community

New Member

best way to block a vlan from accessing other vlans

I have a LAN with 6 VLANs and a 2821 router. By default, inter-VLAN routing is enabled for all VLANs; however, I want specific VLANs to be denied access to others, though all should still be able to use the Internet, which is served from GE/0.

6 REPLIES
Bronze

best way to block a vlan from accessing other vlans

Use VRFs and route-leaking. Here, probably, it is enough to use static routes with explicit interface statements.

New Member

Re: best way to block a vlan from accessing other vlans

Could you elaborate? I was thinking about using ACLs.

Bronze

Re: best way to block a vlan from accessing other vlans

Oh, sure you may use ACLs.

A VRF is (roughly) a group of VLANs that are allowed to talk to each other. By default the router does not route traffic between VRFs, so this gives you full isolation.

By default there exists one VRF (the global routing table). You may put your G0/0 into it (by default it is already there) and all other interfaces and subinterfaces into different VRFs.

Let's take one of the VRFs (VRF_A). Here you need to put a command

 ip route vrf VRF_A 0.0.0.0 0.0.0.0 GigabitEthernet0/0

or in some cases

 ip route vrf VRF_A 0.0.0.0 0.0.0.0 <isp-next-hop> global

By doing so you allow VRF_A to send traffic upstream through G0/0.

Now you need to talk to your ISP about routes in your VRFs. The best way is to aggregate them into one supernet (probably you have already done it).

And last but not least: you need to allow incoming traffic into the VRFs from G0/0. You may use static routes or PBR, as you wish.
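
A worked VRF-lite configuration along the lines of this reply, as an added example that is not part of the original thread. Assumed, because the thread does not say: Gi0/0 is the ISP uplink (global table), Gi0/1 is an 802.1Q trunk to the LAN switch, three VLANs (10 Office, 30 Servers, 20 Guest) stand in for the poster's six, the site uses the public aggregate 198.51.100.0/24 (documentation range) that the ISP routes to this router, no NAT is involved, and the VRF and VLAN names are made up for the example.

```cisco
! VRF-lite isolation on a 2821 (added example, not from the thread).
! Assumptions: Gi0/0 = ISP uplink in the global table; Gi0/1 = trunk to the
! switch; aggregate 198.51.100.0/24 split into one /26 per VLAN; no NAT.
!
ip vrf OFFICE
 rd 65000:10
ip vrf GUEST
 rd 65000:20
!
interface GigabitEthernet0/0
 description Upstream to ISP (stays in the global table)
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/1
 description Trunk to LAN switch
 no ip address
 no shutdown
!
! "ip vrf forwarding" must come before "ip address": applying it clears the address.
interface GigabitEthernet0/1.10
 description VLAN 10 Office
 encapsulation dot1Q 10
 ip vrf forwarding OFFICE
 ip address 198.51.100.1 255.255.255.192
interface GigabitEthernet0/1.30
 description VLAN 30 Servers (same VRF as Office, so the two may talk)
 encapsulation dot1Q 30
 ip vrf forwarding OFFICE
 ip address 198.51.100.129 255.255.255.192
interface GigabitEthernet0/1.20
 description VLAN 20 Guest (own VRF, isolated from all other VLANs)
 encapsulation dot1Q 20
 ip vrf forwarding GUEST
 ip address 198.51.100.65 255.255.255.192
!
! Outbound: each VRF gets a default route whose next hop is resolved in the
! global table, so both VRFs can send traffic upstream through Gi0/0.
ip route vrf OFFICE 0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.1 global
ip route vrf GUEST  0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.1 global
!
! Inbound: the global table needs a route back into each VRF interface so that
! replies arriving from the ISP are delivered (static routes with an explicit
! interface, as the reply suggests).
ip route 198.51.100.0   255.255.255.192 GigabitEthernet0/1.10
ip route 198.51.100.128 255.255.255.192 GigabitEthernet0/1.30
ip route 198.51.100.64  255.255.255.192 GigabitEthernet0/1.20
!
! Guard: without these, a Guest packet addressed to an Office host follows the
! default route out to the ISP, the ISP routes the /24 straight back, and the
! global table hands it into the OFFICE VRF. Black-hole the whole aggregate
! inside each VRF; the VRF's own connected /26s are more specific and still win.
ip route vrf OFFICE 198.51.100.0 255.255.255.0 Null0
ip route vrf GUEST  198.51.100.0 255.255.255.0 Null0
```

To check the result, `show ip route vrf GUEST` should list only the Guest /26, the Null0 route and the default; `ping vrf GUEST 198.51.100.1` (Office gateway) must fail while `ping vrf OFFICE 198.51.100.129` and a ping from either VRF to an Internet address succeed. If the site uses private addresses instead, the `ip nat` statements must be made VRF-aware as well, which this example does not cover.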

best way to block a vlan from accessing other vlans

Why not use private VLANs? I wonder if they are supported on the 2821.

Gold

best way to block a vlan from accessing other vlans

Hi,

You could simply write an ACL denying the network IDs you don't want each of your VLANs to have access to, and then bind it to the respective VLAN's L3 interface.

What switch are you using, by the way?

Please rate if it helped.

Soroush.

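
The ACL approach from this reply written out for a router-on-a-stick, as an added example that is not part of the original thread. Assumed, because the thread does not give them: Gi0/1 is the trunk to the switch, three VLANs stand in for the poster's six (10 Office 198.51.100.0/26, 20 Guest 198.51.100.64/26, 30 Servers 198.51.100.128/26, gateway at the first address of each), the ACL names are made up, and the policy is: Guest reaches only the Internet, Office may open connections to Servers, Servers may not open connections to Office, and everyone reaches the Internet.

```cisco
! Per-VLAN ACLs on the router's L3 subinterfaces (added example, not from the thread).
! Assumed addressing: VLAN 10 Office 198.51.100.0/26, VLAN 20 Guest 198.51.100.64/26,
! VLAN 30 Servers 198.51.100.128/26; the aggregate is 198.51.100.0/24.
!
! Guest: may reach its own gateway and the Internet; any other internal subnet is denied.
! If the router or an internal host serves DNS/DHCP to guests, permit that before the deny.
ip access-list extended FROM-GUEST
 remark Guest (VLAN 20) - Internet only
 permit ip any host 198.51.100.65
 deny   ip any 198.51.100.0 0.0.0.255
 permit ip any any
!
! Office: only Guest is blocked; Servers and the Internet stay reachable.
ip access-list extended FROM-OFFICE
 remark Office (VLAN 10) - no access to Guest
 deny   ip any 198.51.100.64 0.0.0.63
 permit ip any any
!
! Servers: an ACL is stateless, so the reply half of Office-initiated TCP sessions
! (segments with ACK or RST set, matched by "established") must be permitted before
! server-initiated traffic to Office is denied. UDP and ICMP carry no such flag;
! add explicit permits for the replies you need.
ip access-list extended FROM-SERVERS
 remark Servers (VLAN 30) - TCP replies to Office allowed; new sessions to Office and all traffic to Guest denied
 permit tcp 198.51.100.128 0.0.0.63 198.51.100.0 0.0.0.63 established
 deny   ip any 198.51.100.0 0.0.0.63
 deny   ip any 198.51.100.64 0.0.0.63
 permit ip any any
!
! Bind each list inbound on the VLAN's subinterface, i.e. on traffic sourced by
! that VLAN's hosts, so each VLAN's policy lives in exactly one place.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 198.51.100.1 255.255.255.192
 ip access-group FROM-OFFICE in
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 198.51.100.65 255.255.255.192
 ip access-group FROM-GUEST in
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 198.51.100.129 255.255.255.192
 ip access-group FROM-SERVERS in
```

`show ip access-lists` shows per-entry hit counts, which is the quickest way to confirm a test ping or connection hit the line you expected. Two caveats a practitioner should keep in mind: because both FROM-GUEST and FROM-OFFICE deny the other side, Guest and Office are cut off in both directions, but a one-sided deny would still let UDP and ICMP through from the unfiltered side; and `established` only inspects TCP flags, so a host in Servers can send unsolicited ACK-flagged packets into Office. Where real session state matters, reflexive ACLs or the IOS zone-based firewall (if the 2821's image includes the security feature set) are the stronger tool.
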
Bronze

best way to block a vlan from accessing other vlans

Private VLANs are not supported by routers on their own, only by switches and switching modules.

ACLs are a good way when there are not too many VLANs and policies.
