Cisco Support Community

New Member

How to disable routing between vlans for 2 vlans

Hi,

I have a layer 3 switch and I enabled IP routing on it. Now I wish that 2 VLANs don't route between them and the traffic is automatically forwarded to the gateway. Is this possible?

Thanks

Etienne

2 ACCEPTED SOLUTIONS

How to disable routing between vlans for 2 vlans

Sure, you can disable inter-VLAN routing between two VLANs.

It is called a VLAN access-map; follow the example shown below.

interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description VLAN connected to Firewall for accessing Internet
 ip address 10.10.10.1 255.255.255.252
!
interface Vlan10
 description User one
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description User two
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 description Users three
 ip address 10.0.30.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
ip access-list standard INTERNET
 permit any
!
ip access-list extended DENY-INTERNAL
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
-----------------------------------------------------
vlan access-map RIZ-VLAN-MAP 10
 action drop
 match ip address DENY-INTERNAL
vlan access-map RIZ-VLAN-MAP 20
 action forward
 match ip address INTERNET
!
vlan filter RIZ-VLAN-MAP vlan-list 10-30
-----------------------------------------------------

In this example, users on the three VLANs 10, 20 and 30 can access only VLAN 2, which is the Internet-facing VLAN, and there is no access between VLANs 10, 20 and 30.

Hope this helps.

Thanks

Rizwan Rafeek

How to disable routing between vlans for 2 vlans

You can use Policy Based Routing, which CAN forcefully send all the traffic reaching the VLAN interfaces to the gateway.

Eg:

10.170.10.10 is the gateway IP

---------------------------------------------------------------------------------------
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
!
route-map vlan500 permit 10
 match ip address 100
 set ip next-hop 10.170.10.10
!
route-map vlan600 permit 10
 match ip address 110
 set ip next-hop 10.170.10.10
!
int vlan 500
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map vlan500
!
int vlan 600
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map vlan600
---------------------------------------------------------------------------------------

Hope it helps

Neeraj

11 REPLIES
Bronze

How to disable routing between vlans for 2 vlans

What is the gateway? A router?

New Member

How to disable routing between vlans for 2 vlans

Could you elaborate why you would want to do this? What is the specific problem you are trying to solve?


New Member

How to disable routing between vlans for 2 vlans

Thanks for your answer. Then, if I need communication between VLANs, is it possible to route traffic to the gateway and then have the gateway route the traffic back to the router? Basically the gateway is an ASA and I would like to control access with a firewall even between VLANs. For design reasons I can't place the VLAN interfaces directly on the ASA.

Thanks

Etienne

How to disable routing between vlans for 2 vlans

Yes, you can, but this would require additional configuration on the ASA, as this would need U-turning of traffic coming from the inside interface back out through the same interface.

How to disable routing between vlans for 2 vlans

"control access with a firewall even between vlans."

This will complicate your firewall configuration, as this will require NAT between interface VLANs on the firewall for you to control access between VLANs.

So, stick with controlling inter-VLAN traffic on your L3 switch itself.

Thanks

Rizwan Rafeek

How to disable routing between vlans for 2 vlans

"Then, if I need communication between VLANs, is it possible to route traffic to the gateway and then have the gateway route the traffic back to the router?"

Sure, you can enable it again when you want to route inter-VLAN traffic between two VLANs.

VLAN filters between VLANs are applied by this particular command: "vlan filter RIZ-VLAN-MAP vlan-list 10-30"

In this example, all three VLANs cannot access each other.

However, if you want to enable traffic between two VLANs, then remove the particular VLANs from the filter; example below.

vlan filter RIZ-VLAN-MAP vlan-list 10

As you can see now, traffic will flow between VLAN 20 and VLAN 30 (i.e. inter-VLAN traffic routing is enabled), however VLAN 10 can only access VLAN 2, which faces the firewall, for Internet access only.

Hope that helps.

Thanks

Rizwan Rafeek

Cisco Employee

How to disable routing between vlans for 2 vlans

Imagine you have two layer 3 VLANs as below and you need to prevent inter-VLAN routing between them.

You can use ACLs to serve the purpose.

Example:

!
interface Vlan10
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.0.1 255.255.255.0
!

interface Vlan10
 ip address 10.0.1.1 255.255.255.0
 ip access-group 102 in
end
!
interface Vlan20
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
end

CSC#sh access-list 101
Extended IP access list 101
    10 deny ip any 10.0.1.1 0.0.0.255
    20 permit ip any any

CSC#sh access-list 102
Extended IP access list 102
    10 deny ip any 10.0.0.1 0.0.0.255
    20 permit ip any any
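As an added check (not code from the thread or from Cisco), the following Python models IOS wildcard matching, first-match ACL lookup and VACL sequence evaluation, and runs both Rizwan's accepted vlan access-map and the router ACL 102 above against constructed flows. It assumes documented Catalyst behaviour: a VACL filters bridged and routed traffic alike and drops IP packets that match no sequence, whereas a router ACL on an SVI only sees packets routed off the subnet, so the two approaches differ for hosts inside the same VLAN.

```python
import ipaddress

# Minimal model of IOS ACL and VACL evaluation (added illustration, not Cisco
# code). An ACE is (action, src, src_wc, dst, dst_wc); ACEs come from the thread.

def match_wildcard(ip, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    ip_i, base_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (ip_i & ~wc_i) == (base_i & ~wc_i)

def acl_lookup(acl, src, dst):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if match_wildcard(src, s, s_wc) and match_wildcard(dst, d, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# Rizwan's ACLs; the standard ACL INTERNET checks only the source, so it is
# written here as any/any.
INTERNET = [("permit", *ANY, *ANY)]
DENY_INTERNAL = [("permit", "10.0.0.0", "0.0.255.255", "10.0.0.0", "0.0.255.255")]
# vlan access-map RIZ-VLAN-MAP as (sequence, action, match ACL)
RIZ_VLAN_MAP = [(10, "drop", DENY_INTERNAL), (20, "forward", INTERNET)]

def vacl_verdict(vacl, src, dst):
    """A sequence applies when its match ACL permits the packet. VACLs see
    bridged and routed traffic; an IP packet matching no sequence is dropped."""
    for _seq, action, acl in vacl:
        if acl_lookup(acl, src, dst) == "permit":
            return action
    return "drop"

# Router ACL 102 from the reply above (inbound on SVI Vlan10). The host bits in
# '10.0.0.1 0.0.0.255' are ignored by the wildcard, so it means 10.0.0.0/24.
ACL_102 = [("deny", *ANY, "10.0.0.1", "0.0.0.255"), ("permit", *ANY, *ANY)]

def racl_verdict(acl, svi_subnet, src, dst):
    """A router ACL on an SVI only sees packets routed off the subnet; frames
    bridged within the VLAN never reach it, so they are not filtered."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(svi_subnet):
        return "forward"
    return "forward" if acl_lookup(acl, src, dst) == "permit" else "drop"

if __name__ == "__main__":  # constructed sample flows; 203.0.113.7 stands for the Internet
    for dst in ("203.0.113.7", "10.10.10.2", "10.0.20.5", "10.0.10.6"):
        print("VACL 10.0.10.5 ->", dst, vacl_verdict(RIZ_VLAN_MAP, "10.0.10.5", dst))
    for dst in ("203.0.113.7", "10.0.0.9", "10.0.1.6"):
        print("RACL 10.0.1.5 ->", dst, racl_verdict(ACL_102, "10.0.1.0/24", "10.0.1.5", dst))
```

The VACL run shows the point a practitioner wants to see before deploying `vlan filter`: 10.0.10.5 to 10.0.10.6 is dropped too, because the permit in DENY-INTERNAL also covers hosts in the same /24, while the router ACL leaves such intra-VLAN traffic untouched.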


Bronze

How to disable routing between vlans for 2 vlans

I think a simple way would have been to use pruning of VLANs, and they won't be forwarded across trunks.

Cisco Employee

How to disable routing between vlans for 2 vlans

One more option is to block SVI interfaces for particular VLANs, while also having a trunk to an ASA. In that case, traffic from one VLAN would simply be switched to the ASA, which you can make your default gateway, and it then will do routing like a router on a stick.

The other thing is that even with the SVI enabled, if a host sends a packet to the default gateway within the VLAN, which is the ASA IP address in that VLAN, then the switch will not do inter-VLAN routing but will switch the traffic to the ASA based on its MAC. It is the ASA then that will do L3 routing based on the destination IP and forward the packet out in the correct destination VLAN. Thus, if all your hosts are correctly set up with the ASA IP as default gateway, I don't see any reason for changes.

Nik
