
Inter VLan filtering policy

mazhar mahadik
Level 1

Hi Experts,

I have a basic question; I'm a bit confused about the scenario below:

1) There are 3 LANs: A, B, C
2) VLANs B & C cannot access VLAN A
3) but VLAN A should be allowed to access servers in VLANs B & C.

I have to implement this on a switch.

Thanks in advance,

Mazhar


Jason Masker
Level 1

You would implement this with access lists on your VLAN routing interfaces. For example, say the VLANs are 100, 101, 102. You would have routing interfaces to facilitate routing between VLANs that look something like the following:

interface vlan 100
 ip address 192.168.0.1 255.255.255.0

interface vlan 101
 ip address 192.168.1.1 255.255.255.0

interface vlan 102
 ip address 192.168.2.1 255.255.255.0

To add access filtering, simply add an access list like so:

interface vlan 100
 ip access-group FILTER in

You would define the FILTER access list to permit the desired subnets and deny the undesirable subnets.

Thanks Jason,
If I have understood correctly, then in this case I'll deny traffic sourced from 101 & 102 towards VLAN 100,
but I want VLAN 100 to access 101 and 102, so in the above case return traffic from VLAN 101 & 102 towards 100 will be denied.

My requirement is that 101 & 102 should not access 100, but 100 should access 101 & 102.

java-1234
Level 1

You can use an access list with the 'established' keyword.

Alternatively, you can look into reflexive access lists.

http://www.firstdigest.com/2009/03/cisco-how-to-use-reflexive-access-list-and-why-they-are-useful/
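
The two suggestions above written out for the thread's subnets, as an added example that is not part of any reply. It assumes the ACLs are bound to the VLAN 100 routing interface, the ACL names are hypothetical, and the trailing `permit ip any any` lines are an assumption about traffic the thread does not mention. Reflexive ACL support varies by platform, so confirm it on the switch before relying on Option B.

```cisco
! Constructed example. Subnets are the ones used in the thread:
!   VLAN 100 = 192.168.0.0/24 (protected)
!   VLAN 101 = 192.168.1.0/24, VLAN 102 = 192.168.2.0/24
! Apply Option A or Option B, not both (one ACL per direction per interface).
!
! ---- Option A: 'established' keyword (TCP replies only) ----
ip access-list extended TO-VLAN100-EST
 remark TCP segments with ACK or RST set, i.e. replies to VLAN 100 clients
 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 established
 permit tcp 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 established
 remark Everything else sourced from VLAN 101/102 is dropped
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
 remark Assumption: other sources are not restricted by this policy
 permit ip any any
!
interface Vlan100
 ! "out" = packets the switch routes onto VLAN 100
 ip access-group TO-VLAN100-EST out
!
! ---- Option B: reflexive ACL (TCP, UDP and ICMP replies) ----
ip access-list extended FROM-VLAN100-RFX
 remark Record each flow that VLAN 100 opens toward VLAN 101/102
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 reflect VLAN100-SESSIONS
 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect VLAN100-SESSIONS
 remark Assumption: VLAN 100 traffic to other destinations is unrestricted
 permit ip any any
!
ip access-list extended TO-VLAN100-RFX
 remark Allow only packets that match a recorded flow
 evaluate VLAN100-SESSIONS
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip any any
!
interface Vlan100
 ! "in" = packets arriving from VLAN 100 hosts to be routed
 ip access-group FROM-VLAN100-RFX in
 ip access-group TO-VLAN100-RFX out
```

`established` only tests for the ACK or RST flag, so it lets TCP replies back in but not UDP or ICMP replies, and it does not track sessions. The reflexive variant creates temporary entries per flow, which is why it also returns UDP and ICMP replies to VLAN 100.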
