
New Member

ACL for Vlan

I have about 10 Vlans setup on my Layer 3 switches, I want to setup a special Vlan that has no access to the other vlans and no other vlans have access to it.

Vlans 1-10

Vlan 11 is the Private Vlan I'm talking about.

Can someone tell me exactly what the ACL for this Vlan 11 would be?

4 REPLIES
Super Bronze

Re: ACL for Vlan

What routes between the 'private' vlan and other devices?

If the devices in the Vlan11 need no access outside the VLAN at all, just delete the VLAN11 interface:

! Removing the SVI leaves VLAN 11 as a pure Layer 2 VLAN: nothing routes in or out of it
no interface vlan 11

If they must have access to some resources, then put an ACL like this on interface vlan 11:

! Extended IOS ACLs take wildcard masks (1 = don't care), not subnet masks:
! 0.255.255.255 is the wildcard for a /8, whereas 255.0.0.0 would match the wrong bits
access-list 101 permit ip 10.x.x.x 0.255.255.255 20.x.x.x 0.255.255.255
! Apply it inbound on the SVI so it filters traffic sourced by VLAN 11 hosts
interface vlan 11
 ip access-group 101 in

Where 10.x.x.x 255.0.0.0 represents the IP subnet in use on VLAN 11, and 20.x.x.x represents the IP subnet you want to permit access to. The ACL will have an invisible 'deny all' statement at the end which will block all other traffic.

Hope this helps

Regards

Aaron

Please rate helpful posts

Aaron

Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
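An added illustration (not code from the thread or from Cisco) of how the reply's ACL is evaluated: it parses `access-list <n> permit|deny ip <src> <wildcard> <dst> <wildcard>` lines, applies IOS wildcard-mask semantics, and falls through to the implicit deny. The subnets 10.0.0.0/8 for VLAN 11, 20.0.0.0/8 for the permitted resource and 192.168.1.0/24 for another VLAN are constructed sample values; the second ACL shows what happens when a subnet mask is typed where a wildcard belongs.

```python
import ipaddress

# Constructed sample ACLs. The first uses the correct /8 wildcard, the
# second uses a subnet mask in the wildcard position by mistake.
CORRECT_ACL = "access-list 101 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255"
INVERTED_ACL = "access-list 101 permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(config: str) -> list:
    """Collect (action, src, src_wc, dst, dst_wc) from the 'ip' entries of a numbered ACL."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[0] == "access-list" and parts[3] == "ip":
            entries.append((parts[2], parts[4], parts[5], parts[6], parts[7]))
    return entries


def evaluate(entries: list, src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for action, s, sw, d, dw in entries:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


if __name__ == "__main__":
    # Flows sourced by a VLAN 11 host, as seen by an inbound ACL on interface vlan 11
    flows = [("10.1.2.3", "20.4.5.6"), ("10.1.2.3", "192.168.1.10")]
    for name, acl in (("correct", CORRECT_ACL), ("inverted", INVERTED_ACL)):
        for src, dst in flows:
            print(f"{name:8} {src} -> {dst}: {evaluate(parse_acl(acl), src, dst)}")
```

With the correct wildcard the flow to 20.0.0.0/8 is permitted and the flow to the other VLAN hits the implicit deny; with the inverted mask even the intended flow is denied, because 255.0.0.0 as a wildcard requires the last three octets to equal zero.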
New Member

Re: ACL for Vlan

Will it block all traffic?

Meaning no vlan will access vlan 11, and vlan 11 will not be able to access any other vlans?

Blue

Re: ACL for Vlan

What type of switch?

Bottom line, the best way to block ALL traffic from one VLAN to another is to not allow routing between the VLANs.

If you have two switches and you want a VLAN created that both switches can use but that cannot communicate with any other VLAN, then all you need to do is to add the VLAN to the vlan database.

(DO NOT ADD A VLAN INTERFACE, as this will allow routing between that VLAN and the others; just add the VLAN to the database.)

After you add the VLAN to the database, be sure you have a trunk that supports that VLAN between the switches, or at least an etherchannel whose ports belong to the VLAN in question.

Last but not least, add ports to that VLAN. Any devices on ports that belong to this VLAN can talk to each other but not to any devices in any other VLANs. Is this clear or confusing?

New Member

Re: ACL for Vlan

I need to create an interface vlan 11 because I will be doing HSRP between 2 layer 3 switches, but all I need is for other vlans not to access this vlan and this vlan not to access other vlans.
