Blocking VLAN to VLAN access via ACL's

belser · ‎05-03-2002

Hello,

We have a Catalyst 3550 running VTP with 5 VLANs. We would like to maintain routing on all 5 VLANS such that they all still have internet acces. Two of them we would like to block from the other 3.

For instance:

if VLAN1, 2, and 3 are associated with the subnets 172.18.4.0/24, 172.18.8.0/24, and 172.18.12.0/24 and VLANs 4 and 5 are accociated with 172.18.14.0/24 and 172.18.16.0/24

We would like to block access from VLAN 4 and 5 to everything except the gateway of last resort for internet access. Can I do this with VTP turned on using ACL's? Also how would this be implemented using the above scheme

Thank you for your time,

DF

joaopedro · ‎05-03-2002

I don't know where your problem is but I will try to answer...

You can use ACLs on the subinterfaces.

Suppose the GW of last resort is X.X.X.X. Create the following ACL for VLAN 4:

access-list 100 permit ip 172.18.14.0 0.0.0.255 X.X.X.X 0.0.0.0

and the following for VLAN 5:

access-list 110 permit ip 172.18.16.0 0.0.0.255 X.X.X.X 0.0.0.0

and apply them to the corresponding subinterfaces.

Is that it?

belser · ‎05-03-2002

Basically we have two training VLANs that they don't want to have access to the rest of the network, but still have internet access. VLAN 4 and 5 are the Training VLANs.

So this should follow this criteria?