
How to deny access between VLANs

vvelasco
Level 1

Hi, I successfully set up InterVLAN routing using one Catalyst 3500 XL with a 2811 router (with a 16-port Ethernet module). I created a lot of VLANs, each with a different IP segment, but I want to deny access between certain VLANs.

I have VLAN 103 (Management) and VLAN 101 (Warehouse). I want both VLANs to have access to VLAN 500 (Servers) but not to each other.

Any suggestions?

Thanks in advance

1 Reply

Richard Burts
Hall of Fame

Victor

If you have created the VLANs and have configured appropriate routing so that they can communicate with each other, and now you want to restrict some access, you would need to create some access lists and apply those access lists to the layer 3 interfaces where the routing is being done.

You have not indicated what IP addressing you are using, so we cannot create exact examples. But assuming that VLAN 101 is using addresses in 172.16.101.0 and that VLAN 103 is using addresses in 172.16.103.0, then the access lists might look something like this:

access-list 101 deny ip 172.16.103.0 0.0.0.255 any

access-list 101 permit ip any any

!

access-list 103 deny ip 172.16.101.0 0.0.0.255 any

access-list 103 permit ip any any

Then on the layer 3 interface for VLAN 101 you would configure:

ip access-group 101 out

and on the layer 3 interface for VLAN 103 you would configure:

ip access-group 103 out

These access lists will not let any traffic sourced from VLAN 103 get into VLAN 101 and will allow all other traffic. And they will not let any traffic sourced from VLAN 101 get into VLAN 103 and will allow all other traffic.

HTH

Rick
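
An added check, not part of the original thread: a small Python model of IOS first-match ACL evaluation that runs access lists 101 and 103 from the reply against one host per VLAN and reports which VLAN pairs are dropped for each `ip access-group` direction. The VLAN 500 subnet (172.16.50.0/24), the host addresses and all function names are assumptions made for the example, and only routed host-to-host traffic is modelled.

```python
import ipaddress

# The two ACLs from the reply as (action, source, wildcard); destination is "any".
ACLS = {
    101: [("deny", "172.16.103.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")],
    103: [("deny", "172.16.101.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")],
}
# VLAN 101/103 subnets follow the reply; the VLAN 500 subnet is an assumption.
VLANS = {101: "172.16.101.0/24", 103: "172.16.103.0/24", 500: "172.16.50.0/24"}
# One constructed sample host per VLAN.
HOSTS = {101: "172.16.101.10", 103: "172.16.103.10", 500: "172.16.50.10"}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def acl_permits(acl, src):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, base, wildcard in ACLS[acl]:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False


def vlan_of(addr):
    ip = ipaddress.ip_address(addr)
    return next(v for v, net in VLANS.items() if ip in ipaddress.ip_network(net))


def forwarded(src, dst, bindings):
    """bindings maps (vlan, direction) to an ACL number, modelling
    `ip access-group <acl> <direction>` on that VLAN's layer 3 interface.
    A routed packet meets the ingress VLAN's "in" ACL, then the egress VLAN's "out" ACL."""
    for key in ((vlan_of(src), "in"), (vlan_of(dst), "out")):
        if key in bindings and not acl_permits(bindings[key], src):
            return False
    return True


def blocked_pairs(direction):
    """(source VLAN, destination VLAN) pairs dropped when both ACLs use `direction`."""
    bindings = {(101, direction): 101, (103, direction): 103}
    return sorted((s, d) for s in HOSTS for d in HOSTS
                  if s != d and not forwarded(HOSTS[s], HOSTS[d], bindings))


if __name__ == "__main__":
    for direction in ("in", "out"):
        print(direction, blocked_pairs(direction))
```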