Cisco Support Community
Community Member

INTER-VLAN Routing

I have a L3 switch with several vlan interfaces. I want to add another vlan interface that is restricted (isolated) from the other vlans. What would be the best way to go about doing this? Should I create an extended ACL and then apply it to the VLAN interface? I believe VACL are intended for intra-vlan situations, is this correct?

Thanks,

Joel

6 REPLIES
Blue

Re: INTER-VLAN Routing

To add a VLAN interface and not have it be able to communicate with the other VLAN interfaces, you will need to set up VACLs.

These will allow/deny communication to/from VLANs.

see this link for more info:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801609f6.html

Community Member

Re: INTER-VLAN Routing

Hi Joel,

It is my understanding that VACLs are applied to all traffic seen on a given VLAN, whereas "normal" ACLs are applied to the L3 SVI. In other words, they are applied only to traffic leaving or coming to that network via the L3 sub-interface for that VLAN.

VLAN usage implies isolation from other VLANs, so I assume when you say isolation you mean that you want the new VLAN to be able to access other networks (for instance perhaps the Internet), though you do not want hosts on any other local VLAN to access it. I would write an ACL for the sub-interface that simply (!) accommodates this: generally, allow all traffic from your special VLAN 'out' but deny traffic from the others 'in'. Hope this helps.

Community Member

Re: INTER-VLAN Routing

Do you really need the Layer 3 interface or by creating the layer 2 VLAN satisfy the goal? Could you tell us what you are trying to accomplish?

Thanks

Re: INTER-VLAN Routing

Hello,

Here is a configuration example with ACLs to restrict traffic between two VLANs (this is from a previous post from 'Bosalaza'):

Goal: to restrict traffic between two VLANs, but from these VLANs you want no traffic restrictions to e.g. the Internet. You can create an access list preventing traffic from one VLAN, and allowing traffic to the Internet. For example:

vlan x - 1.1.1.0/24
vlan y - 1.1.2.0/24

! standard ACL x: block sources in VLAN x, allow everything else
access-list x deny 1.1.1.0 0.0.0.255
access-list x permit any
! standard ACL y: block sources in VLAN y, allow everything else
access-list y deny 1.1.2.0 0.0.0.255
access-list y permit any

interface vlan x
 ip address 1.1.1.1 255.255.255.0
 ! outbound on SVI x: drops traffic sourced from VLAN y heading into VLAN x
 ip access-group y out

interface vlan y
 ip address 1.1.2.1 255.255.255.0
 ! outbound on SVI y: drops traffic sourced from VLAN x heading into VLAN y
 ip access-group x out

HTH,

GNT

Community Member

Re: INTER-VLAN Routing

How do I know if I should place the action of the Access List to be incoming, or outgoing on the interface?

Thanks,

Joel

Silver

Re: INTER-VLAN Routing

For incoming or outgoing, it depends on the usage. e.g. If you want to block the user from remote sites to your office, you have to set up incoming at your locations, or you can set up outgoing at the remote sites.

Hope this helps.
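As an added example (not code from this thread or from any of its posters), the following Python script models how an IOS-style standard ACL is evaluated on an SVI in the "in" and "out" directions, so you can check which flows GNT's two-VLAN configuration permits before applying it. It assumes the thread's placeholder names and addresses (vlan x/y, 1.1.1.0/24, 1.1.2.0/24) plus a constructed outside address (203.0.113.5) standing in for "the Internet".

```python
import ipaddress

# ACL and SVI configuration copied from the thread's example (placeholder
# names x/y and 1.1.x.0/24 addresses, not a real network).
ACLS = {
    "x": ["deny 1.1.1.0 0.0.0.255", "permit any"],
    "y": ["deny 1.1.2.0 0.0.0.255", "permit any"],
}
# SVI name -> (connected subnet, {direction: applied ACL})
SVIS = {
    "vlan x": ("1.1.1.0/24", {"out": "y"}),
    "vlan y": ("1.1.2.0/24", {"out": "x"}),
}

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def acl_action(acl_name, src):
    """Evaluate a standard ACL top-down on the source address; implicit deny at the end."""
    for line in ACLS[acl_name]:
        parts = line.split()
        action, target = parts[0], parts[1]
        if target == "any" or wildcard_match(src, target, parts[2]):
            return action
    return "deny"

def svi_for(addr):
    """Return the SVI whose subnet contains addr, or None (e.g. an Internet host)."""
    for name, (subnet, _) in SVIS.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(subnet):
            return name
    return None

def routed(src, dst):
    """Walk a routed packet through the ingress SVI ('in') and egress SVI ('out').

    'in' filters traffic arriving from hosts on that VLAN; 'out' filters traffic
    the switch forwards toward hosts on that VLAN. First matching deny wins.
    """
    for svi, direction in ((svi_for(src), "in"), (svi_for(dst), "out")):
        if svi is None:
            continue  # a non-SVI interface, e.g. the uplink to the Internet
        acl = SVIS[svi][1].get(direction)
        if acl and acl_action(acl, src) == "deny":
            return f"denied by access-list {acl} {direction} on {svi}"
    return "permitted"
```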
