New Member

InterVLAN routing help

I have a 1801 router and a 2950 switch with 3 VLANs. InterVLAN routing is setup and all 3 VLANs can talk to each other, now what I need to do is stop communication between the first 2 VLANs and the third (i.e. 1 & 2 can talk to each other and 3 can only talk to itself). All 3 VLANs need to be connected to the router for Internet access.

Any help would be appreciated, thanks

Accepted Solutions (2)
VIP Purple

Re: InterVLAN routing help

Hello,

the easiest way to accomplish this would be to apply an access list to the Vlan 1 and 2 interfaces. The configuration would look like this:

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 out
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any

This would allow Vlan 1 and 2 to talk to each other, but not Vlan 3 to talk to 1 and 2, effectively isolating Vlan 3.

I hope I didn't mess the access list up... can you try and see if this works? Obviously, the IP addresses used in this example are arbitrary and likely different in your case...

HTH,

GP

Hall of Fame Super Gold

Re: InterVLAN routing help

Georg

I think that you were in a hurry when you typed this:

- you have defined access-list 100 twice when you meant access-list 100 and access-list 101.

- you specify 192.168.3.0 as the source but if the access list is outbound on vlan1 and vlan2 then 192.168.3.0 would be the destination.

I think a simpler solution would be an inbound list on vlan3 which denies traffic from vlan3 to either vlan1 or vlan2 and allows other traffic (to the Internet). Using your example it would be like this:

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any

HTH

Rick
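As an added illustration that is not part of the thread, here is a small Python model of how the router evaluates Rick's accepted configuration: it parses the access-list lines exactly as written, applies ACL 100 inbound on Vlan3, and answers whether a given source-to-destination packet is forwarded. The subnets are the thread's example values; the outside address 203.0.113.5 used in the checks is a constructed placeholder, and the model only handles the "ip" keyword and contiguous wildcard masks.

```python
import ipaddress
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wildcard_to_net(addr, wildcard):
    # Cisco wildcard mask: 0 bits must match, 1 bits are "don't care" (contiguous masks only)
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_acl(lines):
    """Parse 'access-list <id> permit|deny ip <src> [wild] <dst> [wild]' into {id: [(action, src, dst)]}."""
    acls = {}
    for line in lines:
        tok = line.split()
        nets, i = [], 4                          # tokens after 'ip': src [wild] dst [wild]
        while i < len(tok):
            if tok[i] == "any":
                nets.append(ANY); i += 1
            else:
                nets.append(wildcard_to_net(tok[i], tok[i + 1])); i += 2
        acls.setdefault(tok[1], []).append((tok[2], nets[0], nets[1]))
    return acls

def acl_permits(rules, src, dst):
    for action, s, d in rules:                   # first matching line wins
        if src in s and dst in d:
            return action == "permit"
    return False                                 # implicit deny at the end of every Cisco ACL

def forwards(ifaces, acls, src, dst):
    # A packet must pass the 'in' ACL of its ingress SVI and the 'out' ACL of its egress SVI.
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    ingress = next((i for i in ifaces if src in i["net"]), None)   # None: arrived from the Internet
    egress = next((i for i in ifaces if dst in i["net"]), None)    # None: leaving to the Internet
    if ingress and "in" in ingress and not acl_permits(acls[ingress["in"]], src, dst):
        return False
    if egress and "out" in egress and not acl_permits(acls[egress["out"]], src, dst):
        return False
    return True

# Rick's accepted configuration from the thread: ACL 100 applied inbound on Vlan3 only.
ACLS = parse_acl("""
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
""".strip().splitlines())
IFACES = [
    {"name": "Vlan1", "net": ipaddress.IPv4Network("192.168.1.0/24")},
    {"name": "Vlan2", "net": ipaddress.IPv4Network("192.168.2.0/24")},
    {"name": "Vlan3", "net": ipaddress.IPv4Network("192.168.3.0/24"), "in": "100"},
]
```

Because an IOS ACL is stateless, the model also makes the caveat visible: a VLAN 1 host can still send packets to VLAN 3 (there is no list on Vlan1), but VLAN 3's replies are dropped by ACL 100, so anything needing a return path fails in both directions. If the forward packets should be dropped as well, add a matching list on the Vlan1 and Vlan2 interfaces as Ryan describes.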

4 REPLIES
Bronze

Re: InterVLAN routing help

Access List might do the trick.

http://www.cisco.com/en/US/products/ps5853/products_configuration_guide_chapter09186a0080458321.html#wp1119321

On the VLAN 1 and VLAN 2 interface apply an extended access list outbound that denies traffic destined to VLAN 3. Or you could apply a standard access list inbound that denies source traffic from VLAN 3.

On the VLAN 3 interface apply an extended access list outbound that denies traffic destined to VLAN 1 and 2. Or apply a standard access list inbound that denies source traffic from VLAN 1 and 2.

HTH,

Ryan

New Member

Re: InterVLAN routing help

Thank you both gpauwen and rburts, between both your posts I was able to get it working finally. I did mess around with ACLs but with no luck, and it looks like my problem was in the order I had the IPs in the rule; for example I had an inbound rule of "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255" (I was using SDM as it's a lot easier, and so 1.0 was the source and 3.0 was the destination). When I switched the source and destination around it worked fine, so now I have inbound and outbound rules that are the same:

inbound:
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip any any

outbound:
access-list sdm_vlan3_out deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list sdm_vlan3_out deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list sdm_vlan3_out permit ip any any

again thanks a lot

Jeff
