InterVLAN routing help

jmuise1018
Level 1

I have a 1801 router and a 2950 switch with 3 VLANs. InterVLAN routing is set up and all 3 VLANs can talk to each other. Now what I need to do is stop communication between the first 2 VLANs and the third (i.e. 1 & 2 can talk to each other and 3 can only talk to itself). All 3 VLANs need to be connected to the router for Internet access.

Any help would be appreciated, thanks

2 Accepted Solutions

Hello,

the easiest way to accomplish this would be to apply an access list to the Vlan 1 and 2 interfaces. The configuration would look like this:

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 out
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any

This would allow Vlan 1 and 2 to talk to each other, but not Vlan 3 to talk to 1 and 2, effectively isolating Vlan 3.

I hope I didn't mess the access list up... can you try and see if this works? Obviously, the IP addresses used in this example are arbitrary and likely different in your case...

HTH,

GP

Georg

I think that you were in a hurry when you typed this:

- you have defined access-list 100 twice when you meant access-list 100 and access-list 101.

- you specify 192.168.3.0 as the source but if the access list is outbound on vlan1 and vlan2 then 192.168.3.0 would be the destination.

I think a more simple solution would be an input list on vlan3 which denies traffic from vlan3 to either vlan1 or vlan2 and allows other traffic (to Internet). Using your example it would be like this:

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any

HTH

Rick

4 Replies

dnewell24
Level 1

Access List might do the trick.

http://www.cisco.com/en/US/products/ps5853/products_configuration_guide_chapter09186a0080458321.html#wp1119321

On the VLAN 1 and VLAN 2 interfaces apply an extended access list outbound that denies traffic destined to VLAN 3. Or you could apply a standard access list inbound that denies source traffic from VLAN 3.

On the VLAN 3 interface apply an extended access list outbound that denies traffic destined to VLAN 1 and 2. Or apply a standard access list inbound that denies source traffic from VLAN 1 and 2.

HTH,

Ryan

Thank you both gpauwen and rburts, between both your posts I was able to get it working finally. I did mess around with ACLs but with no luck, and it looks like my problem was in the order I had the IPs in the rule. For example I had an inbound rule of "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255" (I was using SDM as it's a lot easier, and so 1.0 was the source and 3.0 was the destination); when I switched the source and destination around it worked fine. So now I have inbound and outbound rules that are the same:

inbound:

access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip any any

outbound:

ip access-list extended sdm_vlan3_out
 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any

again thanks a lot

Jeff
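As an added example (not code from anyone in this thread), a small Python model of how IOS evaluates an extended access list on an interface (first matching entry wins, implicit deny at the end, wildcard masks) applied to the thread's three VLANs. It checks Rick's access-list 100 inbound on Vlan3 against Jeff's first attempt with source and destination swapped, and shows why the swapped version matches nothing. Host addresses, the Internet-side address 203.0.113.10 and the interface-to-subnet mapping are constructed for the example; the model is stateless, like the ACLs themselves.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": wildcard of all ones
# Router SVIs and their subnets, as in the thread's example config.
VLANS = {"Vlan1": "192.168.1.0/24", "Vlan2": "192.168.2.0/24", "Vlan3": "192.168.3.0/24"}

def matches(ip, network, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    care = ~wc & 0xFFFFFFFF
    return ip & care == net & care

def acl_permits(acl, src, dst):
    """Extended ACL evaluation: first matching entry wins, implicit deny at the end."""
    for action, snet, swc, dnet, dwc in acl:
        if matches(src, snet, swc) and matches(dst, dnet, dwc):
            return action == "permit"
    return False

def iface_for(ip):
    """Interface a host sits behind; anything outside the VLANs is the Internet side."""
    for name, net in VLANS.items():
        if ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(net):
            return name
    return "Internet"

def forwarded(src, dst, in_acls, out_acls):
    """True if a packet src->dst passes the ingress 'in' ACL and the egress 'out' ACL."""
    ingress, egress = iface_for(src), iface_for(dst)
    if ingress in in_acls and not acl_permits(in_acls[ingress], src, dst):
        return False
    return egress not in out_acls or acl_permits(out_acls[egress], src, dst)

# Rick's access-list 100, applied "ip access-group 100 in" on interface Vlan3.
ACL_100 = [("deny", "192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
           ("deny", "192.168.3.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
           ("permit", *ANY, *ANY)]
# Jeff's first attempt: the same denies with source and destination swapped.
# Inbound on Vlan3 every packet has a 192.168.3.x source, so they never match.
ACL_102_SWAPPED = [("deny", "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
                   ("deny", "192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
                   ("permit", *ANY, *ANY)]

def policy_report(acl):
    """Which test flows get through with `acl` applied inbound on Vlan3 only?"""
    flows = {"v1->v2": ("192.168.1.10", "192.168.2.10"),    # constructed host addresses
             "v3->v1": ("192.168.3.10", "192.168.1.10"),
             "v3->inet": ("192.168.3.10", "203.0.113.10"),  # TEST-NET-3 stands in for the Internet
             "v1->v3": ("192.168.1.10", "192.168.3.10")}
    return {k: forwarded(s, d, {"Vlan3": acl}, {}) for k, (s, d) in flows.items()}
```

With the list only inbound on Vlan3 the report still shows v1->v3 as delivered: hosts in Vlan 1 can send packets into Vlan 3 and only Vlan 3's replies are dropped, which is the gap Ryan's suggestion of lists on the Vlan 1 and Vlan 2 interfaces covers.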
