01-03-2006 11:50 AM - edited 03-03-2019 01:18 AM
I have a 1801 router and a 2950 switch with 3 VLANs. InterVLAN routing is set up and all 3 VLANs can talk to each other. Now what I need to do is stop communication between the first 2 VLANs and the third (i.e. 1 & 2 can talk to each other and 3 can only talk to itself). All 3 VLANs need to be connected to the router for Internet access.
Any help would be appreciated, thanks
01-03-2006 12:21 PM
Hello,
the easiest way to accomplish this would be to apply an access list to the Vlan 1 and 2 interfaces. The configuration would look like this:
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 100 out
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip access-group 101 out
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
This would allow Vlan 1 and 2 to talk to each other, but not Vlan 3 to talk to 1 and 2, effectively isolating Vlan 3.
I hope I didn't mess the access list up... can you try and see if this works? Obviously, the IP addresses used in this example are arbitrary and likely different in your case...
HTH,
GP
01-03-2006 12:33 PM
Georg
I think that you were in a hurry when you typed this:
- you have defined access-list 100 twice when you meant access-list 100 and access-list 101.
- you specify 192.168.3.0 as the source but if the access list is outbound on vlan1 and vlan2 then 192.168.3.0 would be the destination.
I think a simpler solution would be an input list on vlan3 which denies traffic from vlan3 to either vlan1 or vlan2 and allows other traffic (to the Internet). Using your example it would be like this:
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 100 in
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
HTH
Rick
01-03-2006 12:16 PM
Access List might do the trick.
On the VLAN 1 and VLAN 2 interfaces apply an extended access list outbound that denies traffic destined to VLAN 3. Or you could apply a standard access list inbound that denies source traffic from VLAN 3.
On the VLAN 3 interface apply an extended access list outbound that denies traffic destined to VLAN 1 and 2. Or apply a standard access list inbound that denies source traffic from VLAN 1 and 2.
HTH,
Ryan
01-03-2006 01:43 PM
Thank you both gpauwen and rburts, between both your posts I was able to get it working finally. I did mess around with ACLs but with no luck, and it looks like my problem was in the order I had the IPs in the rule. For example I had an inbound of "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255" (I was using SDM as it's a lot easier, and so 1.0 was the source and 3.0 was the destination); when I switched the source and destination around it worked fine. So now I have inbound and outbound rules that are the same:
inbound:
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip any any
outbound:
access-list sdm_vlan3_out deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list sdm_vlan3_out deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list sdm_vlan3_out permit ip any any
again thanks a lot
Jeff
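The two points the thread turns on, the direction an access-group is applied in and which address is the source versus the destination at that point, are easy to get wrong on a live router. The following Python script is an added example, not Cisco code and not something any poster supplied: it is a small simulator of IOS extended-ACL semantics (wildcard masks, first match wins, implicit deny at the end, inbound check on the ingress interface then outbound check on the egress interface). It replays Rick's inbound list on Vlan3 and the single line Jeff quoted from his first attempt, with the 192.168.x.0/24 addressing from the thread and constructed host and Internet addresses (203.0.113.9 is a documentation address). Function and class names, and the one-line reconstruction of Jeff's first ACL (his quoted deny plus a permit any any), are assumptions of this example.

```python
# Added example: simulator of Cisco IOS extended ACL evaluation (not Cisco code).
# Helper names are hypothetical; host and Internet addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "any" or "<network> <wildcard>"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    """Consume one address spec from an access-list line: any | host A | A W."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acls(config: str) -> dict:
    """Parse 'access-list <id> permit|deny ip <src> <dst>' lines into {id: [entries]}."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        acl_id, action = parts[1], parts[2]
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(acl_id, []).append(AclEntry(action, src, dst))
    return acls


def evaluate(entries, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for e in entries:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action
    return "deny"


@dataclass
class Interface:
    net: str                       # subnet behind the interface ("0.0.0.0/0" = Internet side)
    acl_in: Optional[str] = None   # from 'ip access-group <id> in'
    acl_out: Optional[str] = None  # from 'ip access-group <id> out'


def _pick(ifaces: dict, addr: str) -> Interface:
    """Longest-prefix choice of the interface that serves addr (default route = Internet)."""
    def score(i: Interface) -> int:
        net = ipaddress.ip_network(i.net)
        return net.prefixlen if ipaddress.ip_address(addr) in net else -1
    return max(ifaces.values(), key=score)


def _blocked(acls: dict, acl_id: Optional[str], src: str, dst: str) -> bool:
    # An access-group that names an ACL with no entries permits everything (IOS behaviour).
    if acl_id is None or acl_id not in acls:
        return False
    return evaluate(acls[acl_id], src, dst) == "deny"


def forward(acls: dict, ifaces: dict, src: str, dst: str) -> str:
    """Router decision for one packet: ingress inbound ACL first, then egress outbound ACL."""
    ingress, egress = _pick(ifaces, src), _pick(ifaces, dst)
    if _blocked(acls, ingress.acl_in, src, dst) or _blocked(acls, egress.acl_out, src, dst):
        return "deny"
    return "permit"


# Rick's list from the thread, applied inbound on Vlan3.
RICK_ACL = """
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
"""
# Jeff's first attempt, reconstructed from the one line he quoted (source/destination reversed).
JEFF_FIRST_TRY = """
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
"""


def build(acl_config: str, acl_id: str):
    ifaces = {
        "Vlan1": Interface("192.168.1.0/24"),
        "Vlan2": Interface("192.168.2.0/24"),
        "Vlan3": Interface("192.168.3.0/24", acl_in=acl_id),
        "Internet": Interface("0.0.0.0/0"),
    }
    return parse_acls(acl_config), ifaces


def check_rick() -> dict:
    acls, ifaces = build(RICK_ACL, "100")
    return {
        "vlan3_to_vlan1": forward(acls, ifaces, "192.168.3.10", "192.168.1.5"),
        "vlan3_to_vlan2": forward(acls, ifaces, "192.168.3.10", "192.168.2.5"),
        "vlan3_to_internet": forward(acls, ifaces, "192.168.3.10", "203.0.113.9"),
        "vlan1_to_vlan2": forward(acls, ifaces, "192.168.1.5", "192.168.2.5"),
        # The request from VLAN 1 still gets in; it is the reply (3 -> 1) that is dropped.
        "vlan1_to_vlan3": forward(acls, ifaces, "192.168.1.5", "192.168.3.10"),
    }


def check_jeff_first_try() -> str:
    acls, ifaces = build(JEFF_FIRST_TRY, "102")
    # Inbound on Vlan3 the packet's source is 192.168.3.x, so a deny line whose
    # source is 192.168.1.0/24 never matches and the traffic falls through to permit.
    return forward(acls, ifaces, "192.168.3.10", "192.168.1.5")


if __name__ == "__main__":
    print(check_rick())
    print("Jeff's reversed line, VLAN 3 -> VLAN 1:", check_jeff_first_try())
```

Two things the simulation makes visible: the ACL is stateless, so although a packet from VLAN 1 to VLAN 3 is not stopped by an inbound list on Vlan3, the reply from VLAN 3 is, which is why a single inbound list on Vlan3 isolates VLAN 3 from both directions for connection-oriented traffic; and a deny whose addresses are in the wrong order simply never matches and is silently ignored, which is exactly what Jeff saw before swapping source and destination. The outbound placement on Vlan1 and Vlan2 that GP proposed can be modelled by setting `acl_out` on those interfaces instead of `acl_in` on Vlan3.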