Cisco Support Community
New Member

Deny VLAN-VLAN Communication using (explicit rule)

Hello All,

I have 4 VLANs: Vlan-2 (192.168.2.0/24), Vlan-3 (192.168.3.0/24), Vlan-4 (192.168.4.0/24) and Vlan-5 (192.168.5.0/24).

I'm using a Cisco 3750 to do all my layer 3 traffic.

My Network Design:

I have enabled switchport trunk encapsulation dot1q on int fa1/0/2, created the VLANs and allowed all VLANs to pass through interface fa1/0/2.

From fa1/0/2 I connected to an L2 switch, enabled trunking on the L2 switch and associated different ports with different VLANs.

What would be the easiest way to use ACLs to prevent any VLAN from talking to any VLAN?

Thanks in advance for your help.

ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: Deny VLAN-VLAN Communication using (explicit rule)

You don't say what the LAN server address is, but assuming it isn't on one of the 4 VLANs:

So from the perspective of vlan 2

access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip any any

int vlan 2
ip access-group 101 in

and then you need to repeat the above from the perspective of each of your VLANs, i.e.

vlan 3

access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

etc.

Jon
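The "etc." above is mechanical, so here is an added example (not from the thread or from Cisco) that generates the per-VLAN ACLs for all four subnets following Jon's pattern and then evaluates sample flows against them with Cisco first-match / wildcard-mask semantics. It goes slightly beyond the answer by producing every VLAN's list, not only VLAN 2 and part of VLAN 3. The ACL numbering (101 for VLAN 2, 102 for VLAN 3, and so on) and the sample host addresses are assumptions chosen to match the answer; the four subnets are the ones from the question.

```python
import ipaddress

# Constructed from the question: the four VLAN subnets on the 3750.
VLANS = {
    2: ipaddress.ip_network("192.168.2.0/24"),
    3: ipaddress.ip_network("192.168.3.0/24"),
    4: ipaddress.ip_network("192.168.4.0/24"),
    5: ipaddress.ip_network("192.168.5.0/24"),
}


def wildcard(net):
    """Cisco wildcard mask: the inverse of the subnet mask (0.0.0.255 for a /24)."""
    return str(net.hostmask)


def build_acl(vlan_id, base_number=100):
    """Build the extended ACL for one VLAN as in the accepted answer: deny traffic
    from this VLAN's subnet to every other VLAN subnet, then permit everything
    else (DMZ, LAN server, Internet). ACL number assumed: 100 + (vlan_id - 1),
    so VLAN 2 -> 101, VLAN 3 -> 102, matching the answer."""
    src = VLANS[vlan_id]
    number = base_number + (vlan_id - 1)
    lines = []
    for other_id, dst in sorted(VLANS.items()):
        if other_id == vlan_id:
            continue
        lines.append(
            f"access-list {number} deny ip {src.network_address} {wildcard(src)} "
            f"{dst.network_address} {wildcard(dst)}"
        )
    # Without this line IOS would fall through to the implicit deny and block
    # the VLAN from reaching anything at all.
    lines.append(f"access-list {number} permit ip any any")
    # "in" on the SVI filters packets arriving from hosts in this VLAN.
    lines.append(f"int vlan {vlan_id}")
    lines.append(f"ip access-group {number} in")
    return lines


def _wildcard_match(addr_field, wc_field, ip):
    """Cisco wildcard semantics: bits that are 0 in the wildcard must match."""
    if addr_field == "any":
        return True
    addr = int(ipaddress.IPv4Address(addr_field))
    wc = int(ipaddress.IPv4Address(wc_field))
    care = ~wc & 0xFFFFFFFF
    return (int(ip) & care) == (addr & care)


def parse_ace(line):
    """Parse 'access-list N deny|permit ip SRC SRCWC DST DSTWC' (or 'any')."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = toks[2]
    fields = []
    i = 4
    for _ in range(2):
        if toks[i] == "any":
            fields.append(("any", None))
            i += 1
        else:
            fields.append((toks[i], toks[i + 1]))
            i += 2
    return action, fields[0], fields[1]


def evaluate(acl_lines, src_ip, dst_ip):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for line in acl_lines:
        if not line.startswith("access-list"):
            continue  # skip the 'int vlan' / 'ip access-group' lines
        action, (sa, swc), (da, dwc) = parse_ace(line)
        if _wildcard_match(sa, swc, src) and _wildcard_match(da, dwc, dst):
            return action
    return "deny"


def check_policy():
    """Verify the intended policy for every VLAN pair and for an outside destination.
    Returns True only if all inter-VLAN flows are denied and outside flows permitted."""
    for vid, net in VLANS.items():
        acl = build_acl(vid)
        src = str(net.network_address + 10)  # constructed sample host in this VLAN
        for other_id, other in VLANS.items():
            if other_id == vid:
                continue
            if evaluate(acl, src, str(other.network_address + 10)) != "deny":
                return False
        if evaluate(acl, src, "203.0.113.10") != "permit":  # documentation-range "Internet" host
            return False
    return True


if __name__ == "__main__":
    for vid in sorted(VLANS):
        print("\n".join(build_acl(vid)), end="\n\n")
    print("policy ok:", check_policy())
```

Each list is applied inbound on its own SVI, so the deny entries only ever see traffic sourced from that VLAN; that is why the source side of every entry is the SVI's own subnet and a separate list is needed per VLAN. Jon's caveat still applies: if the LAN server sat inside one of the four subnets, the entry for that subnet would block it too and would need a more specific permit placed before the deny.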

6 REPLIES
Hall of Fame Super Gold

Re: Deny VLAN-VLAN Communication using (explicit rule)

There are various methods. One, is disable L3 in the switch, as it seems you don't need it at all.

New Member

Re: Deny VLAN-VLAN Communication using (explicit rule)

Hi Bevilacqua.

What will it do? Can you explain it to me, please?

Regards

Kiran Kumar CH

Blue

Re: Deny VLAN-VLAN Communication using (explicit rule)

Kiran:

Disabling L3 switching on your 3750 will kill all inter-VLAN routing functions, as well as routing anywhere else.

If you don't want these VLANs to communicate with each other, with whom should they be communicating?

With anyone outside their own VLAN?

Victor

New Member

Re: Deny VLAN-VLAN Communication using (explicit rule)

They should only communicate with the DMZ server, LAN server and Internet, that's it.

Regards

Kiran Kumar CH

New Member

Re: Deny VLAN-VLAN Communication using (explicit rule)

I would like to use ACLs for this because in future I may allow some traffic to pass through the VLAN.

What would be the easiest way to use ACLs to prevent any VLAN from talking to any VLAN?


942 Views, 0 Helpful, 6 Replies