Cisco Support Community
New Member

Prevent Inter-vlan routing

Hi all,

I am using a 3550 for layer 3 routing to allow all VLANs to use a common firewall. Basically VLANs are 10.1.0.0/16, 10.2.0.0/16 and so on and port 172.16.0.0/16 which is in the firewalls subnet. I want all VLANs to be able to access the firewall but no allow the client VLANs to access each other. Do I need to do this with ACLs? I would like the setup as simple as possible.

9 REPLIES

Re: Prevent Inter-vlan routing

Yes, you will need an ACL that will prevent vlan 10.1 from talking to vlan 10.2 and vice versa. It's a simple Access-list, for example:

access-list 1 deny 10.2.0.0 0.0.255.255

access-list 2 deny 10.1.0.0 0.0.255.255

interface vlan 1

ip access-group 2 out >> will prevent any traffic from 10.2.0.0

interface vlan 2

ip access-group 1 out >> will prevent any traffic from 10.1.0.0

Please rate helpful post.

New Member

Re: Prevent Inter-vlan routing

Hi, would this work also?

access-list 101 permit ip any any

access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

interface vlan x

ip access-group 101 out

i.e. stop any 10.0.0.0 host accessing any other?

Re: Prevent Inter-vlan routing

I do not see any reason why it would not work but have the deny first before the permit.

Please rate helpful posts.

New Member

Re: Prevent Inter-vlan routing

access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

interface vlan x

ip access-group 101 out

This prevents a host in 10.14.0.0/16 pinging a host in 10.15.0.0/16.

However I am still able to ping 10.15.0.1 (vlan15 IP) from 10.14.0.0/16

10.15.0.1 is the IP assigned to the VLAN associated with the interface. These addresses act as the default GW for the clients. Not sure how this is possible.

Re: Prevent Inter-vlan routing

HI

From where are you trying to ping this IP? Are you pinging it from any host or from the router itself?

Thanks

mahmood

New Member

Re: Prevent Inter-vlan routing

Hi if I ping from the host I am able to ping the other VLAN GW IPs but not any host in those networks.

Re: Prevent Inter-vlan routing

Hi

Can you check applying this access-list inbound and verify whether you are able to ping the G/W address?

Thanks

Mahmood

New Member

Re: Prevent Inter-vlan routing

Hi, if I apply it "in" as well as "out" I cannot ping any VLAN GW.

I can access internet etc ok though via this port.

This is probably ok but it would be nice to ping the local GW from its respective VLAN.
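Two things in this thread are worth checking before touching the switch: a first-match ACL with "permit ip any any" ahead of the deny never reaches the deny, and an outbound ACL on an SVI is never consulted for packets addressed to that SVI's own IP (the gateway), which is why the gateway of another VLAN stayed pingable. The evaluator below is an added example, not code from the thread or from Cisco; it models Cisco wildcard-mask matching and the implicit trailing deny, replays the thread's two ACL orderings, and builds a constructed per-VLAN inbound ACL that lets a VLAN reach its own gateway and the 172.16.0.0/16 firewall subnet while blocking the other 10.x client VLANs (the address values are taken from the thread; the ACL structure is my own).

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style match: wildcard bits set to 1 are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit 'deny ip any any'."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")   # 'any'
TEN = ("10.0.0.0", "0.255.255.255")    # 10.0.0.0 0.255.255.255

# The thread's first draft: permit listed first, so the deny is unreachable.
ACL_PERMIT_FIRST = [("permit", *ANY, *ANY), ("deny", *TEN, *TEN)]
# The corrected order from the thread: deny 10/8 -> 10/8, then permit the rest.
ACL_DENY_FIRST = [("deny", *TEN, *TEN), ("permit", *ANY, *ANY)]

def vlan_inbound_acl(vlan_net, gateway):
    """Constructed inbound ACL for one client VLAN's SVI (assumption, not from
    the thread): own gateway and firewall subnet first, then block other
    10.x VLANs, then permit everything else (Internet via the firewall)."""
    net = ipaddress.ip_network(vlan_net)
    base, wild = str(net.network_address), str(net.hostmask)
    return [
        ("permit", base, wild, gateway, "0.0.0.0"),          # host <gateway>
        ("permit", base, wild, "172.16.0.0", "0.0.255.255"),  # firewall subnet
        ("deny", *TEN, *TEN),                                 # other client VLANs
        ("permit", *ANY, *ANY),
    ]

if __name__ == "__main__":
    acl14 = vlan_inbound_acl("10.14.0.0/16", "10.14.0.1")
    for dst in ("10.14.0.1", "10.15.0.1", "10.15.0.5", "172.16.0.1", "198.51.100.7"):
        print(f"10.14.0.5 -> {dst}: {evaluate(acl14, '10.14.0.5', dst)}")
```

Applying such an ACL inbound on each client SVI filters the packet where it enters, so it also catches pings aimed at another VLAN's gateway address, which an outbound ACL on the far SVI never sees.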

New Member

Re: Prevent Inter-vlan routing

Do you guys think this is a feasible solution when a person has more than 20 VLANs and only wants all of them to communicate fully with 1 VLAN, while the other 19 don't need to communicate with each other?

Although in my case I have a 4506, I still haven't proceeded, as ACLs will put a load on the CPU. Any idea?

thanks,

Shakeel Ahmad
