Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4584
Views
5
Helpful
9
Replies

Prevent Inter-vlan routing

rasoftware
Level 1
Level 1

‎05-21-2006 07:01 AM - edited ‎03-03-2019 12:46 PM

Hi all,

I am using a 3550 for layer 3 routing to allow all VLANs to use a common firewall. Basically VLANs are 10.1.0.0/16, 10.2.0.0/16 and so on and port 172.16.0.0/16 which is in the firewalls subnet. I want all VLANs to be able to access the firewall but no allow the client VLANs to access each other. Do I need to do this with ACLs? I would like the setup as simple as possible.

Labels:
0 Helpful
9 Replies 9

Roberto Salazar
Level 8
Level 8

‎05-21-2006 08:16 AM

Yes, you will need an ACL that will prevent vlan 10.1 from talking to vlan 10.2 and vise versa. It's a simple Access-list, for example:

access-list 1 deny 10.2.0.0 0.0.255.255

access-list 2 deny 10.1.0.0 0.0.255.255

interface vlan 1

ip access-group 2 out >> will prevent any traffic from 10.2.0.0

interface vlan 2

ip access-group 1 out >> will prevent any traffic fomr 10.1.0.0

Please rate helpful post.

0 Helpful

rasoftware
Level 1
Level 1
In response to Roberto Salazar

‎05-21-2006 08:23 AM

hi would this work also?

access-list 101 permit ip any any

access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

interface vlan x

access-group 101 out

ie stop and 10.0.0.0 accessing any other?

0 Helpful

Roberto Salazar
Level 8
Level 8
In response to rasoftware

‎05-21-2006 10:47 AM

I do not see any reason why it would not work but have the deny first before the permit.

Please rate helpful posts.

rasoftware
Level 1
Level 1
In response to Roberto Salazar

‎05-22-2006 02:33 AM

access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

access-list 101 permit ip any any

vlan x

ip access-group 1010 out

This prevents a host in 10.14.0.0/16 pinging a host in 10.15.0.0/16.

However I am still able to ping 10.15.0.1 (vlan15 IP) from 10.14.0.0/16

10.15.0.1 is the IP assigned to the VLAN associated with the interface. These address act as the default gw for the clients. No sure how this is possible.

0 Helpful

mahmoodmkl
Level 7
Level 7
In response to rasoftware

‎05-22-2006 02:58 AM

HI

From where u r trying to ping this IP.r u pigning it from any hosts or from the router itself.

Thanks

mahmood

0 Helpful

rasoftware
Level 1
Level 1
In response to mahmoodmkl

‎05-22-2006 04:57 AM

Hi if I ping from the host I am able to ping the other VLAN GW IPs but not any host in those networks.

0 Helpful

mahmoodmkl
Level 7
Level 7
In response to rasoftware

‎05-22-2006 05:23 AM

Hi

Can u check applying this access-list inbound and verify wearther u r able to ping the G/W address.

Thanks

Mahmood

0 Helpful

rasoftware
Level 1
Level 1
In response to mahmoodmkl

‎05-22-2006 05:39 AM

Hi if I apply in "in" as well as "out" I cannot the ping any VLAN GW.

I can access internet etc ok though via this port.

This is probably ok but it would be nice to ping the local GW from its respective VLAN.

0 Helpful

shakeelahmadch
Level 1
Level 1
In response to rasoftware

‎06-04-2006 05:13 AM

Do you guys think this is feasible solution when a person have more than 20 VLANS and only wants all to communicate with 1 VLAN fully and 19 others doesn't needs to communicated with each other.

Although in my case i have 4506, still i have'nt proceeded as ACL's will put a load on the CPU . Any idea ?

thanks,

Shakeel Ahmad

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card