Cisco Support Community

VLAN restriction

How to restrict the inter-VLAN access? Right now all the VLANs have access. So please give some idea for the same.

2 REPLIES

Re: VLAN restriction

Hi Subash,

One way to restrict is to use an ACL and apply it on the interfaces.

Can you please update how you have configured the inter-VLAN routing? On a layer 3 switch or the router-on-a-stick model?

If you are using a layer 3 switch like the 3550, you can configure ACLs, so check this link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1171606

If you are using inter-VLAN routing on a Cat6k switch, you can also use VACLs to restrict traffic, so check this link out:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/secure.htm#wp1039223

HTH, if yes please rate the post.

Ankur


Re: VLAN restriction

Hello,

In addition to Ankur's post, a simple way to restrict access between VLANs would be configuring access lists as in the sample configuration below:

interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 out
!
interface FastEthernet0/0.2
 encapsulation dot1q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 out
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any

For SVIs (VLAN interfaces) the configuration would look like this:

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 out
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 out
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any

Regards,

Nethelper
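
The sample ACLs from the post above, checked against a few packets. This is an added example, not part of Nethelper's post: a small Python model of first-match evaluation with wildcard masks and the implicit deny, which shows that the trailing `permit ip any any` lets through any VLAN that is not explicitly denied. The packet addresses and the third VLAN 192.168.3.0/24 are constructed for illustration.

```python
import ipaddress

# The two ACLs from the sample configuration in the post, copied verbatim.
CONFIG = """
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
"""

def _spec(tokens):
    """Consume one address spec ('any' or 'addr wildcard') from the token list."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]

def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only 'ip' entries of numbered ACLs are modelled here
        src, rest = _spec(t[4:])
        dst, _ = _spec(rest)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls

def _match(ip, spec):
    addr, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for action, src, dst in acl:
        if _match(src_ip, src) and _match(dst_ip, dst):
            return action
    return "deny"

ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    # Constructed test packets; 192.168.3.0/24 is a hypothetical third VLAN.
    for n, s, d in [(100, "192.168.2.10", "192.168.1.20"),
                    (101, "192.168.1.20", "192.168.2.10"),
                    (100, "192.168.3.10", "192.168.1.20")]:
        print(f"ACL {n}: {s} -> {d}: {evaluate(ACLS[n], s, d)}")
```

With more than two VLANs, each VLAN's outbound ACL needs one deny entry per source VLAN that should be blocked, placed before the final permit.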