07-25-2006 10:21 AM - edited 03-03-2019 04:13 AM
I have a L3 switch with several vlan interfaces. I want to add another vlan interface that is restricted (isolated) from the other vlans. What would be the best way to go about doing this? Should I create an extended ACL and then apply it to the VLAN interface? I believe VACL are intended for intra-vlan situations, is this correct?
Thanks,
Joel
07-25-2006 10:26 AM
To add a VLAN interface and not have it be able to communicate with the other VLAN interfaces, you will need to set up VACLs.
these will allow/deny communication to/from VLANs.
see this link for more info:
07-25-2006 10:59 AM
Hi Joel,
It is my understanding that VACLs are applied to all traffic seen on a given VLAN, whereas "normal" ACLs are applied to the L3 SVI. In other words, they are applied only to traffic leaving or coming to that network via the L3 sub-interface for that VLAN.
VLAN usage implies isolation from other VLANs, so I assume when you say isolation you mean that you want the new VLAN to be able to access other networks (for instance perhaps the internet), though you do not want hosts on any other local VLAN to access it. I would write an ACL for the sub-interface that simply (!) accommodates this: generally, allow all traffic from your special VLAN 'out' but deny traffic from the others 'in'. Hope this helps.
07-25-2006 12:04 PM
Do you really need the Layer 3 interface or by creating the layer 2 VLAN satisfy the goal? Could you tell us what you are trying to accomplish?
Thanks
07-25-2006 12:05 PM
Hello,
here is a configuration example with ACLs to restrict traffic between two VLANs (this is from a previous post from 'Bosalaza'):
Goal: to restrict traffic between two VLANs, but from these VLANs you want no traffic restrictions to e.g. the Internet. You can create an access list preventing traffic from one VLAN, and allowing traffic to the internet. For example:
vlan x - 1.1.1.0/24
vlan y - 1.1.2.0/24
access-list x deny 1.1.1.0 0.0.0.255
access-list x permit any
access-list y deny 1.1.2.0 0.0.0.255
access-list y permit any
interface vlan x
ip address 1.1.1.1 255.255.255.0
ip access-group y out
interface vlan y
ip address 1.1.2.1 255.255.255.0
ip access-group x out
HTH,
GNT
07-25-2006 12:38 PM
How do I know if I should place the action of the Access List to be incoming, or outgoing on the interface?
Thanks,
Joel
07-25-2006 05:32 PM
For incoming or outgoing, it depends on the usage. e.g. If you want to block the user from remote sites to your office, you have to setup incoming at your locations or you can setup outgoing at the remote sites.
Hope this helps.
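To make the posted vlan x / vlan y configuration and the in/out question concrete, here is a small Python model of how the switch applies those two standard ACLs. It is an added example, not from anyone in this thread; the "uplink" interface standing in for the Internet and the sample addresses are constructed assumptions.

```python
import ipaddress

# IOS wildcard-mask matching: a 0 bit in the mask means "must match",
# a 1 bit means "don't care" (so 0.0.0.255 covers a /24).
def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

# A standard ACL matches on source address only, top to bottom,
# and ends in an implicit deny.
def acl_permits(acl, src: str) -> bool:
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

# The two access lists from the posted config ('any' = 0.0.0.0 255.255.255.255).
ACL_X = [("deny", "1.1.1.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]
ACL_Y = [("deny", "1.1.2.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]

# SVIs from the posted config. "ip access-group ... out" on an SVI filters
# traffic the switch routes *toward* hosts on that VLAN, so vlan y's outbound
# ACL is what blocks 1.1.1.0/24 sources from reaching 1.1.2.0/24.
SVIS = {
    "vlan x": {"net": ipaddress.ip_network("1.1.1.0/24"), "out_acl": ACL_Y},
    "vlan y": {"net": ipaddress.ip_network("1.1.2.0/24"), "out_acl": ACL_X},
    # constructed placeholder for the default route / Internet side, no ACL applied
    "uplink": {"net": ipaddress.ip_network("0.0.0.0/0"), "out_acl": []},
}

def egress_svi(dst: str) -> str:
    """Longest-prefix match to pick the interface a routed packet leaves on."""
    ip = ipaddress.IPv4Address(dst)
    hits = [(name, svi["net"].prefixlen) for name, svi in SVIS.items() if ip in svi["net"]]
    return max(hits, key=lambda h: h[1])[0]

def forwarded(src: str, dst: str) -> bool:
    """True if a routed packet src -> dst passes the outbound ACL of its egress SVI."""
    svi = SVIS[egress_svi(dst)]
    if not svi["out_acl"]:
        return True  # no access-group applied on that interface: nothing is filtered
    return acl_permits(svi["out_acl"], src)
```

Run with constructed hosts: vlan x to vlan y and vlan y to vlan x are dropped, while both VLANs still reach the uplink and replies from outside addresses come back in.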