Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1424
Views
3
Helpful
15
Replies

ACL to prevent InterVLAN Routing and enable access to Internet

Go to solution
Ranjita
Level 1
Level 1

‎09-27-2023 02:16 AM - last edited on ‎10-25-2023 04:33 AM by Community Manager

Hi All,

I have multiple VLANs and OSPF running on a L3 Switch. I want to prevent VLAN's 1,2 and 3 communicating with each other but each of the VLAN's should reach an external network via OSPF.

I tried configuring an ACL to prevent inter-VLAN routing but in that case my connection to the external network is also lost.

ip access-list extended AAA

deny ip any <SVI of VLAN B>

permit ip any any

exi

int vlan A

ip access-group AAA in

exi

I have tried to block just one VLAN for now but not successful.

Could anyone please help me with it?

 

0 Helpful
15 Replies 15

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Joseph W. Doherty

‎09-28-2023 07:56 AM - last edited on ‎10-25-2023 04:12 AM by Community Manager

@Joseph W. Doherty wrote:
@MHM Cisco World wrote:

Acl apply to SVI can  not filter traffic toward SVI İp but it can filter traffic bypass SVI. 

Oh?  Hmm, I didn't know that.  I'll set up a lab to confirm that.

(PT) Lab results:

I was able, on a SVI (in PT) block ingress echo requests, while allowing echo request to transit the interface.  So, it appears you CAN filter traffic to the SVI IP, itself.

JosephWDoherty_0-1695912469231.png

switch#sh cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Switch Gig 1/0/1 144 3650 Gig 1/0/1

Relevant L3 switch config snippets:

Switch0:

ip routing

interface Loopback0
ip address 192.168.2.1 255.255.255.255

interface GigabitEthernet1/0/1

interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group test in

ip access-list extended test
deny icmp any host 192.168.1.1 echo
permit ip any any

Switch1:

ip routing

interface GigabitEthernet1/0/1
no switchport
ip address 192.168.1.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.1

Pinging Switch0's SVI IP from Switch1:

Switch#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

Pinging Switch0's Loopback0 IP from Switch1:

Switch#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card