cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1175
Views
5
Helpful
6
Replies

Advanced Cisco Switch L3 InterVlan Routing

mudasserilyas
Level 1
Level 1

Hello guys, 

I would like to know a scenario for the inter-vlan routing. As we know that switch can perform the L3 routing between the vlan which eliminates the need to router-on-stick etc. I have a scenario for a customer to perform routing between 3 vlans. We have 3 vlans tagged as VLAN5, VLAN10, VLAN20.

We want the below routing, if its possible. 

VLAN5   <--yes--> VLAN10
VLAN10 <--yes--> VLAN20

VLAN5 <--no-->  VLAN20


I hope you get it. We want routing between vlan 5 to 10, 10 to 20 but we don't want the routing between vlan 5 to 20. Can this be achieved by the Switch L3 routing?

 

Appreciate your support/cooperation.

1 Accepted Solution

Accepted Solutions

Hello,

 

thinking about it again, in order for Vlan 5 not to be able to communicate with Vlan 20 (but vice versa) and be allowed to talk to anyone else, you need the following access list on your Vlan 5 interface:

 

ip access-list extended 100
permit tcp 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255 established
deny ip 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255
100 permit ip any any

 

interface Vlan5

ip access-group 100 in

 

However, that blocks only TCP traffic. If that is sufficient, fine. If not, you need to configure CBAC or ZBF (Zone Based Firewall).

View solution in original post

6 Replies 6

Hi

Actually there is not way to specify once IP routing is enabled but you can filter the communication using ACL or VACL.

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Hello,

 

basically, you just create your three SVIs, and then apply access lists:

 

interface Vlan5
ip address 192.168.5.1 255.255.255.0

 

interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in

 

interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group 102 in

 

access-list 101 deny ip 192.168.10 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.20 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any

 

access-list 102 deny ip 192.168.20 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.10 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip any any

 

What about Vlan 5 access to Vlan 10 and Vlan 20 ? Should that be allowed or denied ?

 

Hi George,
Thanks. That looks quite helpful.

We want 5 to 10 to be allowed. Only 5 shouldn't have access to 20...
Means 5 to 20 not allowed.
20 to 5 allowed...

let me make more clear.
5 to 10 allowed.
10 to 5 allowed.
5 to 20 not allowed.
10 to 20 allowed.
20 to 10 allowed.
20 to 5 allowed.

Thanks again for your response.

Hello,

 

add the below to your configuration:

 

interface Vlan5
ip address 192.168.5.1 255.255.255.0

ip access-group 103 in

 

access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 permit ip any any

Hello,

 

thinking about it again, in order for Vlan 5 not to be able to communicate with Vlan 20 (but vice versa) and be allowed to talk to anyone else, you need the following access list on your Vlan 5 interface:

 

ip access-list extended 100
permit tcp 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255 established
deny ip 192.168.5.0 0.0.0.255 192.168.20.0 0.0.0.255
100 permit ip any any

 

interface Vlan5

ip access-group 100 in

 

However, that blocks only TCP traffic. If that is sufficient, fine. If not, you need to configure CBAC or ZBF (Zone Based Firewall).

Thanks a lot.
I got the idea and can modify accordingly if any changes needed.
Review Cisco Networking for a $25 gift card