
How to allow and deny access between internal networks


We have a 6807 switch as our core with vlans and ip networks setup internally.  Whenever I add a new vlan/network it gets added to the routing table and route to all of our other internal vlans/networks.  We need to create a new network and vlan that only has access to itself and one other network.  What's the best way to do this?

4 Replies

MHM Cisco World

Config ACL under the SVI, where the MLS uses SVIs to connect different VLAN “subnets”.

If you have multiple vlans/subnets in your network and are creating a new vlan/subnet which should communicate with one other vlan but not the other vlans then the simple solution sounds like it would be an access list applied to the vlan interface. But as you look more closely into that solution it gets complex. Do you apply the access list inbound or outbound (or both)? Should the new vlan communicate with external resources (the Internet)? If the access list is inbound then it needs to permit packets whose source address is in the new vlan/subnet and whose destination address is the other internal vlan/subnet, then deny all traffic whose source address is in the new vlan/subnet and whose destination address is any other internal address, and then permit traffic whose source address is in the new vlan/subnet and whose destination is the Internet. Or if the access list is applied outbound then the access list must permit traffic whose source address is the other vlan/subnet, deny all traffic whose source address is any other vlan/subnet of the internal network, and permit traffic whose source address is the Internet.


Another thing to keep in mind is that with the access list solution, any time that you make changes in the internal network (especially if adding any new subnets) you will need to remember to update this access list.


Another solution might be to use VRF (or VRF-lite) as a mechanism to separate the new vlan/subnet. But I am not sure that your platform supports this feature.
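The inbound-on-the-new-SVI variant described in the reply above, as an added example that is not part of the thread: a small Python script that emits the IOS extended ACL lines in that order (permit the partner subnet, deny the other internal subnets, permit the rest) and evaluates sample flows against them first-match. The subnets, the VLAN number and the ACL name are constructed; the last function illustrates the maintenance point from the reply, an internal subnet added later and not put in the deny list falls through to the final permit.

```python
import ipaddress

# Constructed sample addressing (not from the thread): the new VLAN, the one
# partner VLAN it may reach, and the other internal subnets it must not reach.
NEW_VLAN = ipaddress.ip_network("10.50.0.0/24")
PARTNER = ipaddress.ip_network("10.20.0.0/24")
OTHER_INTERNAL = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.30.0.0/24")]
ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard(net):
    """IOS ACL entries take a wildcard mask, i.e. the inverted netmask."""
    return str(net.hostmask)


def build_inbound_acl(new, partner, others, name="NEW-VLAN-IN"):
    """Return (entries, ios_lines) for an ACL applied inbound on the new VLAN's SVI:
    permit the partner, deny the other internal subnets, then permit everything
    else (the Internet). Order matters because IOS evaluates first match."""
    entries = [("permit", new, partner)]
    entries += [("deny", new, o) for o in others]
    entries.append(("permit", new, ANY))
    lines = [f"ip access-list extended {name}"]
    for action, src, dst in entries:
        dst_txt = "any" if dst == ANY else f"{dst.network_address} {wildcard(dst)}"
        lines.append(f" {action} ip {src.network_address} {wildcard(src)} {dst_txt}")
    return entries, lines


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"


def reachable_internal(entries, internal_subnets):
    """Which of the given internal subnets (as strings) can a host in the new VLAN
    still reach? A subnet added after the ACL was written shows up here."""
    probe = str(NEW_VLAN[10])
    return [s for s in internal_subnets
            if evaluate(entries, probe, str(ipaddress.ip_network(s)[10])) == "permit"]


ENTRIES, IOS_LINES = build_inbound_acl(NEW_VLAN, PARTNER, OTHER_INTERNAL)
IOS_LINES += ["interface Vlan50", " ip access-group NEW-VLAN-IN in"]  # Vlan50 is assumed

if __name__ == "__main__":
    print("\n".join(IOS_LINES))
    print(reachable_internal(ENTRIES, ["10.10.0.0/24", "10.30.0.0/24", "10.40.0.0/24"]))
```

Running it prints the ACL plus the SVI binding, and then `['10.40.0.0/24']`, the subnet that was never added to the deny list.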



Thanks for your reply.
I know it's complex, but this is the only way to separate the VLAN "SUBNET".
VRF means dividing all routing, and it is more complex.
If he has multiple users and wants them isolated from each other, then private VLAN is the solution.

Joseph W. Doherty
Hall of Fame Master

Possibly the "best" way would be to use VRF (or VRF-lite), as already suggested by Rick.  I believe the 6807 should support that, but as you didn't describe your other devices, and your logical topology, I don't know whether it's available for your whole internal network (where needed).

If you're unfamiliar with this technology, it's somewhat the L3 version of L2 VLANs, in that you have multiple virtual routing domains, which, by default, cannot "see" each other.  (It's possible, though, to allow traffic between the VRF instances by controlled leak routing, or you might permit data transfer, between VRF instances, by passing traffic through some security device "wall" as you might between "real", but different, L3 domains.)

The more common alternative, as also suggested by Rick, and the other poster, would be to control data transfer via ACLs.

Of the two approaches, if you're unfamiliar with VRF, it might seem more complicated, but a basic setup is often pretty simple.  In your case, it might be as simple as, define VRF, drop the two VLANs into it.  Done.  With VRF, by default, you're less likely, I believe, to allow traffic you didn't intend to mix.

Also BTW, with VRFs, as, again by default, the routing domains are isolated, it's possible to "reuse" IP addresses.
