How to Stop Inter-VLAN communication

himanshudwivedi
Level 1

Hello,


I have a scenario in which there are 2 VLANs, A and B, configured with IP addresses. I want to stop communication from users in A to B, but allow it from B to A. How can I achieve this?


3 Replies

Seb Rupik
VIP Alumni

Hi there,

Using an ACL is not really an option in this scenario; even including the established keyword to permit return traffic from A to B will only work for TCP. Your best bet is to look at using IOS ZBF or to place a dedicated firewall between the two VLANs.


cheers,

Seb.
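What a one-way ZBF policy between the two VLANs looks like, as an added example that is not part of Seb's reply or any Cisco documentation. Everything here is hypothetical: VLAN A is 10.1.1.0/24 on SVI Vlan10, VLAN B is 10.1.2.0/24 on SVI Vlan20, both routed on a single IOS router that supports Zone-Based Firewall, and the zone, class-map, policy-map and zone-pair names are made up for the illustration.

```cisco
! Added example, not from the thread. Hypothetical addressing and names:
!   VLAN A = 10.1.1.0/24 behind SVI Vlan10 (may only answer B)
!   VLAN B = 10.1.2.0/24 behind SVI Vlan20 (may initiate to A)
!
! One security zone per VLAN.
zone security ZONE-A
zone security ZONE-B
!
interface Vlan10
 description VLAN A (restricted)
 ip address 10.1.1.1 255.255.255.0
 zone-member security ZONE-A
!
interface Vlan20
 description VLAN B (may initiate to A)
 ip address 10.1.2.1 255.255.255.0
 zone-member security ZONE-B
!
! What B may start toward A. Inspection tracks UDP and ICMP "sessions"
! as well as TCP, which is what a plain ACL with "established" cannot do.
class-map type inspect match-any CM-B-TO-A
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-B-TO-A
 class type inspect CM-B-TO-A
  inspect
 class class-default
  drop log
!
! The only zone-pair on the box: B -> A. "inspect" creates a session entry
! for each B-initiated flow and lets the matching return packets from A through.
zone-pair security ZP-B-TO-A source ZONE-B destination ZONE-A
 service-policy type inspect PM-B-TO-A
!
! Deliberately NO zone-pair with source ZONE-A destination ZONE-B.
! Traffic between two zones that have no zone-pair is dropped by default,
! which is exactly the A -> B block the question asks for.
```

Two things to check before trusting it: traffic to and from the router's own addresses (the self zone) is permitted by default and needs its own policy if you care about A reaching the router, and `show policy-map type inspect zone-pair sessions` should list a session only when a B host initiates; a connection attempted from A should never appear there.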

Richard Burts

What the original poster asks is challenging. If B should be able to communicate with A, then what it means is that A must be able to respond to B, but A should not be able to originate traffic to B. The best way to achieve this is to use something that does stateful inspection of the traffic, such as a firewall. ZBF comes close, but I believe that the best solution is a firewall.

HTH

Rick

Joseph W. Doherty
Hall of Fame
(Accepted Solution)

As both @Seb Rupik and @Richard Burts have noted, generally the best solution (for "inside" to "outside" allowed, but not "unexpected" converse) would be to use a FW, because it's stateful.

Two other Cisco features, that could possibly support such a requirement (as they too are stateful) might be usage of reflexive ACLs (see https://learningnetwork.cisco.com/s/article/reflexive-acls) or NAT/PAT.  The former is somewhat a "poor man's" FW.  The latter is usually not thought of in a security context, but can also, more or less, allow inside to outside, yet block much unexpected outside to inside.
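The reflexive-ACL variant Joseph mentions, shown beside the weaker `established` approach so the difference is concrete. This is an added example, not from the thread or from the linked article. Addressing and names are hypothetical: VLAN A is 10.1.1.0/24 on SVI Vlan10, VLAN B is 10.1.2.0/24 on SVI Vlan20, and the ACL names (A-IN-ESTABLISHED-ONLY, B-TO-A-OUT, A-TO-B-IN, B-SESSIONS) are illustrative.

```cisco
! Added example, not from the thread. Hypothetical addressing:
!   VLAN A = 10.1.1.0/24 on SVI Vlan10, VLAN B = 10.1.2.0/24 on SVI Vlan20.
!
! --- Weak approach: the "established" keyword ---
! Matches only TCP segments with ACK or RST set and keeps no state, so a host
! in A can send a crafted ACK-flagged segment to B and it passes. UDP and
! ICMP replies from A to B are simply denied.
ip access-list extended A-IN-ESTABLISHED-ONLY
 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 established
 deny   ip  10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip  any any
!
! --- Reflexive ACL: temporary mirror entries per flow ---
! Applied OUTBOUND on Vlan10 (router -> A). Each B -> A packet that leaves
! here creates a temporary entry in B-SESSIONS with source/destination
! addresses and ports swapped; TCP entries go away on FIN/RST, others time out.
ip access-list extended B-TO-A-OUT
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 reflect B-SESSIONS timeout 300
 permit ip any any
!
! Applied INBOUND on Vlan10 (A -> router). First consult the mirror entries,
! then block anything else A tries to send to B. A to anywhere else is untouched.
ip access-list extended A-TO-B-IN
 evaluate B-SESSIONS
 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip access-group B-TO-A-OUT out
 ip access-group A-TO-B-IN  in
```

Use `show access-lists B-SESSIONS` while a B host has a session open to A; the swapped entry should be present, and should not appear for anything A initiates. Caveats a practitioner should weigh: reflexive ACLs understand nothing above layer 4, so protocols that open secondary channels (active FTP, for example) break, and the `reflect`/`evaluate` keywords are not supported on every platform, notably many hardware-switched Catalyst SVIs, so confirm support on the device that actually routes between the VLANs before relying on it.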