Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
626
Views
0
Helpful
3
Replies

How to Stop Inter-VLAN communication

Go to solution
himanshudwivedi
Level 1
Level 1

‎12-14-2021 03:42 AM

Hello,

 

I have 1 scenario in which there are 2 Vlans A and B, configured with IP Address, I want to stop communication from Users from A to B but want to allow from B to A. How to achieve it.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎12-14-2021 03:31 PM

As both @Seb Rupik and @Richard Burts have noted, generally the best solution (for "inside" to "outside" allowed, but not "unexpected" converse) would be to use a FW, because it's stateful.

Two other Cisco features, that could possibly support such a requirement (as they too are stateful) might be usage of reflexive ACLs (see https://learningnetwork.cisco.com/s/article/reflexive-acls) or NAT/PAT.  The former is somewhat a "poor man's" FW.  The latter is usually not thought of in a security context, but can also, more or less, allow inside to outside, yet block much unexpected outside to inside.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎12-14-2021 03:58 AM

Hi there,

Using a ACL is not really an option in the scenario, even including the established keyword to permit return traffic from A to B will only work for TCP. Your best bet is to look at using IOS ZBF or place a dedicated firewall between the two VLANs.

 

cheers,

Seb.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Seb Rupik

‎12-14-2021 10:14 AM

What the original poster asks is challenging. If B should be able to communicate with A then what it means is that A must be able to respond to B but A should not be able to originate traffic to B. The best way to achieve this is to use something that does stateful inspection of the traffic, such as a firewall. ZBF comes close but I believe that the best solution is a firewall.

HTH

Rick
0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎12-14-2021 03:31 PM

As both @Seb Rupik and @Richard Burts have noted, generally the best solution (for "inside" to "outside" allowed, but not "unexpected" converse) would be to use a FW, because it's stateful.

Two other Cisco features, that could possibly support such a requirement (as they too are stateful) might be usage of reflexive ACLs (see https://learningnetwork.cisco.com/s/article/reflexive-acls) or NAT/PAT.  The former is somewhat a "poor man's" FW.  The latter is usually not thought of in a security context, but can also, more or less, allow inside to outside, yet block much unexpected outside to inside.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card