Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2394
Views
0
Helpful
5
Replies

Vlan blocking

pcromwell
Level 3
Level 3

‎05-03-2017 10:37 PM - edited ‎03-05-2019 08:27 AM

I have 5 vlans on a l3 switch e.g vlan 1-5. running hosts as a multi tenenancy. I want to let vlan 1 access all the hosts on all the vlan but I do not want vlans 2,3 4,and 5  to be able to acces any hosts excpept on their own vlan. I have looked at ACLs and Private vlans but am not sure how to go about it. VRFs seem to be more than what I need. can anyone suggest a simple config?

Labels:
0 Helpful
5 Replies 5

Manish Gogna
Cisco Employee
Cisco Employee

‎05-04-2017 12:00 AM

Hi,

Here are a couple of posts with similar queries that you can refer

https://supportforums.cisco.com/discussion/11586626/block-traffic-under-two-vlans-unidirectional-or-bidirectional

https://supportforums.cisco.com/discussion/11778006/preventing-inter-vlan-routing

HTH

Manish

0 Helpful

Georg Pauwen
VIP
VIP

‎05-04-2017 12:51 AM

Hello,

you could use VACLs. Let's say you have five Vlans:

Vlan 10/192.168.10.0/24

Vlan 20/192.168.20.0/24

Vlan 30/192.168.30.0/24

Vlan 40/192.168.40.0/24

Vlan 50/192.168.50.0/24

The below config would allow all Vlans to access Vlan 10, but allow all the other Vlans only to be access by hosts from within that Vlan. I hope I didn't make any typos, but you get the idea:

ip access-list extended VLAN10_TO_ALL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

vlan access-map VLAN10_MAP
 match ip address VLAN10_TO_ALL
  action forward

vlan filter VLAN1_MAP vlan-list 10

ip access-list extended VLAN20_TO_SELF
 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255

vlan access-map VLAN20_MAP
 match ip address VLAN20_TO_SELF
  action forward

vlan filter VLAN20_MAP vlan-list 20

ip access-list extended VLAN30_TO_SELF
 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255

vlan access-map VLAN30_MAP
 match ip address VLAN30_TO_SELF
  action forward

vlan filter VLAN30_MAP vlan-list 30

ip access-list extended VLAN40_TO_SELF
 permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255

vlan access-map VLAN40_MAP
 match ip address VLAN40_TO_SELF
  action forward

vlan filter VLAN40_MAP vlan-list 40

ip access-list extended VLAN50_TO_SELF
 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

vlan access-map VLAN50_MAP
 match ip address VLAN50_TO_SELF
  action forward

vlan filter VLAN50_MAP vlan-list 50

0 Helpful

paul driver
VIP
VIP
In response to Georg Pauwen

‎05-04-2017 01:41 AM

Hello Georg

VLAN10_TO_ALL -> Wouldnt this allow communication to and from other vlans, not just orignating from vlan 10


res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Georg Pauwen
VIP
VIP
In response to paul driver

‎05-04-2017 04:10 AM

I forgot one line in that access list, without which hosts in Vlan 10 wouldn't be able to talk to each other:

ip access-list extended VLAN10_TO_ALL
 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

Either way, the idea is that the implicit deny at the end of the VACL would not allow anything other than what is specified...

0 Helpful

paul driver
VIP
VIP

‎05-04-2017 04:41 AM

Hello

Edited- apologies misread OP - as it states no communcation for the other vlans also!

Example below will allow vlan 1 to establish commincation to the other vlans but not for traffic from the other vlans initiated towards vlan 1
Vlan 2 wont allow any communiation between vlan 3,4,5 and just established tcp and icmp replys for vlan 1

ip access-list extended vlan1
permit tcp 2.2.2.0 0.0.0.255 any established
permit tcp 3.3.3.0 0.0.0.255 any established
permit tcp 4.4.4.0 0.0.0.255 any established
permit tcp 5.5.5.0 0.0.0.255 any established
deny ip 2.2.2.0 0.0.0.255 any
deny ip 3.3.3.0 0.0.0.255 any 
deny ip 4.4.4.0 0.0.0.255 any
deny ip 5.5.5.0 0.0.0.255 any
permit ip any any

int vlan 1
Ip access-group vlan1 out


ip access-list extended vlan2
deny   icmp 3.3.3.0 0.0.0.255 any
deny   icmp 4.4.4.0 0.0.0.255 any
deny   icmp 5.5.5.0 0.0.0.255 any
deny   ip 3.3.3.0 0.0.0.255 any
deny   ip 4.4.4.0 0.0.0.255 any
deny   ip 5.5.5.0 0.0.0.255 any
permit ip any any


int vlan2
Ip access-group vlan2 out

etc........

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents