Vlan blocking

pcromwell
Level 3

I have 5 VLANs on an L3 switch, e.g. VLAN 1-5, running hosts as a multi-tenancy. I want to let VLAN 1 access all the hosts on all the VLANs, but I do not want VLANs 2, 3, 4, and 5 to be able to access any hosts except on their own VLAN. I have looked at ACLs and private VLANs but am not sure how to go about it. VRFs seem to be more than what I need. Can anyone suggest a simple config?

5 Replies

Manish Gogna
Cisco Employee

Hi,

Here are a couple of posts with similar queries that you can refer to:

https://supportforums.cisco.com/discussion/11586626/block-traffic-under-two-vlans-unidirectional-or-bidirectional

https://supportforums.cisco.com/discussion/11778006/preventing-inter-vlan-routing

HTH

Manish

Hello,

you could use VACLs. Let's say you have five Vlans:

Vlan 10/192.168.10.0/24

Vlan 20/192.168.20.0/24

Vlan 30/192.168.30.0/24

Vlan 40/192.168.40.0/24

Vlan 50/192.168.50.0/24

The below config would allow all Vlans to access Vlan 10, but allow all the other Vlans only to be accessed by hosts from within that Vlan. I hope I didn't make any typos, but you get the idea:

ip access-list extended VLAN10_TO_ALL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

vlan access-map VLAN10_MAP
 match ip address VLAN10_TO_ALL
  action forward

vlan filter VLAN10_MAP vlan-list 10

ip access-list extended VLAN20_TO_SELF
 permit ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255

vlan access-map VLAN20_MAP
 match ip address VLAN20_TO_SELF
  action forward

vlan filter VLAN20_MAP vlan-list 20

ip access-list extended VLAN30_TO_SELF
 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255

vlan access-map VLAN30_MAP
 match ip address VLAN30_TO_SELF
  action forward

vlan filter VLAN30_MAP vlan-list 30

ip access-list extended VLAN40_TO_SELF
 permit ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255

vlan access-map VLAN40_MAP
 match ip address VLAN40_TO_SELF
  action forward

vlan filter VLAN40_MAP vlan-list 40

ip access-list extended VLAN50_TO_SELF
 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

vlan access-map VLAN50_MAP
 match ip address VLAN50_TO_SELF
  action forward

vlan filter VLAN50_MAP vlan-list 50

Hello Georg

VLAN10_TO_ALL -> Wouldn't this allow communication to and from other VLANs, not just originating from VLAN 10?


res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I forgot one line in that access list, without which hosts in Vlan 10 wouldn't be able to talk to each other:

ip access-list extended VLAN10_TO_ALL
 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

Either way, the idea is that the implicit deny at the end of the VACL would not allow anything other than what is specified...

Hello

Edited - apologies, misread OP, as it states no communication for the other VLANs also!

The example below will allow VLAN 1 to establish communication to the other VLANs, but not traffic from the other VLANs initiated towards VLAN 1.
VLAN 2 won't allow any communication between VLANs 3, 4, 5 and just established TCP and ICMP replies for VLAN 1.

ip access-list extended vlan1
 permit tcp 2.2.2.0 0.0.0.255 any established
 permit tcp 3.3.3.0 0.0.0.255 any established
 permit tcp 4.4.4.0 0.0.0.255 any established
 permit tcp 5.5.5.0 0.0.0.255 any established
 deny ip 2.2.2.0 0.0.0.255 any
 deny ip 3.3.3.0 0.0.0.255 any
 deny ip 4.4.4.0 0.0.0.255 any
 deny ip 5.5.5.0 0.0.0.255 any
 permit ip any any

int vlan 1
 ip access-group vlan1 out

ip access-list extended vlan2
 deny icmp 3.3.3.0 0.0.0.255 any
 deny icmp 4.4.4.0 0.0.0.255 any
 deny icmp 5.5.5.0 0.0.0.255 any
 deny ip 3.3.3.0 0.0.0.255 any
 deny ip 4.4.4.0 0.0.0.255 any
 deny ip 5.5.5.0 0.0.0.255 any
 permit ip any any

int vlan 2
 ip access-group vlan2 out

etc........

res
Paul



Kind Regards
Paul
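Added example (not part of the thread, and not Cisco code): a small offline evaluator for the per-SVI outbound ACL scheme in the last reply, generalised to all five VLANs so the OP's requirement (VLAN 1 reaches everything, each tenant VLAN reaches only itself) can be checked as a reachability matrix before anything is typed into the switch. It assumes VLAN 1 uses 1.1.1.0/24 (the post only shows 2.2.2.0 to 5.5.5.0), takes the first host of each subnet as the test endpoint, and models IOS first-match evaluation with the implicit deny and the TCP-only `established` keyword.

```python
# Added example, not from the thread. Assumptions: VLAN 1 subnet is
# 1.1.1.0/24; hosts are the first address of each /24; standard library only.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Optional[IPNet]        # None means "any"
    dst: Optional[IPNet]
    established: bool = False   # TCP-only keyword: ACK or RST set


def _parse_addr(tokens: List[str]) -> Tuple[Optional[IPNet], List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{net}/{mask}", strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE, e.g. 'permit tcp 2.2.2.0 0.0.0.255 any established'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    return Ace(action, proto, src, dst, "established" in rest)


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             established: bool = False) -> bool:
    """First matching ACE decides; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src is not None and s not in ace.src:
            continue
        if ace.dst is not None and d not in ace.dst:
            continue
        if ace.established and not (proto == "tcp" and established):
            continue
        return ace.action == "permit"
    return False


# Constructed topology following the post's numbering (VLAN 1 subnet assumed)
VLANS = {v: ipaddress.ip_network(f"{v}.{v}.{v}.0/24") for v in (1, 2, 3, 4, 5)}


def wildcard(net: IPNet) -> str:
    """Render a network in IOS 'address wildcard' form."""
    return f"{net.network_address} {net.hostmask}"


def build_acl(vlan: int) -> List[Ace]:
    """Generate the 'vlanN' ACL for 'int vlan N' following the post's pattern."""
    others = [v for v in VLANS if v not in (1, vlan)]
    lines = []
    if vlan == 1:
        # Replies to TCP sessions VLAN 1 opened may come back; nothing else from tenants
        lines += [f"permit tcp {wildcard(VLANS[v])} any established" for v in others]
    lines += [f"deny ip {wildcard(VLANS[v])} any" for v in others]
    lines.append("permit ip any any")   # VLAN 1 traffic falls through to this
    return [parse_ace(line) for line in lines]


ACLS = {v: build_acl(v) for v in VLANS}


def allowed(src_vlan: int, dst_vlan: int, proto: str = "tcp",
            established: bool = False) -> bool:
    """Routed traffic exits via the destination SVI, where its outbound ACL applies."""
    if src_vlan == dst_vlan:
        return True   # same-subnet traffic is bridged and never meets the SVI ACL
    src_ip = str(VLANS[src_vlan][1])
    dst_ip = str(VLANS[dst_vlan][1])
    return evaluate(ACLS[dst_vlan], proto, src_ip, dst_ip, established)


def check_policy() -> bool:
    """OP's requirement: VLAN 1 reaches everything, tenants reach only themselves."""
    for s in VLANS:
        for d in VLANS:
            if allowed(s, d) != (s == d or s == 1):
                return False
    return True


if __name__ == "__main__":
    print("policy holds:", check_policy())
    print("vlan 2 -> vlan 1 TCP reply:", allowed(2, 1, "tcp", established=True))
    print("vlan 2 -> vlan 1 ICMP echo-reply:", allowed(2, 1, "icmp"))
```

Running it confirms the new-connection matrix the reply describes. It also makes one consequence of stateless ACLs visible: because `established` only ever matches TCP, an ICMP echo reply from a tenant VLAN back to VLAN 1 is dropped by the `deny ip` line on `int vlan 1`, so a ping from VLAN 1 into a tenant VLAN gets no answer with these rules as written, even though TCP sessions opened from VLAN 1 work.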