VLAN Routing

DommeDE · ‎04-23-2020

We have 4 VLANs. The first VLAN has to be connected with all three others. VLAN 2, 3 and 4 have to communicate with the first but not with each other. Is this possible with a layer 3 switch? And how?

omz · ‎04-23-2020

private vlans?

https://networklessons.com/switching/private-vlan-pvlan-cisco-catalyst-switch

Giuseppe Larosa · ‎04-23-2020

Hello @DommeDE ,

yes it is possible by using extended IP ACLs applied to the SVI interfaces of the multilayer switch.

Remember of the implicit deny any in the ACL if you need to allow access to/from the internet.

Hope to help

Giuseppe

paul driver · ‎04-23-2020

Hello
As stated @Giuseppe Larosa you can achieve this via RACL applied to the SVI interface of vlan 2, 3, 4

Example:
ip access-list extended vlan2
deny ip any 3.3.3.0 0.0.0.255
deny ip any 4.4.4.0 0.0.0.255
permit ip any any

int vlan 2
ip access-group vlan2 in

ip access-list extended vlan3
deny ip any 2.2.2.0 0.0.0.255
deny ip any 4.4.4.0 0.0.0.255
permit ip any any

int vlan 3
ip access-group vlan3 in

ip access-list extended vlan4
deny ip any 2.2.2.0 0.0.0.255
deny ip any 3.3.3.0 0.0.0.255
permit ip any any

int vlan 4
ip access-group vlan4 in

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty · ‎04-23-2020

Besides the possibility of using ACLs, to control which VLANs can access other VLANs, another option might be to use VRFs (often modern Cisco switches support at least a "lite" version).

With VRFs, each VLAN would be in its own VRF and you would allow VLAN 1 to exchange routes with the other VLANs (i.e. so VLAN 1 would know of the other VLAN routes, but the other VLANs would only know of VLAN 1 routes).

Why use VRFs rather than ACLs? Possibly a bit easier to maintain.