
vlan

eng_adel273
Level 1

I have 5 vlans

 

vlan 100

vlan 101

vlan 102

vlan 103

vlan 104

 

1 - I need all VLANs to be able to access VLAN 104 and the internet

2 - I need the other VLANs (100, 101, 102, 103) to be prevented from accessing each other

 

 

 

7 Replies

Hi @eng_adel273

The solution for that depends on each device you have on the network. You need to have a layer 3 device or a firewall.

To isolate VLANs you can use the concept of Isolated VLAN present on IOS, and to allow them to communicate you can use inter-VLAN routing, using either a router or a firewall.

 

 

-If I helped you somehow, please, rate it as useful.-

 

Hello,

 

Below are access lists that prevent and allow inter-VLAN access (the IP addressing is probably different from yours). I am not sure if this is the shortest way to configure the access lists... post your addressing scheme if possible.

 

interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip access-group 100 in

 

interface Vlan101
ip address 192.168.101.1 255.255.255.0
ip access-group 101 in

 

interface Vlan102
ip address 192.168.102.1 255.255.255.0
ip access-group 102 in

 

interface Vlan103
ip address 192.168.103.1 255.255.255.0
ip access-group 103 in

 

interface Vlan104
ip address 192.168.104.1 255.255.255.0

 

access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny ip 192.168.103.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 permit ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any

 

access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 deny ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 101 deny ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 101 permit ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip any any

 

access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 102 deny ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 permit ip any any

 

access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 103 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 103 deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 permit ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 103 permit ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 permit ip any any
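
The first-match behaviour of the ACL posted above can be checked offline. The following is an added example, not part of the original reply: a small Python evaluator (function names are illustrative) that parses ACL 100 as posted, tests flows from Vlan100, and lists the entries whose source can never appear inbound on that SVI. It assumes hosts in VLAN 100 use addresses from 192.168.100.0/24; any host addresses passed to it are constructed test values.

```python
import ipaddress

# ACL 100 exactly as posted in the reply above; it is bound inbound on
# interface Vlan100 (192.168.100.1/24).
ACL_100 = """
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny ip 192.168.103.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 permit ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any
"""

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def take_net(tok):
    """Consume 'any' or '<address> <wildcard>'; return ((addr, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    return (ip_int(tok[0]), ip_int(tok[1])), tok[2:]

def parse_acl(text):
    """Parse numbered 'access-list N <action> ip <src> <dst>' entries in order."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        tok = line.split()
        src, rest = take_net(tok[4:])      # tok[2] = action, tok[3] = protocol
        dst, _ = take_net(rest)
        rules.append((tok[2], src, dst, line))
    return rules

def overlaps(a, b):
    """True if two (addr, wildcard) patterns share at least one address."""
    return ((a[0] ^ b[0]) & ~a[1] & ~b[1] & 0xFFFFFFFF) == 0

def evaluate(rules, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, d, _ in rules:
        if overlaps((ip_int(src), 0), s) and overlaps((ip_int(dst), 0), d):
            return action
    return "deny"

def never_matched_inbound(rules, svi_net):
    """Entries whose source lies outside the SVI subnet; local hosts never hit them."""
    return [line for _, s, _, line in rules if not overlaps(s, svi_net)]
```

For ACL 100, the four entries whose source is 192.168.101.0, 192.168.102.0, 192.168.103.0 or 192.168.104.0 are reported as never matched inbound on Vlan100; the isolation comes from the three deny entries sourced from 192.168.100.0.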

Hi

You can use one of these methods:

- Extended ACL, as Georg mentioned

- Use VACL (VLAN ACL); supported on specific models.

- Install a firewall where it is the gateway for each VLAN.

 

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

Thank you for your request

 

I need to know how to do this by

- Install a Firewall where it is the gateway for each VLANs. 

 

I used the following commands, with the IP of the firewall, but it failed

ip dhcp pool hr

 default-router "192.168.15.52"
 network 192.168.201.0 255.255.255.0

dns-server "192.168.15.53,192.168.15.55"

You can use your router as a firewall or move your VLAN gateway to your firewall.

How can I move the VLAN gateway to the firewall?

Your firewall needs to have the necessary license. It will be quite a few changes to your network.
For the Cisco ASA series, there is a limit on the number of VLANs. However, based on your current knowledge, it is better to use George's solution.