vlan

eng_adel273
Level 1

I have 5 vlans

 

vlan 100

vlan 101

vlan 102

vlan 103

vlan 104

 

1 - I need all VLANs to be able to access VLAN 104 and the internet

2 - I need the other VLANs 100, 101, 102, 103 to be prevented from reaching each other

7 Replies

Hi @eng_adel273

The solution for that depends on each device you have on the network. You need to have a layer 3 device or a Firewall. 

To isolate VLANs you can use the Isolated VLAN concept present in IOS, and to allow them to communicate you can use inter-VLAN routing, using either a router or a firewall.

 

 

-If I helped you somehow, please, rate it as useful.-

 

Hello,

 

Below are access lists that prevent and allow inter-VLAN access (IP addressing is probably different from yours). I am not sure if this is the shortest way to configure the access lists... Post your addressing scheme if possible.

 

interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip access-group 100 in

 

interface Vlan101
ip address 192.168.101.1 255.255.255.0
ip access-group 101 in

 

interface Vlan102
ip address 192.168.102.1 255.255.255.0
ip access-group 102 in

 

interface Vlan103
ip address 192.168.103.1 255.255.255.0
ip access-group 103 in

 

interface Vlan104
ip address 192.168.104.1 255.255.255.0

 

access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny ip 192.168.103.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 permit ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any

 

access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 deny ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 101 deny ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 101 permit ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip any any

 

access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 102 deny ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 permit ip any any

 

access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 103 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 103 deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 permit ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 103 permit ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 permit ip any any
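
An added check, not part of the original post: this Python sketch parses ACL 100 as posted, applies IOS first-match evaluation with wildcard masks to packets arriving inbound on Vlan100, and lists the entries whose source can never match traffic sourced in that VLAN. The host addresses are constructed, the parser covers only the `SRC WILD` and `any` forms used in this thread, and it assumes only 192.168.100.0/24 sources arrive on that interface.

```python
import ipaddress

# ACL 100 exactly as posted above, bound with "ip access-group 100 in" on Vlan100.
ACL_100 = """\
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny ip 192.168.103.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 permit ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any
"""

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        # "any" is shorthand for base 0.0.0.0 with wildcard 255.255.255.255
        tok = line.replace("any", "0.0.0.0 255.255.255.255").split()
        a = [int(ipaddress.IPv4Address(x)) for x in tok[4:8]]
        entries.append((tok[2], (a[0], a[1]), (a[2], a[3])))
    return entries

def overlaps(a, b):
    """True if two (base, wildcard) specs share at least one address."""
    return (a[0] ^ b[0]) & ~a[1] & ~b[1] & 0xFFFFFFFF == 0

def evaluate(acl, src, dst):
    """First matching entry wins; IOS appends an implicit deny to every ACL."""
    s, d = ((int(ipaddress.IPv4Address(x)), 0) for x in (src, dst))
    for action, src_spec, dst_spec in acl:
        if overlaps(s, src_spec) and overlaps(d, dst_spec):
            return action
    return "deny"

def dead_entries(acl, subnet):
    """Indexes of entries whose source can never match packets sourced in subnet."""
    net = ipaddress.IPv4Network(subnet)
    spec = (int(net.network_address), int(net.hostmask))
    return [i for i, e in enumerate(acl) if not overlaps(spec, e[1])]

if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    for dst in ("192.168.101.10", "192.168.104.10", "198.51.100.10"):  # constructed hosts
        print(dst, evaluate(acl, "192.168.100.10", dst))
    print("never hit inbound on Vlan100:", dead_entries(acl, "192.168.100.0/24"))
```
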

Hi

You can use one of these methods:

- Extended ACL as Georg mentioned

- Use VACL (VLAN ACL); supported on specific models.

- Install a firewall that is the gateway for each VLAN.

 

:-)




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other members of the community. <<

Thank you for your request

 

I need to know how to do this by

- Install a Firewall where it is the gateway for each VLANs. 

 

I used the following commands, with the IP of the firewall, but it failed

ip dhcp pool hr

 default-router "192.168.15.52"
 network 192.168.201.0 255.255.255.0

dns-server "192.168.15.53,192.168.15.55"

You can use your router as a firewall or move your VLAN gateway to your firewall.

How can I move the VLAN gateway to the firewall?

Your firewall needs to have the necessary license. It will be quite a few changes to your network.
For the Cisco ASA series, there is a limit on the number of VLANs. However, based on your current knowledge, it is better to use George's solution.