11-16-2017 12:47 AM - edited 03-05-2019 09:29 AM
I have 5 VLANs:
vlan 100
vlan 101
vlan 102
vlan 103
vlan 104
1 - I need all VLANs to be able to access VLAN 104 and the internet.
2 - I need all the other VLANs (100, 101, 102, 103) to be prevented from reaching each other.
11-16-2017 01:15 AM
Hi @eng_adel273
The solution for that depends on the devices you have on the network. You need to have a layer 3 device or a firewall.
To isolate VLANs you can use the Isolated VLAN concept present on IOS, and to allow them to communicate you can use inter-VLAN routing, either with a router or a firewall.
-If I helped you somehow, please, rate it as useful.-
11-16-2017 01:27 AM - edited 11-16-2017 01:30 AM
Hello,
Below are access lists that prevent and allow inter-VLAN access (the IP addressing is probably different from yours). I am not sure if this is the shortest way to configure the access lists; post your addressing scheme if possible.
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan102
 ip address 192.168.102.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan103
 ip address 192.168.103.1 255.255.255.0
 ip access-group 103 in
!
interface Vlan104
 ip address 192.168.104.1 255.255.255.0
!
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 deny ip 192.168.103.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 permit ip 192.168.104.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 deny ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 101 deny ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 101 permit ip 192.168.104.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 102 deny ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 102 permit ip 192.168.104.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 103 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 deny ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 103 deny ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 permit ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 103 permit ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 103 permit ip any any
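As an added check, not from the thread or its posters, here is a small Python model of an inbound SVI ACL that verifies the lists above actually implement the policy from the question. It parses numbered extended ACL entries, applies IOS first-match semantics with the implicit deny, and reports every (destination, wanted, got) mismatch; the sample ACL text and the policy dictionary are constructed from the thread's addressing, and the reverse-direction lines of the posted ACL 100 are left out because an inbound ACL on Vlan100 only ever sees VLAN 100 sources.

```python
import ipaddress
# Cisco IOS numbered extended ACL applied "in" on an SVI: evaluated top down, first match
# wins, unmatched traffic hits the implicit deny. Parses only the forms used in the thread.

def _net(tokens):
    """Consume 'any' or '<addr> <wildcard>' from the token list; return an IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # an IOS wildcard mask is the bitwise inverse of a subnet mask
    mask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in entry order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # not an extended "ip" entry (e.g. interface or remark lines)
        rest = t[4:]
        acls.setdefault(t[1], []).append((t[2], _net(rest), _net(rest)))
    return acls

def evaluate(entries, src_ip, dst_ip):
    """Return 'permit' or 'deny' for one packet under first-match semantics."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny ip any any

def policy_violations(acls, number, src_ip, expected):
    """expected maps dst_ip -> 'permit'|'deny'; returns [(dst, wanted, got)] mismatches."""
    entries = acls.get(number, [])
    return [(dst, want, evaluate(entries, src_ip, dst)) for dst, want in expected.items()
            if evaluate(entries, src_ip, dst) != want]

# Constructed sample: the thread's ACL 100 (inbound on Vlan100) without the
# reverse-direction lines, which an inbound SVI ACL can never match anyway.
ACL_100 = """\
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 permit ip any any
"""
# The asker's policy for VLAN 100: reach VLAN 104 and the internet, no other internal VLAN.
POLICY_100 = {"192.168.104.10": "permit", "8.8.8.8": "permit", "192.168.101.10": "deny",
              "192.168.102.10": "deny", "192.168.103.10": "deny"}
```

Dropping the final `permit ip any any` from the sample makes the check report `("8.8.8.8", "permit", "deny")`, which is the mistake that silently cuts a VLAN off from the internet while VLAN 104 still works.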
11-16-2017 02:30 AM - edited 11-16-2017 02:40 AM
Hi
You can use one of these methods:
- Extended ACL as Georg mentioned
- Use a VACL (VLAN ACL); supported on specific models.
- Install a firewall that is the gateway for each VLAN.
:-)
11-21-2017 07:29 AM
Thank you for your request
I need to know how to do this by:
- Install a firewall that is the gateway for each VLAN.
I used the following commands, with the IP of the firewall, but it failed:
ip dhcp pool hr
default-router "192.168.15.52"
network 192.168.201.0 255.255.255.0
dns-server "192.168.15.53,192.168.15.55"
11-21-2017 08:32 AM
How can I move the VLAN gateway to the firewall?