Block traffic between VLANs on the same interface

Sylvain Brault
Level 1

Hello everyone,

I have 3 VLANs on the same interface and would like to block all the traffic between VLAN 3 (Wifi access) and the other two, VLAN 1 & 2, for security reasons.

As the routing is automatic between the VLANs on the same interface, how can I block the traffic? Do I need to use an access-list?

Thanks for your help!

Here is an extract of my configuration:

interface GigabitEthernet0/0
 description Fiber Swisscomm
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface GigabitEthernet0/1
 description LAN-Greenwich
 no ip address
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.1
 description LAN Greenwich
 encapsulation dot1Q 1 native
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface GigabitEthernet0/1.2
 description IPC
 encapsulation dot1Q 2
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/1.3
 description Wifi Greenwich
 encapsulation dot1Q 3
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452

1 Accepted Solution

Accepted Solutions

stephen.stack
Level 4

Hi,

Yes, you would need an access list. Something like this:

ip access-list extended RESTRICT_WIFI
 deny ip any 192.168.0.0 0.0.0.255
 deny ip any 192.168.1.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/1.3
 ip access-group RESTRICT_WIFI in
!

==========================
http://www.rConfig.com
A free, open source network device configuration management tool, customizable to your needs!
- Always vote on an answer if you found it helpful


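To check what the accepted ACL actually permits before pushing it to the router, here is an added Python model of IOS extended-ACL matching (first match wins, inverted wildcard masks, implicit deny at the end). It is example code written for this thread, not the poster's or Cisco's, and the host addresses in it are constructed.

```python
import ipaddress

# Constructed sample: the RESTRICT_WIFI ACL from the answer, applied inbound on Gi0/1.3 (VLAN 3).
RESTRICT_WIFI = """
deny ip any 192.168.0.0 0.0.0.255
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
"""


def parse_target(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD') from tokens.
    Returns (address, care_mask): care_mask has 1 bits where the address must match."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # IOS wildcard masks are inverted: a 1 bit means "don't care", so invert to get the care bits.
    return addr, (~wildcard) & 0xFFFFFFFF


def parse_acl(text):
    """Parse 'deny|permit ip SRC DST' lines into (action, src_spec, dst_spec) entries, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src = parse_target(rest)  # pop() mutates rest, so dst picks up where src stopped
        dst = parse_target(rest)
        entries.append((action, src, dst))
    return entries


def matches(spec, ip):
    addr, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(entries, src_ip, dst_ip):
    """First matching entry decides; IOS appends an implicit 'deny ip any any'."""
    for action, src, dst in entries:
        if matches(src, src_ip) and matches(dst, dst_ip):
            return action
    return "deny"


def check_policy():
    """The thread's goal: a VLAN 3 host reaches neither VLAN 1 nor VLAN 2, but still reaches
    its own gateway and the Internet (203.0.113.10 is a constructed external address)."""
    acl = parse_acl(RESTRICT_WIFI)
    expected = {
        ("192.168.2.10", "192.168.0.20"): "deny",     # Wifi -> LAN Greenwich
        ("192.168.2.10", "192.168.1.5"): "deny",      # Wifi -> IPC
        ("192.168.2.10", "192.168.2.254"): "permit",  # Wifi -> its own gateway
        ("192.168.2.10", "203.0.113.10"): "permit",   # Wifi -> Internet via NAT
    }
    return {pair: evaluate(acl, *pair) == want for pair, want in expected.items()}
```

Because the ACL is stateless and applied inbound on Gi0/1.3, replies from a Wi-Fi host to a VLAN 1 or VLAN 2 host also hit the deny entries, so the block is effectively two-way.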

2 Replies


Thanks for your reply!
