10-16-2008 05:07 AM - edited 03-06-2019 01:57 AM
Hi all,
Well, in my network inter-VLAN routing is working perfectly. We have about 80 switches in the network, including all Access as well as Distribution. Now I have a case in hand where we have to stop all VLAN 20 users from accessing all VLAN 30 users. In the current scenario they are able to access the internet, which should not get hampered. Well, both these VLANs are present on almost 30 odd switches and they all are getting connected through Core switches. How can I achieve it? Can we discuss all the possible solutions for the same, irrespective of network? In general, if I want to achieve this, how can I do it?
Please help me on this.
Thanking you.
Regards,
Mangesh.
10-16-2008 05:32 AM
Mangesh
Doesn't matter how many switches you have, because it is the L3 interfaces for these vlans where you apply the access-list.
So let's say
vlan 20 = 192.168.5.0/24
vlan 30 = 192.168.6.0/24
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 permit ip any any
int vlan 20
ip access-group 101 in
The above will stop any traffic from vlan 20 to vlan 30 but allow all other traffic from vlan 20 to any other destination.
Jon
10-16-2008 05:39 AM
Hi Jon,
Thanks for your reply, well that is absolutely correct. Well, besides ACL can we do it in any other way? Just for extra knowledge I am asking. If you don't mind, can you please suggest other possible solutions besides this.
Like many things were coming to my mind, like Private VLANs, then the protected option, then VACL if possible...
Thanking you.
Regards,
Mangesh.
10-16-2008 05:42 AM
Private vlans and VACLs are generally used for traffic between members of the same vlan, not between members of different vlans.
You could use a firewall instead but it's the same principle.
Jon
10-16-2008 06:18 AM
Hi Jon,
Thanks for your reply.
Thanks for all the help.
Thanks John to you too.
Regards,
Mangesh.
10-16-2008 05:33 AM
Use ACLs on vlan20 to block access to vlan30's subnet. That's the easiest way.
--John
10-16-2008 06:21 AM
You may also want to consider blocking ICMP in your ACL in addition to the IP block you've defined.
Bill
10-16-2008 06:23 AM
Bill
Not sure what you mean here. If you block IP you automatically block all ICMP as well.
Jon
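As an added illustration that is not part of the thread, here is a small Python model of how IOS evaluates a numbered access-list, run against Jon's ACL 101 from above. It shows why Jon's answer to Bill holds: a `deny ip` entry matches every IP protocol, so ICMP from vlan 20 to vlan 30 is already dropped and a separate ICMP entry adds nothing. The matching logic (wildcard masks, first-match, implicit deny) is my own reconstruction of IOS behaviour, not Cisco code.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry, as parsed from an IOS access-list line."""
    action: str    # "permit" or "deny"
    protocol: str  # "ip", "icmp", "tcp", "udp"
    src: str
    src_wild: str  # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wild: str


def _parse_addr(tok):
    """Consume an IOS address spec: 'any', 'host A.B.C.D', or 'net wildcard'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]


def parse_ace(line):
    """Parse 'access-list <n> <action> <proto> <src> <dst>' into an Ace."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, src_w, rest = _parse_addr(rest)
    dst, dst_w, _ = _parse_addr(rest)
    return Ace(action, proto, src, src_w, dst, dst_w)


def _match_addr(addr, net, wild):
    """IOS wildcard match: compare only the bits where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def evaluate(acl, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        # 'ip' is a wildcard protocol: it matches icmp, tcp, udp, everything.
        if ace.protocol not in ("ip", proto):
            continue
        if _match_addr(src, ace.src, ace.src_wild) and \
                _match_addr(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


# Jon's ACL 101 exactly as posted above, applied inbound on 'int vlan 20'.
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255",
    "access-list 101 permit ip any any",
)]
```

Only packets entering the vlan 20 SVI (i.e. sourced from vlan 20 hosts) are evaluated by this ACL; the constructed addresses in the test are vlan 20 and vlan 30 hosts plus an internet destination.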
10-16-2008 06:29 AM
Hi Bill,
Yeah, I will do that for sure. Thanks for your input.
Regards,
Mangesh.