Blocking Inter-VLAN Routing while allowing Internet access

Elsho
Level 1

Hello,

I have a network with 16 VLANs with network IPs that range from 192.168.10.0 to 192.168.160.0 connected to an ISR4331 router with RoaS set up to allow Internet connection. But I want those VLANs to not be able to communicate with each other except for 1.
I have tried a bunch of different ACL setups but all of them ended up not blocking inter-VLAN Routing.
How should I set up the ACLs in order to achieve this?

Thanks in advance.

Accepted Solution

Hello
A Routed ACL should be applied to each subinterface of the ROAS.

Example:

ip access-list extended RACL-VL10
deny ip any 192.168.11.0 0.0.0.255
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
etc...
permit ip any any

int x/x.10
description vlan 10
encapsulation dot1q 10
ip access-group RACL-VL10 in

ip access-list extended RACL-VL11
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
etc...
permit ip any any

int x/x.11
description vlan 11
encapsulation dot1q 11
ip access-group RACL-VL11 in

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


5 Replies

M02@rt37
VIP

Hello @Elsho,

Please share your ACL and where you apply it?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Richard Pidcock
Level 1

I suppose you could create an ACL that denies all your specified subnets followed by a permit any at the end.  Apply this inbound on each of your VLANs.  Share your configuration if you can.

Richard W. Pidcock

I like Paul's suggestion of an access list per interface. But if the various subnets are destination addresses then the access-group should specify in rather than out. And if the ACL is specific to the interface then it might specify the interface subnet as the source rather than using any.

HTH

Rick

Hello @Richard Burts 
Absolutely correct, that's a typo on my part so apologies to the OP, I didn't even spot it as I posted it. (edited accordingly)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
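To tie the thread together, here is an added example (my own code, not from any poster or from Cisco) that generates the per-subinterface inbound ACL for all 16 VLANs with the source-subnet refinement suggested above, leaves one shared VLAN reachable, and then checks the result with a first-match evaluator. It assumes the 16 subnets step by 10 (192.168.10.0/24 up to 192.168.160.0/24) and that VLAN 160 is the one VLAN every other VLAN may reach; both are assumptions, not facts from the thread. One detail the generator handles that the thread does not spell out: the shared VLAN's own inbound ACL must not deny replies back to the other VLANs, or TCP return traffic dies there.

```python
import ipaddress

# Constructed to match the thread: 16 VLANs whose subnets run from 192.168.10.0/24
# to 192.168.160.0/24 (assumed to step by 10), with VLAN 160 assumed to be the one
# VLAN that every other VLAN may still reach.
VLANS = {10 * i: ipaddress.ip_network(f"192.168.{10 * i}.0/24") for i in range(1, 17)}
SHARED_VLAN = 160  # assumption: the "except for 1" VLAN from the question

def wildcard(net):
    """Cisco wildcard mask, the inverse of the subnet mask: /24 -> 0.0.0.255."""
    return str(net.hostmask)

def build_racl(vlan_id):
    """Extended ACL for one VLAN's subinterface, applied inbound (from the VLAN
    towards the router).  Source is the VLAN's own subnet rather than 'any', as
    refined in the thread; the shared VLAN is left reachable; the closing
    'permit ip any any' keeps Internet access working.  The shared VLAN gets no
    deny lines at all, so its replies to the other VLANs are not dropped."""
    src = VLANS[vlan_id]
    lines = [f"ip access-list extended RACL-VL{vlan_id}"]
    for other_id, dst in VLANS.items():
        if vlan_id == SHARED_VLAN or other_id in (vlan_id, SHARED_VLAN):
            continue  # own subnet and the shared VLAN are not blocked
        lines.append(f" deny ip {src.network_address} {wildcard(src)} "
                     f"{dst.network_address} {wildcard(dst)}")
    lines.append(" permit ip any any")
    return lines

def _consume(tokens, ip):
    """Match one address spec ('any' or 'addr wildcard'); return (hit, rest)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    addr, wc = int(ipaddress.ip_address(tokens[0])), int(ipaddress.ip_address(tokens[1]))
    care = 0xFFFFFFFF ^ wc  # wildcard 1-bits are "don't care" bits
    return (int(ip) & care) == (addr & care), tokens[2:]

def acl_action(acl, src_ip, dst_ip):
    """First-match evaluation of an ACL built above; unmatched traffic hits the
    implicit deny, as on IOS."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in acl[1:]:
        tokens = entry.split()
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the 'ip' keyword
        s_hit, rest = _consume(rest, src)
        d_hit, _ = _consume(rest, dst)
        if s_hit and d_hit:
            return action
    return "deny"
```

Printing "\n".join(build_racl(v)) for each VLAN id gives config you can paste under the matching subinterface with ip access-group RACL-VLnn in; the evaluator is only a sanity check of the intended policy, not a substitute for testing on the router.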