10-25-2023 02:55 AM
Hello,
I have a network with 16 VLANs with network IPs that range from 192.168.10.0 to 192.168.160.0 connected to an ISR4331 router with RoaS set up to allow Internet connection. But I want those VLANs to not be able to communicate with each other except for 1.
I have tried a bunch of different ACL setups but all of them ended up not blocking inter-VLAN Routing.
How should I set up the ACLs in order to achieve this?
Thanks in advance.
10-25-2023 03:02 AM - edited 10-25-2023 03:03 AM
Hello @Elsho,
Please share your ACL and where you apply it?
10-25-2023 04:07 AM
I suppose you could create an ACL that denies all your specified subnets followed by a permit any at the end. Apply this inbound on each of your VLANs. Share your configuration if you can.
10-25-2023 04:12 AM - edited 10-25-2023 06:57 AM
Hello
A Routed ACL should be applied to each subinterface of the ROAS
Example:
ip access-list extended RACL-VL10
 deny ip any 192.168.11.0 0.0.0.255
 deny ip any 192.168.12.0 0.0.0.255
 deny ip any 192.168.13.0 0.0.0.255
 ! etc...
 permit ip any any
!
int x/x.10
 description vlan 10
 encapsulation dot1q 10
 ip access-group RACL-VL10 in
!
ip access-list extended RACL-VL11
 deny ip any 192.168.10.0 0.0.0.255
 deny ip any 192.168.12.0 0.0.0.255
 deny ip any 192.168.13.0 0.0.0.255
 ! etc...
 permit ip any any
!
int x/x.11
 description vlan 11
 encapsulation dot1q 11
 ip access-group RACL-VL11 in
10-25-2023 06:30 AM
I like Paul's suggestion of an access list per interface. But if the various subnets are destination addresses then the access-group should specify in rather than out. And if the acl is specific to the interface then it might specify the interface subnet as the source rather than using any.
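Worked example added to this thread (not the OP's configuration and not Paul's or Richard's own code): a small Python script that generates the per-subinterface routed ACLs Paul describes, with Richard's refinements (ACL applied inbound, source restricted to the interface's own subnet), and then evaluates the generated ACLs offline against a few sample flows so the "isolated except for one VLAN" rule can be checked before anything is pasted into the router. Assumptions are labelled in the code: VLAN IDs 10, 20 ... 160 with the ID reused as the third octet, VLAN 10 as the one VLAN everyone may still reach, and a placeholder trunk interface name.

```python
import ipaddress

# Constructed topology, an assumption for this example and not from the thread:
# 16 VLANs whose ID doubles as the third octet, 192.168.10.0/24 .. 192.168.160.0/24.
VLANS = {vid: ipaddress.ip_network(f"192.168.{vid}.0/24") for vid in range(10, 170, 10)}
SHARED_VLAN = 10                      # assumption: the one VLAN every other VLAN may still reach
PARENT_IF = "GigabitEthernet0/0/1"    # placeholder trunk interface; substitute your own


def wildcard(net):
    """IOS ACLs take wildcard masks, i.e. the inverse of the netmask (0.0.0.255 for a /24)."""
    return str(net.hostmask)


def build_racl(vid):
    """IOS lines for the inbound ACL of one VLAN subinterface.

    Source is the VLAN's own subnet (Richard's refinement) instead of 'any';
    each other isolated VLAN is denied as a destination; the shared VLAN and
    the Internet fall through to the final 'permit ip any any'.  The shared
    VLAN itself gets no deny entries, otherwise it could not answer anyone.
    """
    src = VLANS[vid]
    lines = [f"ip access-list extended RACL-VL{vid}"]
    for other, dst in VLANS.items():
        if vid == SHARED_VLAN or other in (vid, SHARED_VLAN):
            continue
        lines.append(f" deny ip {src.network_address} {wildcard(src)} "
                     f"{dst.network_address} {wildcard(dst)}")
    lines.append(" permit ip any any")
    return lines


def build_subinterface(vid):
    """ROAS subinterface with the ACL applied inbound (the direction corrected in the thread)."""
    net = VLANS[vid]
    return [
        f"interface {PARENT_IF}.{vid}",
        f" description vlan {vid}",
        f" encapsulation dot1Q {vid}",
        f" ip address {net.network_address + 1} {net.netmask}",
        f" ip access-group RACL-VL{vid} in",
    ]


def render_config():
    """Complete ACL + subinterface configuration for all VLANs, as one string."""
    out = []
    for vid in VLANS:
        out += build_racl(vid) + ["!"] + build_subinterface(vid) + ["!"]
    return "\n".join(out)


# --- minimal evaluator so the generated ACLs can be checked offline -----------

def _take_addr(tokens):
    """Consume one ACE address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _matches(spec, ip):
    """Wildcard compare: bits set in the wildcard are 'don't care'."""
    base, wc = spec
    if base == "any":
        return True
    care = ~int(ipaddress.ip_address(wc)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(base)) & care)


def acl_permits(acl_lines, src_ip, dst_ip):
    """Top-down, first match wins, implicit deny at the end (as IOS does)."""
    for line in acl_lines:
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                        # skip the 'ip access-list' header
        src, rest = _take_addr(tokens[2:])  # tokens[1] is the protocol, always 'ip' here
        dst, _ = _take_addr(rest)
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return tokens[0] == "permit"
    return False


def reachable(src_vlan, dst_ip):
    """Does a packet from a host on src_vlan pass that subinterface's inbound RACL?"""
    src_ip = str(VLANS[src_vlan].network_address + 10)
    return acl_permits(build_racl(src_vlan), src_ip, dst_ip)


if __name__ == "__main__":
    print(render_config())
    # 203.0.113.10 is a documentation address standing in for an Internet host
    for src, dst in [(20, "192.168.30.5"), (20, "192.168.10.5"), (10, "192.168.20.5"), (20, "203.0.113.10")]:
        print(f"VLAN {src} -> {dst}: {'permit' if reachable(src, dst) else 'deny'}")
```

Two points worth keeping in mind when using output like this: the RACLs are stateless, so the shared VLAN's own ACL must stay at `permit ip any any` or its replies to the other VLANs are dropped on the way back in; and once the deny entries name the interface subnet as source rather than `any`, a packet arriving with a source address outside that subnet no longer matches any deny, so pair this style with `ip verify unicast source reachable-via rx` on the subinterfaces, or keep `any` as the source as in Paul's original example.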
10-25-2023 06:59 AM
Hello @Richard Burts
Absolutely correct, that's a typo on my part so apologies to the OP, I didn't even spot it as I posted it. (Edited accordingly.)