10-25-2023 02:55 AM
Hello,
I have a network with 16 VLANs with network IPs that range from 192.168.10.0 to 192.168.160.0 connected to an ISR4331 router with RoaS set up to allow Internet connection. But I want those VLANs to not be able to communicate with each other except for 1.
I have tried a bunch of different ACL setups but all of them ended up not blocking inter-VLAN Routing.
How should I set up the ACLs in order to achieve this?
Thanks in advance.
Labels: LAN Switching
Accepted Solutions
10-25-2023 04:12 AM - edited 10-25-2023 06:57 AM
Hello
A routed ACL should be applied to each subinterface of the RoaS.
Example:
ip access-list extended RACL-VL10
 deny ip any 192.168.11.0 0.0.0.255
 deny ip any 192.168.12.0 0.0.0.255
 deny ip any 192.168.13.0 0.0.0.255
 etc...
 permit ip any any
!
int x/x.10
 description vlan 10
 encapsulation dot1q 10
 ip access-group RACL-VL10 in
!
ip access-list extended RACL-VL11
 deny ip any 192.168.10.0 0.0.0.255
 deny ip any 192.168.12.0 0.0.0.255
 deny ip any 192.168.13.0 0.0.0.255
 etc...
 permit ip any any
!
int x/x.11
 description vlan 11
 encapsulation dot1q 11
 ip access-group RACL-VL11 in
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
10-25-2023 03:02 AM - edited 10-25-2023 03:03 AM
Hello @Elsho,
Please share your ACL and where you apply it.
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
10-25-2023 04:07 AM
I suppose you could create an ACL that denies all your specified subnets followed by a permit any at the end. Apply this inbound on each of your VLANs. Share your configuration if you can.
10-25-2023 06:30 AM
I like Paul's suggestion of an access list per interface. But if the various subnets are destination addresses then the access-group should specify in rather than out. And if the acl is specific to the interface then it might specify the interface subnet as the source rather than using any.
Rick
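Putting Paul's per-subinterface ACL together with Rick's refinement (interface subnet as source, ACL applied inbound) for the OP's 16 subnets, as an added example that is not from the thread: a generator for the full IOS config plus a first-match evaluator that checks the intended policy. Assumptions: the subnets step by 10 (192.168.10.0/24 through 192.168.160.0/24), VLAN 10 is the one VLAN the others may reach, and the parent interface is GigabitEthernet0/0/0; since IOS ACLs are stateless, the shared VLAN's own subinterface gets a permit-all so replies are not dropped.

```python
import ipaddress

# Constructed topology matching the thread: 16 VLANs, subnets 192.168.10.0/24 .. 192.168.160.0/24
VLANS = {vid: ipaddress.ip_network(f"192.168.{vid}.0/24") for vid in range(10, 170, 10)}
SHARED_VLAN = 10  # assumption: the one VLAN every other VLAN may still talk to

def acl_entries(vid, vlans=VLANS, shared=SHARED_VLAN):
    """Ordered (action, src_net, dst_net) entries for VLAN vid; (permit, None, None) is 'permit ip any any'."""
    if vid == shared:  # ACLs are stateless: the shared VLAN must be able to answer everyone
        return [("permit", None, None)]
    src = vlans[vid]
    entries = [("deny", src, dst) for other, dst in vlans.items() if other not in (vid, shared)]
    entries.append(("permit", None, None))  # what is left: the shared VLAN and the Internet
    return entries

def render_config(vid, parent="GigabitEthernet0/0/0"):
    """IOS text for the ACL and the RoaS subinterface applying it inbound (parent interface is an assumption)."""
    lines = [f"ip access-list extended RACL-VL{vid}"]
    for action, s, d in acl_entries(vid):
        # Cisco wildcard masks are inverted subnet masks, which ipaddress exposes as .hostmask
        lines.append(f" {action} ip any any" if s is None
                     else f" {action} ip {s.network_address} {s.hostmask} {d.network_address} {d.hostmask}")
    lines += ["!", f"interface {parent}.{vid}", f" description vlan {vid}",
              f" encapsulation dot1Q {vid}", f" ip access-group RACL-VL{vid} in", "!"]
    return "\n".join(lines)

def is_permitted(src_ip, dst_ip, vlans=VLANS, shared=SHARED_VLAN):
    """First-match evaluation of the inbound ACL on the subinterface the source host sits behind."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_vid = next((v for v, n in vlans.items() if src in n), None)
    if src_vid is None:
        return False
    for action, s_net, d_net in acl_entries(src_vid, vlans, shared):
        if s_net is None or (src in s_net and dst in d_net):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def verify_policy(vlans=VLANS, shared=SHARED_VLAN):
    """True if every VLAN pair is blocked unless one side is the shared VLAN, and the Internet stays reachable."""
    for a, na in vlans.items():
        for b, nb in vlans.items():
            if a != b and is_permitted(str(na[1]), str(nb[1]), vlans, shared) != (shared in (a, b)):
                return False
    return is_permitted(str(vlans[20][1]), "203.0.113.10", vlans, shared)

if __name__ == "__main__":
    print("\n".join(render_config(vid) for vid in VLANS))
    print("policy ok:", verify_policy())
```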
10-25-2023 06:59 AM
Hello @Richard Burts
Absolutely correct, that's a typo on my part, so apologies to the OP; I didn't even spot it as I posted it. (edited accordingly)
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
