07-10-2013 11:32 AM - edited 03-07-2019 02:20 PM
Hi, good morning everyone! Thank you for your help in advance. Hope you can help~~
Now I would like to set up a new vlan on our network/core switch (we have some other vlans running). But in the new vlan, we do not want to allow users from other vlans to access it. Would you mind helping to guide me through the configuration on the core switch?
By the way, currently all other vlans can communicate with each other, and I need to keep the same state for the rest of the vlans.
Thank you very much for your help.
Takami Chiro
07-10-2013 03:42 PM
Do the machines in the vlan need any access outside the vlan at all?
If not, then just have a flat layer 2 vlan with no default gateway.
If they do, then have an outbound access list on that vlan interface to prevent all the networks you wish to block.
07-10-2013 03:59 PM
Hi Bobson
I understand that you want to create a new vlan, but it doesn't have to have a connection with the rest of the vlans. In this case you could configure a VLAN Access List; that could be the better option. Tell me if you want me to show you some examples.
07-10-2013 04:21 PM
Hi Simon and Oscar, thank you for the response. Oscar, would you mind showing me the config example? The new vlan will have to access the internet, but we do not want other vlans to access the new vlan...
I do not want to mess up the production network, so the demo would be great.
Thank you!
Takami Chiro
07-10-2013 04:42 PM
Hi, perfect.
The example would be the following:
To have access to the internet and drop all the traffic, we only have to define the addresses to be dropped (the vlans
Define a VLAN Access Map
Switch(config)# vlan access-map (name vacl) (no. seq.)
Define the IP ACL (the ACL has to be configured previously)
Switch(config-access-map)# match ip address (ACL)
Define the action
Switch(config-access-map)# action ( drop | forward )
Apply the vlan map to a specific vlan
Switch(config)# vlan filter (name vacl) vlan-list (vlans)
Example
!
vlan access-map CiscoVACL 10
 action drop
 match ip address 1
vlan access-map CiscoVACL 20
 action forward
vlan filter CiscoVACL vlan-list 1-4096
vlan internal allocation policy ascending
!
access-list 1 permit 10.1.0.0 0.0.255.255    <---- you should configure all the vlans in this ACL
!
I really hope this helps you.
07-11-2013 01:29 AM
Oscar, forgive me here, but how does a layer 2 VACL deny traffic from other vlans entering this vlan? A VACL is used to filter traffic within the same VLAN, not between VLANs; a standard or extended ACL should be used on the layer 3 vlan interface outbound.
Could you please elaborate on your example above?
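As an added example (not posted by anyone in this thread), this is what the approach Simon describes looks like on the core switch: an extended ACL applied outbound on the new VLAN's SVI, so routed traffic from the other VLANs is dropped before it enters the new VLAN while Internet traffic still flows. VLAN 50, the subnets 10.1.10.0/24, 10.1.20.0/24 and 10.1.50.0/24, and the ACL name BLOCK-OTHER-VLANS are all constructed for the example; it assumes the core switch is the router between the VLANs.

```cisco
! Constructed example: VLAN 50 is the new isolated VLAN, 10.1.10.0/24 and
! 10.1.20.0/24 stand in for the subnets of the existing VLANs.
! The core switch is assumed to do the inter-VLAN routing (SVIs), so the
! filter sits on the Layer 3 interface of the new VLAN, not on a VACL.
!
vlan 50
 name ISOLATED
!
! Extended ACL: deny anything sourced from the existing VLAN subnets and
! destined for the new VLAN, permit everything else (Internet replies, DNS).
! Add one deny line per existing VLAN subnet.
ip access-list extended BLOCK-OTHER-VLANS
 remark Drop traffic originating in the other VLANs
 deny   ip 10.1.10.0 0.0.0.255 10.1.50.0 0.0.0.255
 deny   ip 10.1.20.0 0.0.0.255 10.1.50.0 0.0.0.255
 permit ip any any
!
! "out" means packets routed OUT of the core switch INTO VLAN 50, i.e. the
! traffic arriving from the other VLANs (Internet traffic is permitted above).
interface Vlan50
 ip address 10.1.50.1 255.255.255.0
 ip access-group BLOCK-OTHER-VLANS out
!
! Verification after applying:
!   show ip interface Vlan50                 -> "Outgoing access list is BLOCK-OTHER-VLANS"
!   show ip access-lists BLOCK-OTHER-VLANS   -> hit counters on the deny lines
```

The filter is stateless, so it also drops the replies to any connection a VLAN 50 host opens towards the other VLANs, which matches the request that the new VLAN only reach the Internet; traffic switched inside VLAN 50 itself never crosses the SVI and is not affected.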