
Catalyst 3560

isaacmora
Level 1

I have a Cisco Catalyst 3560 and I want to know how to block communication between two different VLANs.


5 Replies

Tom Watts
VIP Alumni

Hi Isaac, in a Layer 2 environment, inter-VLAN communication does not happen. All requests go to the router, and then the router permits the inter-VLAN communication. You may apply an access list on the interface connecting to the router.

-Tom
Please rate helpful posts


If you use the 3560 as a Layer 3 switch with VLAN interfaces, you can use an ACL to stop inter-VLAN communication, or the command "no ip routing" to disable the L3 features.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

Regards.

isaacmora
Level 1

Hi Thomas,

The Catalyst 3560 is an L3 switch; I want to know how I can use ACLs to stop inter-VLAN communication.

Hi,

Let's suppose you want VLAN 2 and VLAN 10 not to communicate with each other; just do something like this:

int vlan 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 199 in
int vlan 10
 ip address 192.168.10.1 255.255.255.0
! VLAN 2 is 192.168.2.0/24, so that is the source network the deny must name
access-list 199 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 199 permit ip any any

Regards.

Alain

Don't forget to rate helpful posts.

Good morning isaac mora

With the command “ip access-group (ACL-Name) in” you can block access to other VLANs.

For example, let's say you have 4 VLANs and a WAN connection.

Vlan10  192.168.10.0/24
Vlan20  192.168.20.0/24
Vlan30  30.0.0.0/8
Vlan40  192.168.0.0/16
WAN     10.10.10.0/30

This is the configuration:

ena
config t
ip routing
! enables the routing features (Layer 3 SVIs)
vlan 10
! creates your Vlan10
 name Block
exit
ip access-list extended DenyVLAN-10
! creates an ACL to deny the other networks (VLANs)
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 ! denies VLAN 20
 deny ip 192.168.10.0 0.0.0.255 30.0.0.0 0.255.255.255
 ! denies VLAN 30
 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
 ! denies VLAN 40 (192.168.40.0/24, matching the SVI below)
 permit ip any any
 ! allows access to the internet
exit
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 ip access-group DenyVLAN-10 in
 ! associates the ACL with VLAN 10
exit
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
exit
interface Vlan30
 ip address 30.0.0.254 255.0.0.0
 ! a host address; IOS rejects the network address 30.0.0.0 on an SVI
exit
interface Vlan40
 ip address 192.168.40.254 255.255.255.0
 ! /24 here: a /16 (192.168.0.0) would overlap Vlan10 and Vlan20 and IOS rejects it
exit

I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.

Greetings,

Johnnatan Rodriguez Miranda
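Both Alain's numbered ACL 199 and Johnnatan's named DenyVLAN-10 rely on one deny line per VLAN pair followed by "permit ip any any", so a deny line that names the wrong source network silently matches nothing and the permit lets the traffic through. The following evaluator is an added example, not code from the thread or from Cisco; it parses IOS "permit/deny ip SRC WILDCARD DST WILDCARD" entries (numbered or named form) and reports the verdict for a source/destination pair, with constructed ACLs for VLAN 2 and VLAN 10.

```python
import ipaddress

# Added example (not from the thread): evaluates IOS "permit/deny ip SRC WC DST WC" entries.

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match exactly, 1 bits are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _take_prefix(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse numbered ('access-list N ...') or named ('permit/deny ...') ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]  # drop 'access-list' and the list number
        action = tokens[0]       # tokens[1] is the protocol ('ip'), ignored here
        src, tokens = _take_prefix(tokens[2:])
        dst, _ = _take_prefix(tokens)
        aces.append((action, src, dst))
    return aces

def evaluate(aces, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, (sb, sw), (db, dw) in aces:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Constructed ACLs for VLAN 2 (192.168.2.0/24) and VLAN 10 (192.168.10.0/24). A deny
# line naming 192.168.1.0 never matches, so 'permit ip any any' lets the traffic through.
ACL_TYPO = """access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 199 permit ip any any"""
ACL_FIXED = ACL_TYPO.replace("192.168.1.0", "192.168.2.0")

def vlan2_to_vlan10(acl_text):
    """Verdict for a VLAN 2 host reaching VLAN 10 through 'ip access-group 199 in' on Vlan2."""
    return evaluate(parse_acl(acl_text), "192.168.2.10", "192.168.10.5")
```

Evaluating the fixed ACL with source 192.168.10.5 and destination 192.168.2.10 still returns "permit", because the ACL is stateless and only inspects packets entering the Vlan2 SVI. Sessions initiated from VLAN 10 therefore reach VLAN 2 unless Vlan10 gets its own inbound deny for that direction.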
