Beginner

Catalyst 3560

I have a Cisco Catalyst 3560 and I want to know how to block communication between two different VLANs.

Accepted Solution
Advisor

Catalyst 3560

Hi,

Let's suppose you want VLAN 2 and VLAN 10 not to communicate with each other; just do something like this:

int vlan 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 199 in
!
int vlan 10
 ip address 192.168.10.1 255.255.255.0
!
! VLAN 2 is 192.168.2.0/24, so the deny must name that source network.
! (The line as originally posted read 192.168.1.0, which matches none of
! VLAN 2's hosts, so the deny would never fire.)
access-list 199 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 199 permit ip any any

Regards.

Alain

Don't forget to rate helpful posts.

5 Replies
Advocate

Catalyst 3560

Hi Isaac, in a Layer 2 environment, inter-VLAN communication does not happen. All requests go to the router, and then the router permits the inter-VLAN communication. You may apply an access list on the interface connecting to the router.

-Tom
Please rate helpful posts
Rising star

Catalyst 3560

If you use the 3560 as a Layer 3 switch with VLAN interfaces, you can use an ACL to stop inter-VLAN communication, or the command "no ip routing" to disable the L3 features.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

Regards.

Beginner

Catalyst 3560

Hi Thomas,

The Catalyst 3560 is an L3 switch; I want to know how I can use an ACL to stop inter-VLAN communication.


Re: Catalyst 3560

Good morning Isaac Mora,

With the command "ip access-group (ACL-Name) in" you can block access to other VLANs.

For example, let's say you have 4 VLANs and a WAN connection:

Vlan10  192.168.10.0/24
Vlan20  192.168.20.0/24
Vlan30  30.0.0.0/8
Vlan40  192.168.0.0/16
WAN     10.10.10.0/30

This is the configuration:

ena
config t
!
! enable routing features
ip routing
!
! creates your Vlan10
vlan 10
 name Block
 exit
!
! creates an ACL to deny the other networks (VLANs)
ip access-list extended DenyVLAN-10
 ! denies vlan 20
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 ! denies vlan 30
 deny ip 192.168.10.0 0.0.0.255 30.0.0.0 0.255.255.255
 ! denies vlan 40 (192.168.0.0/16). As posted this read 192.168.40.0 0.0.255.255;
 ! with that wildcard IOS ignores the last two octets, so it stores 192.168.0.0 anyway.
 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 ! allows access to the internet
 permit ip any any
 exit
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 ! associate the ACL to VLAN10
 ip access-group DenyVLAN-10 in
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
 exit
!
interface Vlan30
 ! a host address is required here; .254 follows the other SVIs. As posted this read
 ! 30.0.0.0 (the network address), which IOS rejects as a bad mask for that address.
 ip address 30.0.0.254 255.0.0.0
 exit
!
interface Vlan40
 ! note: IOS rejects this address because 192.168.0.0/16 overlaps the /24 subnets
 ! already configured on Vlan10 and Vlan20; VLAN 40 needs a non-overlapping subnet.
 ip address 192.168.40.254 255.255.0.0
 exit

I hope you find this answer useful; if it was satisfactory for you, please mark the question as answered.

Greetings,

Johnnatan Rodriguez Miranda
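As an added illustration for both ACL configurations in this thread (Alain's numbered access-list 199 and Johnnatan's named DenyVLAN-10), here is a small Python evaluator that applies Cisco-style wildcard matching to sample flows. It is not Cisco code and is not taken from any of the posts; the ACL lines are transcribed from the two answers, the sample hosts are constructed, and the VLAN 40 entry is written as 192.168.0.0 0.0.255.255, which is what IOS stores for that line. It shows why the source network in an entry has to match the VLAN the ACL is applied to, and that an ACL ends with an implicit deny.

```python
"""Cisco IOS-style IPv4 ACL evaluation (added example, not Cisco code).

Parses only the "ip" form used in the thread:
    [access-list <n>] {permit|deny} ip {<net> <wildcard>|any|host <a>} {<net> <wildcard>|any|host <a>}
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Match = Tuple[int, int]  # (network as int, wildcard mask as int)


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: Match
    dst: Match


def _parse_match(tokens: List[str], i: int) -> Tuple[Match, int]:
    """Parse '<net> <wildcard>', 'host <addr>' or 'any' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Accept both the numbered ('access-list 199 ...') and named ('deny ip ...') forms."""
    entries = []
    for raw in lines:
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue  # blank line or IOS comment
        if tokens[0] == "access-list":
            tokens = tokens[2:]  # drop 'access-list <number>'
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported entry: {raw!r}")
        src, i = _parse_match(tokens, 2)
        dst, _ = _parse_match(tokens, i)
        entries.append(AclEntry(tokens[0], src, dst))
    return entries


def wildcard_match(addr: str, m: Match) -> bool:
    """A wildcard bit of 1 means 'do not care'; only the 0 bits are compared."""
    net, wildcard = m
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care


def evaluate(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry.action
    return "deny"


# Alain's ACL with the source network as it was originally posted (192.168.1.0/24):
# VLAN 2 is 192.168.2.0/24, so this deny never matches VLAN 2's hosts.
ACL_199_AS_POSTED = parse_acl([
    "access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 199 permit ip any any",
])

# The same ACL with VLAN 2's real subnet as the source.
ACL_199_FIXED = parse_acl([
    "access-list 199 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 199 permit ip any any",
])

# Johnnatan's named ACL (VLAN 40 entry written as the network IOS stores for it).
DENY_VLAN_10 = parse_acl([
    "deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "deny ip 192.168.10.0 0.0.0.255 30.0.0.0 0.255.255.255",
    "deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "permit ip any any",
])

# Constructed sample flows: (source host, destination host, description).
SAMPLE_FLOWS = [
    ("192.168.2.25", "192.168.10.7", "VLAN 2 -> VLAN 10"),
    ("192.168.2.25", "8.8.8.8", "VLAN 2 -> Internet"),
    ("192.168.10.5", "192.168.20.5", "VLAN 10 -> VLAN 20"),
    ("192.168.10.5", "30.1.2.3", "VLAN 10 -> VLAN 30"),
    ("192.168.10.5", "192.168.77.1", "VLAN 10 -> VLAN 40"),
    ("192.168.10.5", "10.10.10.2", "VLAN 10 -> WAN"),
]


def verdicts(acl: List[AclEntry]) -> Dict[str, str]:
    """Map each sample flow description to the ACL's verdict."""
    return {desc: evaluate(acl, s, d) for s, d, desc in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, acl in (("199 as posted", ACL_199_AS_POSTED),
                      ("199 fixed", ACL_199_FIXED),
                      ("DenyVLAN-10", DENY_VLAN_10)):
        print(name)
        for desc, action in verdicts(acl).items():
            print(f"  {desc:20} {action}")
```

Run it directly to see the verdict table; the "199 as posted" column permits VLAN 2 to VLAN 10 because the deny's source network does not cover VLAN 2, while the corrected ACL denies that flow and still permits VLAN 2 to the Internet. Remember the ACL is evaluated on the inbound SVI only, so it sees traffic entering from that VLAN, not traffic arriving from the other side.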
