Control VLAN access

RhysDmll6778 (Level 1)

Hi,

I am building a small LAN that makes use of several different VLANs (2, 10, 20 & 30) along with inter-VLAN trunking via a Layer 3 switch.

I am trying to stop devices in VLAN 10, 20 and 30 from communicating with each other, while allowing devices in VLAN 2 access to each VLAN.

Would using an access list to block the IP addresses in the subnets be the best way to ensure the VLANs cannot communicate? Is there any better way I could have achieved the same result?

I have applied the following config to the Layer 3 switch:

! Each list permits 10.5.3.0/28 (VLAN 2) and explicitly denies two other subnets.
! The implicit "deny ip any any" at the end of every IOS ACL then drops all
! remaining traffic, so the explicit deny lines below change nothing; only the
! permit line does any work. "out" on an SVI filters packets routed from the
! switch towards the hosts in that VLAN.
ip access-list extended VLAN30
 permit ip 10.5.3.0 0.0.0.15 any
 deny ip 10.5.3.16 0.0.0.15 any
 deny ip 10.5.3.64 0.0.0.63 any

int vlan30
 ip access-group VLAN30 out

ip access-list extended VLAN20
 permit ip 10.5.3.0 0.0.0.15 any
 deny ip 10.5.3.32 0.0.0.15 any
 deny ip 10.5.3.64 0.0.0.63 any

int vlan20
 ip access-group VLAN20 out

ip access-list extended VLAN10
 permit ip 10.5.3.0 0.0.0.15 any
 deny ip 10.5.3.16 0.0.0.15 any
 deny ip 10.5.3.32 0.0.0.15 any

int vlan10
 ip access-group VLAN10 out

I have attached a network diagram to help visualize my network (attachment: Network Map.JPG).

Any help is much appreciated.

3 Replies

Martin L (VIP)

You can zip and attach your PT file here; we can test it. Not sure if ACLs on an L3 switch work in PT.
Another way would be via router-on-a-stick, where a router does the routing for the VLANs instead of the L3 switch.

Hello

@RhysDmll6778 wrote:
> I am trying to stop devices in VLAN 10, 20 and 30 from communicating with each other, but allowing for devices in VLAN 2 access to each VLAN.

! Wildcard for 10.5.3.64 taken from the original post's config (0.0.0.63, a /26);
! 0.0.0.15 would only cover 10.5.3.64-79 and leave 10.5.3.80-127 unfiltered.
ip access-list extended vlan10_novl20-30
 deny ip 10.5.3.16 0.0.0.15 any
 deny ip 10.5.3.32 0.0.0.15 any
 permit ip any any

int vlan 10
 ip access-group vlan10_novl20-30 out

ip access-list extended vlan20_novlan10-30
 deny ip 10.5.3.64 0.0.0.63 any
 deny ip 10.5.3.32 0.0.0.15 any
 permit ip any any

int vlan 20
 ip access-group vlan20_novlan10-30 out

ip access-list extended vlan30_novlan10-20
 deny ip 10.5.3.64 0.0.0.63 any
 deny ip 10.5.3.16 0.0.0.15 any
 permit ip any any

int vlan 30
 ip access-group vlan30_novlan10-20 out

 



Kind Regards
Paul
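The policy discussed in this thread (VLAN 2 reaches everything, VLANs 10, 20 and 30 must not reach each other) and the "deny the other VLANs, permit the rest" outbound SVI ACLs can be generated and checked offline before touching the switch. The script below is an added example, not code from the thread or from Cisco: it renders one ACL plus interface stanza per isolated VLAN in IOS syntax, then simulates IOS ACL evaluation (first matching entry wins, implicit deny at the end) for every VLAN pair. The VLAN-to-subnet mapping (VLAN 2 = 10.5.3.0/28, VLAN 10 = 10.5.3.64/26, VLAN 20 = 10.5.3.16/28, VLAN 30 = 10.5.3.32/28) is an assumption read off the original poster's ACLs, since the diagram is not on the page. The constructed NARROW_MASK_VLAN20 list shows the failure mode worth testing for: a deny line whose wildcard is narrower than the subnet (0.0.0.15 on a /26) silently lets the upper part of that subnet through, which the checker catches by probing with the last host of each subnet rather than the first.

```python
"""Build per-SVI ACLs for the VLAN isolation policy asked about in the thread
and verify them by simulating IOS ACL evaluation (first match wins, implicit
deny at the end). Added example; the VLAN-to-subnet mapping below is an
assumption read off the original poster's ACLs, not stated on the page."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

VLANS: Dict[int, IPv4Network] = {      # assumed mapping
    2: ip_network("10.5.3.0/28"),      # management VLAN, may reach everything
    10: ip_network("10.5.3.64/26"),
    20: ip_network("10.5.3.16/28"),
    30: ip_network("10.5.3.32/28"),
}
ISOLATED = (10, 20, 30)                # must not reach each other


def matches(addr: str, base: str, wc: str) -> bool:
    """IOS wildcard match: a bit set in the wildcard means 'don't care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wc))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    # consume one address spec ('any', 'host A', or 'A WILDCARD') at t[i]
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_ace(line: str) -> Tuple[str, Tuple[str, str], Tuple[str, str]]:
    """Parse 'permit|deny ip <src> <dst>', the only ACE form used in the thread."""
    t = line.split()
    if t[0] not in ("permit", "deny") or t[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _addr(t, 2)
    dst, _ = _addr(t, i)
    return t[0], src, dst


def evaluate(acl: List[str], src: str, dst: str) -> str:
    """'permit' or 'deny' for one packet: the first matching ACE decides."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if matches(src, sb, sw) and matches(dst, db, dw):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny


def build_out_acl(vlan: int) -> List[str]:
    """ACL for 'ip access-group ... out' on interface Vlan<vlan>, i.e. on packets
    routed towards hosts in that VLAN: drop the other isolated VLANs as source,
    let everything else through (VLAN 2, upstream, and return traffic)."""
    # IPv4Network.hostmask is exactly the IOS wildcard (inverse subnet mask)
    acl = [f"deny ip {VLANS[o].network_address} {VLANS[o].hostmask} any"
           for o in ISOLATED if o != vlan]
    return acl + ["permit ip any any"]


def render_config(vlan: int) -> str:
    """IOS configuration lines for one SVI."""
    name = f"VLAN{vlan}_OUT"
    return "\n".join([f"ip access-list extended {name}"]
                     + [f" {ace}" for ace in build_out_acl(vlan)]
                     + [f"interface Vlan{vlan}", f" ip access-group {name} out"])


def violations(acls: Dict[int, List[str]]) -> List[Tuple[int, int]]:
    """VLAN pairs whose result through the destination SVI's outbound ACL differs
    from the policy. The source probe is the LAST host of its subnet, so a
    wildcard narrower than the subnet (0.0.0.15 on a /26) is caught."""
    bad = []
    for sv, snet in VLANS.items():
        for dv, dnet in VLANS.items():
            if sv == dv:
                continue  # same-VLAN traffic is bridged; it never hits the SVI ACL
            src, dst = str(list(snet.hosts())[-1]), str(next(dnet.hosts()))
            acl = acls.get(dv)
            got = "permit" if acl is None else evaluate(acl, src, dst)
            want = "deny" if sv in ISOLATED and dv in ISOLATED else "permit"
            if got != want:
                bad.append((sv, dv))
    return bad


GENERATED = {v: build_out_acl(v) for v in ISOLATED}
# Constructed inputs: the VLAN 20 list with a /28 wildcard on the /26 subnet
# (only 10.5.3.64-79 get denied), and the original poster's VLAN30 list, which
# permits VLAN 2 and otherwise relies on the implicit deny.
NARROW_MASK_VLAN20 = ["deny ip 10.5.3.64 0.0.0.15 any",
                      "deny ip 10.5.3.32 0.0.0.15 any", "permit ip any any"]
OP_VLAN30 = ["permit ip 10.5.3.0 0.0.0.15 any",
             "deny ip 10.5.3.16 0.0.0.15 any", "deny ip 10.5.3.64 0.0.0.63 any"]

if __name__ == "__main__":
    for v in ISOLATED:
        print(render_config(v))
    print("generated:", violations(GENERATED))                               # []
    print("narrow mask:", violations({**GENERATED, 20: NARROW_MASK_VLAN20}))   # [(10, 20)]
```

Running the script prints the three ACL and interface stanzas and the two violation lists. Two things the simulation does not model and that have to be checked on the device: SVI ACLs are stateless, so replies from VLAN 10 back to VLAN 2 are only allowed because the VLAN 2 SVI carries no ACL; and whether a given platform (or Packet Tracer) enforces ACLs on SVIs at all, which a test ping followed by `show ip access-lists` and its per-entry match counters will confirm.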

Hello,

Is this actually a Packet Tracer project, or a real multilayer switch? If it is a real switch, you could also consider VACLs...
