Beginner

Control VLAN access

Hi,

 

I am building a small LAN that makes use of several different VLANs (2, 10, 20 & 30) along with interVLAN trunking via a Layer 3 Switch.

 

I am trying to stop devices in VLAN 10, 20 and 30 from communicating with each other, but allowing for devices in VLAN 2 access to each VLAN.

 

Would using an access list to block the IP addresses in the subnets be the best way to ensure the VLANs cannot communicate? Is there any better way I could have achieved the same result?

The following config I have applied to the Layer 3 switch

ip access-list extended VLAN30
permit ip 10.5.3.0 0.0.0.15 any
deny ip 10.5.3.16 0.0.0.15 any
deny ip 10.5.3.64 0.0.0.63 any

int vlan30
ip access-group VLAN30 out

ip access-list extended VLAN20
permit ip 10.5.3.0 0.0.0.15 any
deny ip 10.5.3.32 0.0.0.15 any
deny ip 10.5.3.64 0.0.0.63 any

int vlan20
ip access-group VLAN20 out

ip access-list extended VLAN10
permit ip 10.5.3.0 0.0.0.15 any
deny ip 10.5.3.16 0.0.0.15 any
deny ip 10.5.3.32 0.0.0.15 any

int vlan10
ip access-group VLAN10 out

I have attached a network diagram to help visualize my network

 

Network Map.JPG

 

Any help is much appreciated

Collaborator

Re: Control VLAN access


You can zip and attach your PT file here; we can test it. Not sure if ACLs on an L3 switch work in PT.
Another way would be via router-on-a-stick, where the router does the routing for the VLANs instead of the L3 switch.
VIP Mentor

Re: Control VLAN access

Hello


@RhysDmll6778 wrote:

I am trying to stop devices in VLAN 10, 20 and 30 from communicating with each other, but allowing for devices in VLAN 2 access to each VLAN.


ip access-list extended vlan10_novl20-30
deny ip 10.5.3.16 0.0.0.15 any
deny ip 10.5.3.32 0.0.0.15 any
permit ip any any


int vlan 10
ip access-group vlan10_novl20-30 out

 

ip access-list extended vlan20_novlan10-30
deny ip 10.5.3.64 0.0.0.15 any
deny ip 10.5.3.32 0.0.0.15 any
permit ip any any

int vlan 20
ip access-group vlan20_novlan10-30 out



ip access-list extended vlan30_novlan20-30
deny ip 10.5.3.64 0.0.0.15 any
deny ip 10.5.3.16 0.0.0.15 any
permit ip any any

int vlan 30
ip access-group vlan30_novlan20-30 out

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
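
An added example, not written by any poster in this thread: a small first-match evaluator for two of the extended ACLs quoted above, run over constructed source addresses to see which sources each list would let out of the SVI. It models only the source/wildcard match (every entry here uses `ip` and destination `any`); the sample addresses and function names are assumptions.

```python
import ipaddress

# Entries copied from the thread: the VLAN30 list in the question and the
# vlan20_novlan10-30 list in the reply.
QUESTION_VLAN30 = """
permit ip 10.5.3.0 0.0.0.15 any
deny ip 10.5.3.16 0.0.0.15 any
deny ip 10.5.3.64 0.0.0.63 any
"""
REPLY_VLAN20 = """
deny ip 10.5.3.64 0.0.0.15 any
deny ip 10.5.3.32 0.0.0.15 any
permit ip any any
"""
# Constructed source addresses (assumptions, not hosts from the thread).
SOURCES = ["10.5.3.5", "10.5.3.20", "10.5.3.40", "10.5.3.70", "10.5.3.100", "192.0.2.10"]

def parse_acl(text):
    """Parse '<action> ip <src> <wildcard> any' and '<action> ip any any' lines."""
    rules = []
    for line in text.strip().splitlines():
        fields = line.split()
        if fields[2] == "any":
            src, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
        else:
            src = int(ipaddress.IPv4Address(fields[2]))
            wild = int(ipaddress.IPv4Address(fields[3]))
        rules.append((fields[0], src, wild))
    return rules

def evaluate(rules, source):
    """Return the action of the first matching entry, else the implicit deny."""
    ip = int(ipaddress.IPv4Address(source))
    for action, src, wild in rules:
        # Wildcard bits set to 1 are ignored; all other bits must be equal.
        if (ip | wild) == (src | wild):
            return action
    return "deny"

def decisions(acl_text, sources=SOURCES):
    rules = parse_acl(acl_text)
    return {s: evaluate(rules, s) for s in sources}

if __name__ == "__main__":
    for name, acl in (("question VLAN30", QUESTION_VLAN30), ("reply vlan20", REPLY_VLAN20)):
        for src, action in decisions(acl).items():
            print(f"{name:16} {src:12} {action}")
```

With the entries as posted, 10.5.3.100 is denied by `10.5.3.64 0.0.0.63` in the first list but does not match `10.5.3.64 0.0.0.15` in the second, so there it reaches `permit ip any any`. The first list has no closing permit, so any source outside the listed blocks (192.0.2.10 here) hits the implicit deny.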
VIP Mentor

Re: Control VLAN access

Hello,

 

Is this actually a Packet Tracer project, or a real multilayer switch? If it is a real switch, you could also consider VACLs...
