Disable Inter-VLAN Communication

Gentry (Level 1)

Hi,

We have a 3750 which acts as our core router and several 2960s and a 4948 as L2 devices. We have 3 VLANs (10-data 172.18.80.0, 20-voice 172.18.82.1 and 30-wifi 192.175.31.0 dot1x). Wifi is set up to authenticate to the DC with the same subnet, but the problem is I'm able to access the 192.175.31.0 network from the 172.18.80.0 network. What would be the best way to restrict access to VLAN 30 from VLANs 10 and 20? What would be the right access-list command to accomplish this? Any help is greatly appreciated. Thanks

3750:
interface GigabitEthernet1/0/12
description ***4948_TRUNK***
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30
switchport mode trunk

interface Vlan30
description DOT1.X WIFI
ip address 192.175.31.1 255.255.255.0 secondary
ip address 192.175.30.1 255.255.255.0
ip helper-address 192.175.31.5

4948:
interface GigabitEthernet1/4
description ***TRUNK_TO_3750_PORT_12***
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30
switchport mode trunk

4 Replies

Carlos Villagran (Cisco Employee)

Hi!

You can configure a RACL which will deny traffic from those VLANs from communicating with the VLAN30 interface; it should be something like this:

interface Vlan30
description DOT1.X WIFI
ip address 192.175.31.1 255.255.255.0 secondary
ip address 192.175.30.1 255.255.255.0
ip helper-address 192.175.31.5

ip access-group ISOLATED in

ip access-list standard ISOLATED
 deny 172.18.80.0 0.0.0.255
 deny 172.18.82.0 0.0.0.255
 permit any

Hope it helps, best regards!

JC

JC,

I tried your suggested config, but I can still ping and access the AP from VLAN 10. I also tried this config, but still no luck. Any other suggestion?

ip access-list extended BAN_VLAN_10
deny ip 172.18.80.0 0.0.0.255 any
deny ip 172.18.82.0 0.0.0.255 any
permit ip any any
!
interface Vlan30
ip access-group BAN_VLAN_10 in

I also tried changing it to "out" and still traffic is not restricted.

interface Vlan30
ip access-group BAN_VLAN_10 out 

Hi!

Can you try:

interface Vlan30
description DOT1.X WIFI
ip address 192.175.31.1 255.255.255.0 secondary
ip address 192.175.30.1 255.255.255.0
ip helper-address 192.175.31.5

ip access-group ISOLATED in

ip access-list extended ISOLATED
 deny ip any 172.18.80.0 0.0.0.255
 deny ip any 172.18.82.0 0.0.0.255
 permit ip any any

Hope it helps, best regards!

JC
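The following is an added example, not code from the thread or from Cisco: a small Python model of how an IOS router ACL bound to an SVI evaluates packets. It covers both ACLs proposed above, the first standard, source-based ACL and the accepted destination-based one, and shows why only the second isolates VLAN 30 when applied inbound on interface Vlan30: an inbound ACL on an SVI only inspects packets that enter the router from that VLAN, so a deny on VLAN 10/20 sources never matches there, whereas a deny on VLAN 10/20 destinations drops the replies and so breaks any flow in either direction. VLAN subnets and ACL names follow the thread; the host addresses are constructed for the example.

```python
"""
Added example (not from the thread): minimal model of IOS RACL evaluation on
an SVI. Subnets and ACL names follow the thread; sample hosts are constructed.
"""
import ipaddress
from dataclasses import dataclass

# IOS "any" is 0.0.0.0 with an all-ones wildcard
ANY = ("0.0.0.0", "255.255.255.255")

# Subnets on interface Vlan30 (primary and secondary, as in the thread)
VLAN30_NETS = [ipaddress.ip_network("192.175.30.0/24"),
               ipaddress.ip_network("192.175.31.0/24")]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    This is the inverse of a subnet mask: 0.0.0.255 means 'this /24',
    while 255.255.255.0 compares only the last octet."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; a standard ACL only looks at the source."""
    action: str            # "permit" or "deny"
    src: tuple             # (base, wildcard)
    dst: tuple = ANY


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


def inbound_on_vlan30(acl, src: str, dst: str) -> str:
    """Model 'ip access-group <acl> in' on interface Vlan30.
    The inbound ACL sees only packets entering the router through that SVI,
    i.e. packets sourced by VLAN 30 hosts. A packet from VLAN 10 to VLAN 30
    enters via Vlan10, so the Vlan30 inbound ACL never inspects it."""
    if not any(ipaddress.ip_address(src) in net for net in VLAN30_NETS):
        return "not-inspected"
    return evaluate(acl, src, dst)


def flow_completes(acl, initiator: str, responder: str) -> bool:
    """A ping or TCP handshake needs both directions forwarded; with a
    stateless ACL, dropping the reply is enough to break the flow."""
    forward = inbound_on_vlan30(acl, initiator, responder)
    reverse = inbound_on_vlan30(acl, responder, initiator)
    return forward != "deny" and reverse != "deny"


# First suggestion in the thread: standard ACL denying by *source*
# (written with the wildcard masks IOS expects for a /24).
STANDARD_SOURCE_DENY = [
    Ace("deny", ("172.18.80.0", "0.0.0.255")),
    Ace("deny", ("172.18.82.0", "0.0.0.255")),
    Ace("permit", ANY),
]

# Accepted answer: extended ACL denying by *destination*.
ISOLATED = [
    Ace("deny", ANY, ("172.18.80.0", "0.0.0.255")),
    Ace("deny", ANY, ("172.18.82.0", "0.0.0.255")),
    Ace("permit", ANY, ANY),
]

# Constructed sample hosts: a data-VLAN PC, a wifi client, an off-net server
DATA_PC = "172.18.80.50"
WIFI_CLIENT = "192.175.31.20"
OFFNET_SERVER = "203.0.113.10"


def summary() -> dict:
    """Which flows complete under each ACL applied inbound on Vlan30."""
    return {
        "source-deny: VLAN10 -> VLAN30": flow_completes(STANDARD_SOURCE_DENY, DATA_PC, WIFI_CLIENT),
        "isolated:    VLAN10 -> VLAN30": flow_completes(ISOLATED, DATA_PC, WIFI_CLIENT),
        "isolated:    VLAN30 -> VLAN10": flow_completes(ISOLATED, WIFI_CLIENT, DATA_PC),
        "isolated:    VLAN30 -> offnet": flow_completes(ISOLATED, WIFI_CLIENT, OFFNET_SERVER),
    }


if __name__ == "__main__":
    for name, ok in summary().items():
        print(f"{name}: {'reachable' if ok else 'blocked'}")
```

Running it shows the source-based ACL leaving VLAN 10 to VLAN 30 reachable (the request is never inspected and the reply's source is a VLAN 30 host, which is permitted), while ISOLATED blocks traffic in both directions between VLAN 30 and VLANs 10/20 but still lets VLAN 30 reach other networks. The wildcard_match helper also makes the subnet-mask-versus-wildcard slip visible: with 255.255.255.0 as a wildcard, only the last octet is compared.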


Gentry (Level 1)

Thanks JC!!! It's working now. It's blocking the traffic originating from VLANs 10 and 20. I appreciate the feedback.
