06-09-2022 10:53 AM - edited 06-09-2022 12:00 PM
This is what I currently have on my 9404R:
interface Vlan1
 description "Red VLAN"
 ip address 10.1.0.1 255.255.240.0
interface Vlan2
 description "Blue VLAN"
 ip address 10.1.16.1 255.255.240.0
interface Vlan3
 description "Green VLAN"
 ip address 10.1.252.1 255.255.240.0
interface Vlan4
 description "Purple VLAN"
 ip address 10.1.32.1 255.255.240.0
These are my goals:
1) Devices on VLAN 1 and VLAN 2 need to be able to communicate with each other, but need to remain separate broadcast domains.
2) VLAN 3 must not be able to communicate with any other VLAN, or vice versa.
3) VLAN 4 must not be able to communicate with any other VLAN, or vice versa.
4) (Added in response to a reply below) VLAN 3 and VLAN 4 require Internet access.
I understand that this command will accomplish the first goal, which will enable inter-VLAN routing, but not for DHCP broadcasts:
switch(config)#ip routing
That's cool. However, doing this creates the need to isolate VLANs 3 and 4.
This is my question:
What would be the best way to isolate VLANs 3 and 4 from each other and from VLANs 1 and 2? I've done a bunch of research. It seems there's more than one way to do this. I could create an ACL, but it also seems there are other ways. I'm looking for advice on the best approach to take as well as the specific commands to accomplish it.
Thanks.
06-09-2022 11:16 AM
DHCP broadcasts end at the L3 interface boundary, which is the VLAN SVI, so DHCP broadcasts are isolated.
For the other VLANs, 3 and 4:
You can use an ACL
Or
Isolate them with VRFs, meaning configure a different VRF than the global one; this totally isolates your VLAN.
06-09-2022 11:48 AM
Hello,
1. Each VLAN interface is its own separate broadcast domain, so it's already done.
2-3. To isolate traffic the way you want you could do an ACL and apply it to the VLAN interface denying traffic from entering or leaving. See below:
ip access-list extended 101
 deny ip any any
interface vlan 3
 ip access-group 101 in
 ip access-group 101 out
interface vlan 4
 ip access-group 101 in
 ip access-group 101 out
However, if you need VLAN 3 and 4 to reach other things like an outside network, then you could permit that specifically in the ACL you applied (that could be tedious if you have to modify it every time you need them to access another resource outside its subnet). Or you could create VRFs for the VLAN interfaces, separating their routing tables. See below:
ip vrf vlan3
interface vlan 3
 ip vrf forwarding vlan3 <--- this deletes the IP so you must re-add it.
 description "Green VLAN"
 ip address 10.1.252.1 255.255.240.0
ip vrf vlan4
interface vlan 4
 ip vrf forwarding vlan4 <--- this deletes the IP so you must re-add it.
 description "Purple VLAN"
 ip address 10.1.32.1 255.255.240.0
To verify with VRFs you need to use VRF-specific commands like show ip route vrf <name>, since it logically separates routing tables and networks.
Hope that helps
-David
06-09-2022 11:57 AM
If VLANs 3 and 4 should not communicate with anything outside their own VLANs, then don't create L3 VLAN interfaces for those VLANs.
However, if they do need to talk to other devices, e.g. the internet, then as David says deny traffic to the other VLAN IP subnets and then permit ip any any for the internet.
Jon
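The ACL approach David and Jon describe, written out for the subnets in the original post as an added example (not config posted by anyone in the thread); the ACL names are assumptions, and note that 10.1.252.1/20 sits in 10.1.240.0/20, so that is the network the ACL has to match for VLAN 3:

```cisco
! Added example, not from the thread. ACL names are assumptions; subnets are
! the /20s from the original post (10.1.252.1/20 lies in 10.1.240.0/20).
! Applied both in and out on the SVI, one ACL covers both directions:
!   in  = packets from VLAN 3 hosts  (deny other-VLAN destinations)
!   out = packets towards VLAN 3 hosts (deny other-VLAN sources)
! The final permit keeps Internet reachability (goal 4).
ip access-list extended ISOLATE-VLAN3
 deny   ip any 10.1.0.0 0.0.15.255
 deny   ip any 10.1.16.0 0.0.15.255
 deny   ip any 10.1.32.0 0.0.15.255
 deny   ip 10.1.0.0 0.0.15.255 any
 deny   ip 10.1.16.0 0.0.15.255 any
 deny   ip 10.1.32.0 0.0.15.255 any
 permit ip any any
!
ip access-list extended ISOLATE-VLAN4
 deny   ip any 10.1.0.0 0.0.15.255
 deny   ip any 10.1.16.0 0.0.15.255
 deny   ip any 10.1.240.0 0.0.15.255
 deny   ip 10.1.0.0 0.0.15.255 any
 deny   ip 10.1.16.0 0.0.15.255 any
 deny   ip 10.1.240.0 0.0.15.255 any
 permit ip any any
!
interface Vlan3
 ip access-group ISOLATE-VLAN3 in
 ip access-group ISOLATE-VLAN3 out
!
interface Vlan4
 ip access-group ISOLATE-VLAN4 in
 ip access-group ISOLATE-VLAN4 out
!
! Verify: the deny hit counters should increase when a VLAN 3 host pings
! 10.1.0.1, while a ping to an Internet address still succeeds.
! show access-lists ISOLATE-VLAN3
```

Applying the ACL in only one direction leaves the other VLANs able to send into VLAN 3 (only the replies are dropped), which is why both directions are covered here; whenever a new subnet is added, both ACLs need a matching deny line before the permit.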