01-27-2012 06:17 AM - edited 03-07-2019 04:35 AM
Hi,
I have a layer 3 switch and I enabled IP routing on it. Now I wish that two VLANs don't route between them and that the traffic is automatically forwarded to the gateway. Is this possible?
Thanks
Etienne
01-27-2012 07:32 AM
Sure, you can disable inter-VLAN routing between two VLANs.
It is called a VLAN access-map; follow the example shown below.
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description VLAN connected to Firewall for accessing Internet.
 ip address 10.10.10.1 255.255.255.252
!
interface Vlan10
 description User one
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description User two
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 description Users three
 ip address 10.0.30.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip access-list standard INTERNET
 permit any
!
ip access-list extended DENY-INTERNAL
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
-----------------------------------------------------
vlan access-map RIZ-VLAN-MAP 10
 action drop
 match ip address DENY-INTERNAL
vlan access-map RIZ-VLAN-MAP 20
 action forward
 match ip address INTERNET
vlan filter RIZ-VLAN-MAP vlan-list 10-30
-------------------------------------------------------
In this example, users on the three VLANs 10, 20 and 30 can only access VLAN 2, which is the Internet-facing VLAN, and there is no access between VLANs 10, 20 and 30.
Hope this helps.
Thanks
Rizwan Rafeek
01-27-2012 07:52 AM
You can use Policy Based Routing, which can forcibly send all the traffic reaching the VLAN interfaces to a next hop of your choice.
Eg:
10.170.10.10 is the Gateway ip
---------------------------------------------------------------------------------------
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
route-map vlan500 permit 10
 match ip address 100
 set ip next-hop 10.170.10.10
route-map vlan600 permit 10
 match ip address 110
 set ip next-hop 10.170.10.10
int vlan 500
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map vlan500
int vlan 600
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map vlan600
---------------------------------------------------------------------------------------
Hope it helps
Neeraj
01-27-2012 06:28 AM
What is the gateway? A router?
01-27-2012 07:02 AM
Could you elaborate why you would want to do this? What is the specific problem you are trying to solve?
01-27-2012 07:52 AM
Thanks for your answer. Then, if I need communication between VLANs, is it possible to route the traffic to the gateway and then have the gateway route the traffic back to the router? Basically the gateway is an ASA and I would like to control access with a firewall even between VLANs. For design reasons I can't place the VLAN interfaces directly on the ASA.
Thanks
Etienne
01-27-2012 08:06 AM
Yes, you can, but this would require additional configuration on the ASA, as this would need U-turning of traffic coming from the inside interface back out through the same interface.
01-27-2012 08:34 AM
"control access with a firewall even between vlans."
This will complicate your firewall configuration, as it will require NAT between the interface VLANs on the firewall for you to control access between VLANs.
So, stick with controlling inter-VLAN traffic on your L3 switch itself.
Thanks
Rizwan Rafeek
01-27-2012 08:26 AM
"Then if i need communication between vlans is it possible to route traffic to the gateway then the gateway routes the traffic back to the router."
Sure, you can enable it again when you want to route inter-VLAN traffic between two VLANs.
The VLAN filter between VLANs is applied by this particular command: "vlan filter RIZ-VLAN-MAP vlan-list 10-30"
In this example all three VLANs cannot access each other.
However, if you want to enable traffic between two VLANs, then remove those particular VLANs from the filter, as in the example below.
vlan filter RIZ-VLAN-MAP vlan-list 10
As you can see now, traffic will flow between VLAN 20 and VLAN 30 (i.e. inter-VLAN routing is enabled between them), however VLAN 10 can only access VLAN 2, which faces the firewall, for Internet access only.
Hope that helps.
Thanks
Rizwan Rafeek
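An added example, not code from this thread: a small Python model of how the RIZ-VLAN-MAP above evaluates flows, so the policy (and the "vlan-list 10" variant from the follow-up) can be checked before it is pushed. It assumes standard IOS wildcard-mask matching and VACL semantics (first matching map entry wins, unmatched packets are dropped, the map applies to traffic bridged within or routed into or out of each filtered VLAN), and uses constructed sample addresses. Note that it also shows that DENY-INTERNAL catches host-to-host traffic inside a single VLAN and host-to-SVI traffic, because both ends fall in 10.0.0.0/16.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

# ACLs exactly as in the post: (action, src, src_wildcard, dst, dst_wildcard)
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    "INTERNET": [("permit", *ANY, *ANY)],
    "DENY-INTERNAL": [("permit", "10.0.0.0", "0.0.255.255", "10.0.0.0", "0.0.255.255")],
}
# vlan access-map RIZ-VLAN-MAP entries in sequence order: (seq, acl, action)
VLAN_MAP = [(10, "DENY-INTERNAL", "drop"), (20, "INTERNET", "forward")]
# SVI subnets from the post; any other destination leaves via the default route on VLAN 2
SVIS = {2: "10.10.10.0/30", 10: "10.0.10.0/24", 20: "10.0.20.0/24", 30: "10.0.30.0/24"}

def vlan_of(addr: str) -> int:
    for vid, net in SVIS.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
            return vid
    return 2

def acl_permits(name: str, src: str, dst: str) -> bool:
    for action, s, sw, d, dw in ACLS[name]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def map_decision(src: str, dst: str) -> str:
    """First matching access-map entry wins; a packet matching no entry is dropped."""
    for _, acl, action in VLAN_MAP:
        if acl_permits(acl, src, dst):
            return action
    return "drop"

def vacl_action(src: str, dst: str, filtered_vlans) -> str:
    # The map applies to traffic bridged within, or routed into or out of, every
    # VLAN in the 'vlan filter' list, so it runs if ingress or egress VLAN is filtered.
    if {vlan_of(src), vlan_of(dst)} & set(filtered_vlans):
        return map_decision(src, dst)
    return "forward"

def check_policy(filtered_vlans=range(10, 31)) -> dict:
    # Constructed sample flows (not traffic from the thread): inter-VLAN, to the
    # firewall on VLAN 2, to the Internet, host-to-host inside VLAN 10, host-to-SVI.
    flows = [("10.0.10.5", "10.0.20.5"), ("10.0.20.5", "10.0.30.5"), ("10.0.10.5", "10.10.10.2"),
             ("10.0.10.5", "198.51.100.7"), ("10.0.10.5", "10.0.10.6"), ("10.0.10.5", "10.0.10.1")]
    return {f: vacl_action(*f, filtered_vlans) for f in flows}
```

Call check_policy() for the original "vlan-list 10-30" filter and check_policy([10]) for the follow-up variant; the two intra-VLAN 10 flows come back as "drop" in both, which is worth knowing before deploying the map on a VLAN where hosts must reach each other or ping their gateway.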
01-27-2012 07:39 AM
Imagine you have two layer 3 VLANs as below and you need to prevent inter-VLAN routing between them.
You can use ACLs to serve the purpose.
Example:
!
interface Vlan10
 ip address 10.0.1.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan20
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
!
CSC#sh access-list 101
Extended IP access list 101
    10 deny ip any 10.0.1.0 0.0.0.255
    20 permit ip any any
CSC#sh access-list 102
Extended IP access list 102
    10 deny ip any 10.0.0.0 0.0.0.255
    20 permit ip any any
01-27-2012 05:16 PM
I think a simple way would have been to use pruning of VLANs, so they won't be forwarded across trunks.
01-27-2012 08:26 PM
One more option is to block the SVI interfaces for particular VLANs and also have a trunk to an ASA. In that case traffic from one VLAN would simply be switched to the ASA, which you can make your default gateway, and it will then do the routing like a router on a stick.
The other thing is that even with the SVI enabled, if a host sends a packet to the default gateway within the VLAN, which is the ASA IP address in that VLAN, then the switch will not do inter-VLAN routing but will switch the traffic to the ASA based on its MAC. It is the ASA that will then do L3 routing based on the destination IP and forward the packet out on the correct destination VLAN. Thus, if all your hosts are correctly set up with the ASA IP as default gateway, I don't see any reason for changes.
Nik