How to disable routing between vlans for 2 vlans

etiennevella
Level 1

Hi,

I have a layer 3 switch and I enabled IP routing on it. Now I wish that 2 VLANs don't route between them and the traffic is automatically forwarded to the gateway. Is this possible?

Thanks

Etienne

2 Accepted Solutions: the replies from rizwanr74 and Neeraj Arora below.


ebarticel
Level 4

What is the gateway? A router?

Glenn Matthys
Level 1

Could you elaborate why you would want to do this? What is the specific problem you are trying to solve?

rizwanr74
Level 7

Sure, you can disable inter-VLAN routing between two VLANs.

It is called a VLAN access-map; follow the example shown below.

interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description VLAN connected to Firewall for accessing Internet.
 ip address 10.10.10.1 255.255.255.252
!
interface Vlan10
 description User one
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description User two
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 description Users three
 ip address 10.0.30.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
ip access-list standard INTERNET
 permit any
!
ip access-list extended DENY-INTERNAL
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
!
vlan access-map RIZ-VLAN-MAP 10
 action drop
 match ip address DENY-INTERNAL
vlan access-map RIZ-VLAN-MAP 20
 action forward
 match ip address INTERNET
!
vlan filter RIZ-VLAN-MAP vlan-list 10-30

In this example, users on the three VLANs 10, 20 and 30 can access only VLAN 2, which is the Internet-facing VLAN, and there is no access between VLANs 10, 20 and 30.

Hope this helps.

Thanks

Rizwan Rafeek

Thanks for your answer. Then if I need communication between VLANs, is it possible to route traffic to the gateway and then have the gateway route the traffic back to the router? Basically the gateway is an ASA and I would like to control access with a firewall even between VLANs. Because of design issues I can't place the VLAN interfaces directly on the ASA.

Thanks

Etienne

Yes, you can, but this would require additional configuration on the ASA, as this would need U-turning of traffic coming from the inside interface back out through the same interface.

"control access with a firewall even between vlans."

This will complicate your firewall configuration, as this will require NAT between interface VLANs on the firewall for you to control access between VLANs.

So, stick with controlling inter-VLAN traffic on your L3 switch itself.

Thanks

Rizwan Rafeek

"Then if I need communication between vlans is it possible to route traffic to the gateway then the gateway routes the traffic back to the router."

Sure, you can enable it again when you want to route inter-VLAN traffic between two VLANs.

The VLAN filter is applied by this particular command: "vlan filter RIZ-VLAN-MAP vlan-list 10-30"

In this example all three VLANs cannot access each other.

However, if you want to enable traffic between two VLANs, then remove those VLANs from the filter; example below.

vlan filter RIZ-VLAN-MAP vlan-list 10

As you can see now, traffic will flow between VLAN 20 and VLAN 30 (i.e. inter-VLAN routing is enabled), however VLAN 10 can only access VLAN 2, which faces the firewall, for Internet access only.

Hope that helps.

Thanks

Rizwan Rafeek

Vishnu Asok
Cisco Employee

Imagine you have two layer 3 VLANs as below and you need to prevent inter-VLAN routing between them.

You can use ACLs to serve the purpose.

Example:

!
interface Vlan10
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.0.2 255.255.255.0
!

With the ACLs applied inbound on each SVI:

interface Vlan10
 ip address 10.0.1.1 255.255.255.0
 ip access-group 102 in
end

Current configuration : 83 bytes
!
interface Vlan20
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
end

CSC#sh access-list 101
Extended IP access list 101
    10 deny ip any 10.0.1.1 0.0.0.255
    20 permit ip any any
CSC#sh access-list 102
Extended IP access list 102
    10 deny ip any 10.0.0.1 0.0.0.255
    20 permit ip any any
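The two mechanisms in this thread, Rizwan's VACL and Vishnu's router ACL, behave differently on traffic that stays inside a VLAN. The Python model below is an added example (not from the thread or from Cisco) that evaluates both policies, transcribed from the posts above, over constructed flows. It shows the check a practitioner should run before deploying the VACL: because DENY-INTERNAL matches 10.0.0.0/16 to 10.0.0.0/16 and a VACL filters bridged frames as well as routed packets, the map as written also drops traffic between two hosts in the same VLAN, while the router ACL on the SVI only sees routed traffic.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set in the wildcard are don't-care bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_eval(acl, src, dst):
    """Extended ACL: first matching entry wins, implicit deny at the end."""
    for action, sbase, swc, dbase, dwc in acl:
        if wc_match(src, sbase, swc) and wc_match(dst, dbase, dwc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# Rizwan's VACL, transcribed from the thread. INTERNET is a standard ACL
# ('permit any'), modelled here as any source to any destination.
DENY_INTERNAL = [("permit", "10.0.0.0", "0.0.255.255", "10.0.0.0", "0.0.255.255")]
INTERNET = [("permit", *ANY, *ANY)]
RIZ_VLAN_MAP = [("drop", DENY_INTERNAL), ("forward", INTERNET)]  # sequences 10, 20

def vacl_eval(vlan_map, src, dst):
    """A VACL is applied to every packet in the VLAN, bridged or routed;
    a packet that matches no access-map sequence is dropped."""
    for action, acl in vlan_map:
        if acl_eval(acl, src, dst) == "permit":
            return action
    return "drop"

# Vishnu's router ACL 102, applied 'in' on the Vlan10 SVI (subnet 10.0.1.0/24).
ACL_102 = [("deny", *ANY, "10.0.0.1", "0.0.0.255"), ("permit", *ANY, *ANY)]

def racl_eval(acl, src, dst, routed):
    """A router ACL on an SVI inspects only traffic routed through that SVI;
    frames bridged between hosts in the same VLAN never reach it."""
    return acl_eval(acl, src, dst) if routed else "permit"

def compare():
    """Constructed flows (not from the thread): the same three cases per mechanism."""
    return {
        "vacl_to_vlan20": vacl_eval(RIZ_VLAN_MAP, "10.0.10.5", "10.0.20.5"),
        "vacl_to_internet": vacl_eval(RIZ_VLAN_MAP, "10.0.10.5", "203.0.113.9"),
        "vacl_same_vlan": vacl_eval(RIZ_VLAN_MAP, "10.0.10.5", "10.0.10.6"),
        "racl_to_vlan20": racl_eval(ACL_102, "10.0.1.5", "10.0.0.5", routed=True),
        "racl_to_internet": racl_eval(ACL_102, "10.0.1.5", "203.0.113.9", routed=True),
        "racl_same_vlan": racl_eval(ACL_102, "10.0.1.5", "10.0.1.6", routed=False),
    }
```

Run `compare()` to see that the VACL drops the same-VLAN flow (and would equally drop pings to the 10.0.10.1 gateway address), so a deployment that needs host-to-host traffic inside a VLAN has to narrow DENY-INTERNAL to the other VLANs' subnets.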

Neeraj Arora
Level 3

You can use Policy Based Routing, which CAN forcefully send all the traffic reaching the VLAN interfaces to the gateway.

Eg:

10.170.10.10 is the gateway IP.

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
!
route-map vlan500 permit 10
 match ip address 100
 set ip next-hop 10.170.10.10
!
route-map vlan600 permit 10
 match ip address 110
 set ip next-hop 10.170.10.10
!
interface Vlan500
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map vlan500
!
interface Vlan600
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map vlan600

Hope it helps

Neeraj
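As an added example (not from the thread or from Cisco), the Python model below walks Neeraj's PBR configuration for a packet entering an SVI: the route-map is consulted before the routing table, so a packet from 192.168.1.0/24 bound for the directly connected 172.16.1.0/24 is handed to the gateway instead of being routed locally. The flows are constructed; the model does not include the next-hop reachability check that real PBR performs. Two things worth verifying on a live box are visible here: the route-maps match on source only, so a packet whose source is outside ACL 100 falls through to ordinary routing (match `any` if every packet on the SVI is meant to be redirected), and, as Rizwan notes above, the gateway must be willing to send the traffic back out the interface it came in on.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set in the wildcard are don't-care bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Transcribed from Neeraj's post: source-matching ACLs, one route-map per SVI,
# both setting the next hop to the gateway 10.170.10.10.
GATEWAY = "10.170.10.10"
ACL = {100: ("192.168.1.0", "0.0.0.255"), 110: ("172.16.1.0", "0.0.0.255")}
ROUTE_MAP = {"vlan500": [("permit", 100, GATEWAY)],
             "vlan600": [("permit", 110, GATEWAY)]}
IP_POLICY = {500: "vlan500", 600: "vlan600"}      # 'ip policy route-map' per SVI
CONNECTED = {500: ipaddress.ip_network("192.168.1.0/24"),
             600: ipaddress.ip_network("172.16.1.0/24")}

def table_lookup(dst):
    """Ordinary destination-based forwarding: connected subnet or default route."""
    ip = ipaddress.ip_address(dst)
    for vlan, net in CONNECTED.items():
        if ip in net:
            return f"routed directly into Vlan{vlan}"
    return "default route"

def forward(ingress_vlan, src, dst):
    """Decision for a packet entering an SVI. PBR runs before the routing
    table: a packet matching a permit clause goes to the 'set ip next-hop'
    address even when the destination is a directly connected VLAN. Packets
    matching no clause, or entering an SVI without 'ip policy', use the table."""
    for action, acl_no, next_hop in ROUTE_MAP.get(IP_POLICY.get(ingress_vlan), []):
        base, wc = ACL[acl_no]
        if action == "permit" and wc_match(src, base, wc):
            return f"next-hop {next_hop}"
    return table_lookup(dst)

def demo():
    """Constructed flows (not from the thread)."""
    return {
        # vlan500 host to vlan600 host: sent to the gateway, not routed locally
        "v500_to_v600": forward(500, "192.168.1.10", "172.16.1.10"),
        "v500_to_internet": forward(500, "192.168.1.10", "203.0.113.9"),
        # a source outside ACL 100 on vlan500 falls through to the routing table
        "v500_other_src": forward(500, "10.9.9.9", "172.16.1.10"),
        # a hypothetical SVI (vlan 700) without 'ip policy' is never policy-routed
        "v700_no_policy": forward(700, "10.7.7.7", "172.16.1.10"),
    }
```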

I think a simple way would have been to use pruning of VLANs, and they won't be forwarded across trunks.

One more option is to block SVI interfaces for particular VLANs, and also have a trunk to an ASA. In that case traffic from one VLAN would simply be switched to the ASA, which you can make your default gateway. It will then do routing like a router on a stick.

The other thing is that even with the SVI enabled, if a host sends a packet to its default gateway within the VLAN, which is the ASA's IP address in that VLAN, then the switch will not do inter-VLAN routing but will switch the traffic to the ASA based on its MAC. It is the ASA that will then do L3 routing based on the destination IP and forward the packet out into the correct destination VLAN. Thus if all your hosts are correctly set up with the ASA IP as the default gateway, I don't see any reason for changes.

Nik

HTH,
Niko