cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Popup Hotspot Using ISR 1000 with WiFi/LTE for Teleworkers and Micro Branchesr
354
Views
10
Helpful
5
Replies
Highlighted
Beginner

Inhibit vlan routing

Hi all,

I would like to ask you if it's possibile to block routing between some Vlan for just once of them.

Maybe I can explain better:

I've got a Cisco 6509 with 4 configured vlan interfaces

Int Vlan 10  10.10.1.0/24

Int Vlan 20  10.10.2.0/24

Int Vlan 30  10.10.3.0/24

Int Vlan 40  10.10.4.0/24

Vlan "10" is the phone voip Vlan and it must not talk with the others Vlan.

The others Vlan can comunicate normally except with Vlan "10".

Pratically Vlan "10" needs to be isolated from the others.

This equirement comes becouse Vlan 10 is wireless and has the WEP key encryption (very weak protocol). Some Phone couldn't support the WPA2 key and I need to avoid an unauthorized external client, cracking the WEP key and connecting to this WiFi, could have free access to the others Vlan.

Thanks in advance

Bye Fabio.

Everyone's tags (4)
5 REPLIES 5
Highlighted
Advisor

Inhibit vlan routing

You can put an acl on the vlan 10 interface:

access-list 140 deny ip 10.10.4.0 0.0.0.255 10.10.1.0 0.0.0.255

access-list 140 deny ip 10.10.4.0 0.0.0.255 10.10.2.0 0.0.0.255

access-list 140 deny ip 10.10.4.0 0.0.0.255 10.10.3.0 0.0.0.255

access-list 140 permit ip any any

int vlan 40

ip access-group 140 in

If you wanted to get more granular, you could also do this across your other interfaces like:

access-list 110 deny ip 10.10.1.0 0.0.0.255 10.10.40.0 0.0.0.255

access-list 110 permit ip any any

int vlan 10

ip access-group 110 in

Do this for the other 20 and 30 vlans...

HTH,

John

HTH, John *** Please rate all useful posts ***
Highlighted
Rising star

Re: Inhibit vlan routing

Hi,

You have two options here:

1. You can configure ACL and put it on VLAN 10 interface:

ip access-list extended 101

deny ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0

deny ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0

deny ip 10.10.1.0 255.255.255.0 10.10.4.0 255.255.255.0

permit ip any any

int vlan 10

ip access-group 101 in

2. Or configure VACL on 20,30,40 VLANs:

ip access-list extended 102

permit ip 10.10.0.0 255.255.0.0 10.10.1.0 255.255.255.0

vlan access-map VLAN_10 10

match ip address 102

action drop

vlan access-map VLAN_10 20

action forward

vlan filter VLAN_10 vlan-list 20,30,40

And verify it:

sh vlan access-map

Please rate helpful posts.

Best regards,
Abzal
Highlighted
Beginner

Inhibit vlan routing

Hi all,

thanks for your answers.

I would like to ask you some questions:

1. In this way the WWW access will be blocked too?

the Gig0/1 on the 6500 device is connected to a FW with a point-to-point.

configuration 6500

......

int Vlan 100

desc --- link inside FW

ip add 10.10.100.2 255.255.255.252

.....

ip route 0.0.0.0 0.0.0.0 10.10.100.1

......

2. Using these ACL may result to some loss of performance for the phones?

3. Is the a way to inhibit the Vlan routing without using the ACL? This becouse the number of the Vlan will increase periodically.

Thanks.

Bye Fabio.

Highlighted
Rising star

Inhibit vlan routing

1. Yes, in this way all IP and WWW communication between VLAN 10 <--> VLAN 20/30/40 will be blocked.

2. I don't think that there will be perfomance loss, I have on my  network 3750 with a lot of ACL configured between VLANs and it's fine.

3.  For this I think you can build separate routing tables so that  different sets of SVI interfaces route between them you should use VRF  lite.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/15.02SG/configuration/guide/vrf.html

Best regards,
Abzal
Highlighted
Beginner

Inhibit vlan routing

Hi all,

thanks for your answers.

CreatePlease to create content
Content for Community-Ad