Inhibit vlan routing

fabioragazzo
Level 1

Hi all,

I would like to ask you if it's possible to block routing between some VLANs for just one of them.

Maybe I can explain better:

I've got a Cisco 6509 with 4 configured VLAN interfaces:

Int Vlan 10  10.10.1.0/24
Int Vlan 20  10.10.2.0/24
Int Vlan 30  10.10.3.0/24
Int Vlan 40  10.10.4.0/24

VLAN "10" is the VoIP phone VLAN and it must not talk with the other VLANs.

The other VLANs can communicate normally, except with VLAN "10".

Practically, VLAN "10" needs to be isolated from the others.

This requirement comes because VLAN 10 is wireless and uses WEP key encryption (a very weak protocol). Some phones don't support WPA2 keys, and I need to prevent an unauthorized external client that cracks the WEP key and connects to this WiFi from having free access to the other VLANs.

Thanks in advance

Bye Fabio.

5 Replies

John Blakley
VIP Alumni

You can put an acl on the vlan 10 interface:

access-list 140 deny ip 10.10.4.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 140 deny ip 10.10.4.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 140 deny ip 10.10.4.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 140 permit ip any any

int vlan 40
 ip access-group 140 in

If you wanted to get more granular, you could also do this across your other interfaces like:

access-list 110 deny ip 10.10.1.0 0.0.0.255 10.10.4.0 0.0.0.255
access-list 110 permit ip any any

int vlan 10
 ip access-group 110 in

Do this for the other 20 and 30 vlans...

HTH,

John

Abzal
Level 7

Hi,

You have two options here:

1. You can configure an ACL and put it on the VLAN 10 interface (IOS extended ACLs take wildcard masks, so /24 is written 0.0.0.255):

ip access-list extended 101
 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 deny ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
 deny ip 10.10.1.0 0.0.0.255 10.10.4.0 0.0.0.255
 permit ip any any

int vlan 10
 ip access-group 101 in

2. Or configure a VACL on VLANs 20, 30 and 40:

ip access-list extended 102
 permit ip 10.10.0.0 0.0.255.255 10.10.1.0 0.0.0.255

vlan access-map VLAN_10 10
 match ip address 102
 action drop
vlan access-map VLAN_10 20
 action forward

vlan filter VLAN_10 vlan-list 20,30,40

And verify it:

sh vlan access-map

Please rate helpful posts.

Best regards,
Abzal

Hi all,

thanks for your answers.

I would like to ask you some questions:

1. Will WWW access be blocked too in this way?

Gig0/1 on the 6500 is connected to a FW with a point-to-point link.

6500 configuration:

......
int Vlan 100
 desc --- link inside FW
 ip add 10.10.100.2 255.255.255.252
.....
ip route 0.0.0.0 0.0.0.0 10.10.100.1
......

2. Could using these ACLs result in some loss of performance for the phones?

3. Is there a way to inhibit VLAN routing without using ACLs? This is because the number of VLANs will increase periodically.

Thanks.

Bye Fabio.

1. Yes, in this way all IP and WWW communication between VLAN 10 <--> VLAN 20/30/40 will be blocked.

2. I don't think there will be a performance loss; I have a 3750 on my network with a lot of ACLs configured between VLANs and it's fine.

3. For this I think you can build separate routing tables so that different sets of SVI interfaces route between themselves; you should use VRF Lite.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/15.02SG/configuration/guide/vrf.html

Best regards,
Abzal
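Added example, not code from this thread: a small Python model of IOS wildcard-mask ACL evaluation run against ACL 101 from the first option above. It checks that phone traffic toward VLAN 20/30/40 is dropped while traffic toward the firewall link and a default-route destination (question 1) still passes, and it shows why a subnet mask typed in the wildcard position does not isolate anything. The host addresses and 203.0.113.10 are constructed.

```python
import ipaddress

# Constructed sample: the thread's ACL 101 (inbound on SVI VLAN 10) as a list of entries.
# Entry layout: (action, source network, source wildcard, destination network, destination wildcard)
ACL_101 = [
    ("deny",   "10.10.1.0", "0.0.0.255",       "10.10.2.0", "0.0.0.255"),
    ("deny",   "10.10.1.0", "0.0.0.255",       "10.10.3.0", "0.0.0.255"),
    ("deny",   "10.10.1.0", "0.0.0.255",       "10.10.4.0", "0.0.0.255"),
    ("permit", "0.0.0.0",   "255.255.255.255", "0.0.0.0",   "255.255.255.255"),  # permit ip any any
]

# Same intent typed with subnet masks where IOS expects wildcard masks (a common slip; constructed).
ACL_101_WRONG_MASKS = [
    ("deny",   "10.10.1.0", "255.255.255.0",   "10.10.2.0", "255.255.255.0"),
    ("deny",   "10.10.1.0", "255.255.255.0",   "10.10.3.0", "255.255.255.0"),
    ("deny",   "10.10.1.0", "255.255.255.0",   "10.10.4.0", "255.255.255.0"),
    ("permit", "0.0.0.0",   "255.255.255.255", "0.0.0.0",   "255.255.255.255"),
]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care' for that bit."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def isolation_report(acl) -> dict:
    """Sample flows entering SVI VLAN 10 from a phone at 10.10.1.7 (constructed addresses)."""
    flows = {
        "phone -> VLAN 20 host":  ("10.10.1.7", "10.10.2.25"),
        "phone -> VLAN 40 host":  ("10.10.1.7", "10.10.4.9"),
        "phone -> FW link":       ("10.10.1.7", "10.10.100.1"),   # next hop of the default route
        "phone -> internet host": ("10.10.1.7", "203.0.113.10"),  # reached via the default route
    }
    return {name: evaluate(acl, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for label, acl in (("wildcard masks", ACL_101), ("subnet masks", ACL_101_WRONG_MASKS)):
        print(label, isolation_report(acl))
```

The inbound ACL on SVI 10 only evaluates packets sourced in VLAN 10, so a VLAN 20 host initiating toward a phone is not covered by it; that direction needs a deny on the other SVIs (John's per-interface variant) or the VACL in option 2.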

Hi all,

thanks for your answers.