I would like to ask you if it's possibile to block routing between some Vlan for just once of them.
Maybe I can explain better:
I've got a Cisco 6509 with 4 configured vlan interfaces
Int Vlan 10 10.10.1.0/24
Int Vlan 20 10.10.2.0/24
Int Vlan 30 10.10.3.0/24
Int Vlan 40 10.10.4.0/24
Vlan "10" is the phone voip Vlan and it must not talk with the others Vlan.
The others Vlan can comunicate normally except with Vlan "10".
Pratically Vlan "10" needs to be isolated from the others.
This equirement comes becouse Vlan 10 is wireless and has the WEP key encryption (very weak protocol). Some Phone couldn't support the WPA2 key and I need to avoid an unauthorized external client, cracking the WEP key and connecting to this WiFi, could have free access to the others Vlan.
Thanks in advance
You can put an acl on the vlan 10 interface:
access-list 140 deny ip 10.10.4.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 140 deny ip 10.10.4.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 140 deny ip 10.10.4.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 140 permit ip any any
int vlan 40
ip access-group 140 in
If you wanted to get more granular, you could also do this across your other interfaces like:
access-list 110 deny ip 10.10.1.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 110 permit ip any any
int vlan 10
ip access-group 110 in
Do this for the other 20 and 30 vlans...
You have two options here:
1. You can configure ACL and put it on VLAN 10 interface:
ip access-list extended 101
deny ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
deny ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
deny ip 10.10.1.0 255.255.255.0 10.10.4.0 255.255.255.0
permit ip any any
int vlan 10
ip access-group 101 in
2. Or configure VACL on 20,30,40 VLANs:
ip access-list extended 102
permit ip 10.10.0.0 255.255.0.0 10.10.1.0 255.255.255.0
vlan access-map VLAN_10 10
match ip address 102
vlan access-map VLAN_10 20
vlan filter VLAN_10 vlan-list 20,30,40
And verify it:
sh vlan access-map
Please rate helpful posts.
thanks for your answers.
I would like to ask you some questions:
1. In this way the WWW access will be blocked too?
the Gig0/1 on the 6500 device is connected to a FW with a point-to-point.
int Vlan 100
desc --- link inside FW
ip add 10.10.100.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.10.100.1
2. Using these ACL may result to some loss of performance for the phones?
3. Is the a way to inhibit the Vlan routing without using the ACL? This becouse the number of the Vlan will increase periodically.
1. Yes, in this way all IP and WWW communication between VLAN 10 <--> VLAN 20/30/40 will be blocked.
2. I don't think that there will be perfomance loss, I have on my network 3750 with a lot of ACL configured between VLANs and it's fine.
3. For this I think you can build separate routing tables so that different sets of SVI interfaces route between them you should use VRF lite.