cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
612
Views
0
Helpful
10
Replies
seanmitch
Beginner

InterVLAN Routing but only between certain VLANs

I have 4 VLANs:

10 - Wired Clients

11 - Wired Infrastructure

20 - Wireless Clients

21 - Wireless Guests

 

I need 21 to be isolated, and 10, 11, and 20 need to be able to speak with one another. All other traffic must exit the system on G0/48 which is VLAN 10. I think I will convert this however to VLAN 1 and make VLAN 1 be the full uplink.

 

Thanks,

Sean

 

PS:

IOS 15.X.X

2960G-TC-L

10 REPLIES 10
Francesco Molino
VIP Mentor

Hi

You can achieve this in multiple ways. The simplest one would vrf for this vlan 21.
Or you can use an acl to filter communications between this vlan and others.

Can you share some details on how upstream device is connected to this core? Is it layer 2 or layer 3?
What type of service is the upstream device?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Its Layer 3 and port 48 is just an upstream to a generic router so I have to route and manage these VLANs inside of the switch.

Ok then do ACLs.
Your acl you be:
- allow vlan 21 to your next hop, dns and/or dhcp if needed (depending which device is assigning ip for guest and who's acting as dns servers for guest vlan).
- deny rfc1918 subnets (all privates)
- allow any for internet

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

But how would I then allow VLAN 10 to speak with 20 and could you give an example of the ACL?

Hi,

I am sharing an example where communication is not allowed between VLAN 2 and VLAN 3.

 

interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255  
!
access-list 102 permit ip any any
!
vlan access-map test 10
 match ip address 101
 action drop

!
vlan access-map test 20
 match ip address 102
 action forward
!
vlan filter test vlan-list 2

! (ACL applied on VLAN 2)

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

So that example right there would allow for VLAN 2 & 3 to speak to anything anywhere, but 20 is restricted?

Hi

No.. In the above example, ACL 101 has been dropped in the VLAN access map test (10). Means any Traffic between LAN 2 and Lan 3 are blocked in access map.

 

Final result: VLAN 2 and VLAN 3 will not communicate with each other. All other traffic will flow without any restriction. 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

There are different solutions.

What @Deepak Kumar said is one of them.

 

There is also R-ACL that will looks like:

Let's assume your vlan 21 is 192.168.21.0/24 and your gateway to reach internet is 192.168.10.1.

 

Ip access-list extended GUEST

 permit ip 192.168.21.0 0.0.0.255 host 192.168.10.1

 deny ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255

 Deny ip 192.168.21.0 0.0.0.255 172.16.0.0 0.15.255.255

 deny ip 192.168.21.0 0.0.0.255 10.0.0.0 0.255.255.255

 permit ip 192.168.21.0 0.0.0.255 any

 

Interface vlan 21

  ip access-group GUEST IN

 

This will deny guest to reach any rfc1918 subnets and allow to access anything else (internet)


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

So, does that mean at this moment that all VLANs can talk to one another?

Yes except the guest as you wanted to not being able to communicate with others

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question