07-07-2018 05:48 PM - edited 03-08-2019 03:36 PM
I have 4 VLANs:
10 - Wired Clients
11 - Wired Infrastructure
20 - Wireless Clients
21 - Wireless Guests
I need 21 to be isolated, and 10, 11, and 20 need to be able to speak with one another. All other traffic must exit the system on G0/48 which is VLAN 10. I think I will convert this however to VLAN 1 and make VLAN 1 be the full uplink.
Thanks,
Sean
PS:
IOS 15.X.X
2960G-TC-L
07-07-2018 08:20 PM
07-07-2018 08:21 PM
It's Layer 3 and port 48 is just an upstream to a generic router, so I have to route and manage these VLANs inside of the switch.
07-07-2018 08:28 PM
07-07-2018 08:29 PM
But how would I then allow VLAN 10 to speak with 20 and could you give an example of the ACL?
07-07-2018 11:06 PM
Hi,
I am sharing an example where communication is not allowed between VLAN 2 and VLAN 3.
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
access-list 102 permit ip any any
!
vlan access-map test 10
match ip address 101
action drop
!
vlan access-map test 20
match ip address 102
action forward
!
vlan filter test vlan-list 2
! (ACL applied on VLAN 2)
Regards,
Deepak Kumar
07-07-2018 11:15 PM
So that example right there would allow for VLAN 2 & 3 to speak to anything anywhere, but 20 is restricted?
07-08-2018 04:11 AM - edited 07-09-2018 02:34 AM
Hi
No. In the above example, ACL 101 is dropped in the VLAN access map test (10). This means any traffic between VLAN 2 and VLAN 3 is blocked in the access map.
Final result: VLAN 2 and VLAN 3 will not communicate with each other. All other traffic will flow without any restriction.
Regards,
Deepak Kumar
07-08-2018 04:49 AM
There are different solutions.
What @Deepak Kumar said is one of them.
There is also an R-ACL, which will look like this:
Let's assume your vlan 21 is 192.168.21.0/24 and your gateway to reach internet is 192.168.10.1.
ip access-list extended GUEST
permit ip 192.168.21.0 0.0.0.255 host 192.168.10.1
deny ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.21.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.21.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.21.0 0.0.0.255 any
interface vlan 21
ip access-group GUEST in
This will deny guests from reaching any RFC 1918 subnets and allow them to access anything else (internet).
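Adapting the R-ACL approach above to the original poster's four VLANs, as an added example that is not part of the thread. It assumes VLAN N uses 192.168.N.0/24, the 2960 itself is 192.168.10.2 in the uplink VLAN, and the upstream router at 192.168.10.1 has return routes (or NAT) for the 11, 20 and 21 subnets; all addresses are assumed.

```cisco
! Added example, not from the thread. Assumed addressing: VLAN N = 192.168.N.0/24,
! this 2960 is 192.168.10.2, the upstream router behind Gi0/48 is 192.168.10.1.
! On a 2960 LAN Base image static inter-VLAN routing needs this SDM template
! if it is not already active (takes effect after a reload).
sdm prefer lanbase-routing
!
ip routing
!
! VLANs 10, 11 and 20 need no ACL: once the SVIs are up they route to each other freely.
interface Vlan10
 description Wired Clients / uplink toward the router
 ip address 192.168.10.2 255.255.255.0
!
interface Vlan11
 description Wired Infrastructure
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan20
 description Wireless Clients
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan21
 description Wireless Guests - isolated
 ip address 192.168.21.1 255.255.255.0
 ip access-group GUEST in
!
! Everything not local is handed to the upstream router
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
! Order matters: the permits for the two gateway addresses must come before
! the 192.168.0.0/16 deny, or that deny would swallow them.
ip access-list extended GUEST
 remark guests may talk to their own SVI (DHCP relay, ping to the gateway)
 permit ip 192.168.21.0 0.0.0.255 host 192.168.21.1
 remark guests may reach the upstream router only, not the rest of VLAN 10
 permit ip 192.168.21.0 0.0.0.255 host 192.168.10.1
 remark block every RFC 1918 range, which covers VLANs 10, 11 and 20
 deny   ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.21.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.21.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark anything else is the internet
 permit ip 192.168.21.0 0.0.0.255 any
!
! Verify from enable mode: hit counters on the deny lines show guest attempts
! to cross into 10/11/20.
! show ip access-lists GUEST
```

If the guests' path to the internet is a different device than 192.168.10.1, substitute that address in the second permit; the deny lines stay the same.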
07-08-2018 11:37 AM
So, does that mean at this moment that all VLANs can talk to one another?
07-09-2018 10:06 PM