Limiting Inter-vlan routing

Bobby P
Level 1

We have been working on setting up vlans to divide our network up. On our Catalyst 9300 switch I have 5 vlans created and 5 SVIs for routing between vlans. All our endpoints are connected to Meraki switches. The Director of IT wants to control at the port level which vlans an endpoint can connect to.


Example: vlan 101 is where management access is set up to connect to different endpoints like our SAN web GUI or switch web GUIs.

Vlan 110 is for servers, 120 printers, and 130 desktops. On the port the endpoint is connected to, such as a PC, he wants to allow access to vlans 110, 120, and 130 for most users. For admins they would also need access to 101.

How can we control inter-vlan access at the switch port?

Accepted Solution

Hello

So you wish for users in vlans 110, 120 and 130 not to be able to access vlan 101, but allow vlan 101 to be able to access vlans 110, 120 and 130? If so, you could apply a RACL on vlan 101 to allow TCP established connections into vlan 101 but deny any TCP initiation from the other vlans:

ip access-list extended Vl101
 permit tcp 110.110.110.0 0.0.0.255 any established
 deny tcp 110.110.110.0 0.0.0.255 any
 permit tcp 120.120.120.0 0.0.0.255 any established
 deny tcp 120.120.120.0 0.0.0.255 any
 permit tcp 130.130.130.0 0.0.0.255 any established
 deny tcp 130.130.130.0 0.0.0.255 any
 permit ip any any

interface vlan 101
 ip access-group Vl101 out


Note: this will only negate TCP, not UDP.



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
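As an added illustration (not part of Paul's reply or any Cisco tooling), here is a small Python model of first-match ACL evaluation run over the access list above with constructed packets. It shows a new TCP connection from vlan 110 being denied, the ACK-bearing return segment permitted, and the UDP/ICMP gap that the note warns about; the function names and sample addresses are my own assumptions.

```python
# Added example: evaluate the Vl101 RACL from the reply against constructed packets.
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & (0xFFFFFFFF ^ w)) == 0

# The ACL from the reply as (action, protocol, source, wildcard, established).
# Every ACE has destination "any", so the destination is not modelled.
VL101_ACL = [
    ("permit", "tcp", "110.110.110.0", "0.0.0.255", True),
    ("deny",   "tcp", "110.110.110.0", "0.0.0.255", False),
    ("permit", "tcp", "120.120.120.0", "0.0.0.255", True),
    ("deny",   "tcp", "120.120.120.0", "0.0.0.255", False),
    ("permit", "tcp", "130.130.130.0", "0.0.0.255", True),
    ("deny",   "tcp", "130.130.130.0", "0.0.0.255", False),
    ("permit", "ip",  "0.0.0.0",       "255.255.255.255", False),
]

def evaluate(acl, proto: str, src: str, tcp_flags=frozenset()) -> str:
    """First matching ACE wins. 'established' matches only TCP segments that
    carry ACK or RST; a packet matching no ACE hits the implicit deny."""
    for action, ace_proto, net, wc, established in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if not wildcard_match(src, net, wc):
            continue
        if established and not (set(tcp_flags) & {"ACK", "RST"}):
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    # Constructed flows leaving interface vlan 101 (i.e. heading into vlan 101).
    print(evaluate(VL101_ACL, "tcp", "110.110.110.5", {"SYN"}))  # deny: new session
    print(evaluate(VL101_ACL, "tcp", "110.110.110.5", {"ACK"}))  # permit: return traffic
    print(evaluate(VL101_ACL, "udp", "130.130.130.9"))           # permit: the UDP gap
    print(evaluate(VL101_ACL, "icmp", "120.120.120.7"))          # permit: ICMP also passes
```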
