Thanks Paul. Yes, i want to prohibit communication between all these vlans apart from 2 of them.

Till now all vlans have propegrated throughout the campus & each access switch is there just one vlan and associated hosts for that vlan. There is also a vlan for managing the access switches. All Access switches are connected from Distribution Switches & there is Layer 2 link.

Please help me regarding this. Again thanks.

Regards,

Sadia

Paul, Do you want to say in Vlan interfaces, i will do this? 

I have already done this in interface of core which is connected to distribution by Trunk, These vlans are created in this Distribution Switch:

interface GigabitEthernet2/1

description *******Core Sw 1 to Distribution Sw 1********

switchport trunk allowed vlan 1-11,51-100,111,117-189,191-203,207-4094

switchport mode trunk

But it didnot work, i got ping from alll other vlans which are not included in this allowed vlan.

Regards,

Sadia

Hello Sadia,

In this thread is solved same issue as you have. I think it is very elegant solution.

https://supportforums.cisco.com/thread/2128202

Best Regards

Please rate all helpful posts and close solved questions

Hi Grana, Thanks a lot for your support. I have already applied your suggested thread, but when configuring the process, i am facing some problems.

Intervlan routing has stopped but cannot ping each other in same network, can get internet only. I need every vlan can communicate between itself bt cant get  others. I have also 2 vlans which should be communicate with all vlans. I have about 70 vlans, so it has become really tough.

Please give me suggestion, how can i do this.

Hello

I think link which I provided to you is good example how to accomplish what are you trying to do. So please read it for more detail.

Lets say that you have 70 VLANs [Vlan 1 - 70] and prefix for each VLAN is 10.0.xxx.0/24 where xxx is number of VLAN, so VLAN 9 has subnet 10.0.9.0/24.

You want to disable intervlan routing except VLANs 25 and 49 which will have access to everywhere and all VLANs will have access to internet.

Configuration:

ip access-list extended INTERNET

permit ip 10.0.0.0 0.0.255.255 any

ip access-list extended PERMIT-INTERVLAN

permit ip 10.0.25.0 0.0.0.255 any
permit ip 10.0.49.0 0.0.0.255 any

ip access-list extended DENY-INTERVLAN

permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

vlan access-map RIZ-VLAN-MAP 10

action forward

match ip address PERMIT-INTERVLAN

vlan access-map RIZ-VLAN-MAP 20

action drop

match ip address DENY-INTERNAL

vlan access-map RIZ-VLAN-MAP 30

action forward

match ip address INTERNET

vlan filter RIZ-VLAN-MAP vlan-list 1-70

Best Regards

Please rate all helpful posts and close solved questions

Hi,  Thread which you discussing that link (url) is not working. Can you please post here.

Hello

Then a RACL's on the SVi's should do it, the logic of the SVI regards access-list  is as follows:

OUT = traffic originating from outside vlan 
IN = traffic originating from inside the vlan

Example: 

Vlan5 - Vlan 10 to be able to speak to each other

all other vlans to be denied communication between each other.

Vlans 1-4,6 -9,11-70

access-list 100 remark  allow only non vlan traffic
access-list 100 deny ip 192.168.1.0 0.0.127.255
access-list 100 permit ip any any

int Vlan (1-4,6 -9,11-70)
ip access-group 100 OUT

Vlan 5

access-list 105 remark  allow only vlan 10
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 deny ip 192.168.1.0 0.0.127.255
access-list 105  permit ip any any

int vlan 5
ip access-group 105 OUT

Vlan 10

access-list 110 remark  allow only vlan 5
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 deny ip 192.168.1.0 0.0.127.255
access-list 110  permit ip any any

int vlan 10
ip access-group 110 OUT

I think you need to read about Private Vlans.

you'll spend long time but you'll do it once and for all .