03-29-2013 12:04 PM - edited 03-07-2019 12:32 PM
Hi, I am working for a large campus network. The network has more than 70 VLANs in a Layer 3 switch (Catalyst 4503). The customer wants to stop inter-VLAN routing between all VLANs except 2 VLANs. How will I do that? I also have a firewall (ASA 5520) and a router (2811) upstream of the switch. Besides this, I run HSRP in the Layer 3 switches for redundancy.
Please suggest how I can stop inter-VLAN routing between the VLANs except 2, with an ACL or any other process?
03-29-2013 03:24 PM
Hello
Are you saying you wish to prohibit communication between all these VLANs apart from 2 of them?
A few options exist, but first can you verify:
Are all VLANs propagated throughout the campus, plus the hosts for all these VLANs, or on each switch is there just one VLAN and the associated hosts for that VLAN?
res
Paul
Sent from Cisco Technical Support Android App
03-30-2013 09:07 AM
Thanks Paul. Yes, I want to prohibit communication between all these VLANs apart from 2 of them.
Till now all VLANs have propagated throughout the campus, and on each access switch there is just one VLAN and the associated hosts for that VLAN. There is also a VLAN for managing the access switches. All access switches are connected from distribution switches, and there is a Layer 2 link.
Please help me regarding this. Again, thanks.
Regards,
Sadia
03-30-2013 09:35 AM
Hello
Okay, try and just allow the specific VLAN across the trunk connecting the access switch:
int vlan.xx
switchport trunk allowed vlan xxx
res
Paul
Sent from Cisco Technical Support Android App
03-30-2013 10:42 AM
Paul, do you mean that I will do this on the VLAN interfaces?
I have already done this on the interface of the core which is connected to the distribution by a trunk. These VLANs are created in this distribution switch:
interface GigabitEthernet2/1
description *******Core Sw 1 to Distribution Sw 1********
switchport trunk allowed vlan 1-11,51-100,111,117-189,191-203,207-4094
switchport mode trunk
But it did not work; I got pings from all other VLANs which are not included in this allowed VLAN list.
Regards,
Sadia
03-30-2013 11:13 AM
Hello Sadia,
The same issue as yours is solved in this thread. I think it is a very elegant solution.
https://supportforums.cisco.com/thread/2128202
Best Regards
Please rate all helpful posts and close solved questions
04-11-2013 06:10 AM
Hi Grana, thanks a lot for your support. I have already applied your suggested thread, but when configuring the process, I am facing some problems.
Inter-VLAN routing has stopped, but hosts cannot ping each other in the same network; they can only get to the internet. I need every VLAN to be able to communicate within itself but not reach the others. I also have 2 VLANs which should communicate with all VLANs. I have about 70 VLANs, so it has become really tough.
Please give me a suggestion on how I can do this.
04-11-2013 06:46 AM
Hello
I think the link which I provided to you is a good example of how to accomplish what you are trying to do, so please read it for more detail.
Let's say that you have 70 VLANs [VLAN 1 - 70] and the prefix for each VLAN is 10.0.xxx.0/24 where xxx is the number of the VLAN, so VLAN 9 has subnet 10.0.9.0/24.
You want to disable inter-VLAN routing except for VLANs 25 and 49, which will have access to everywhere, and all VLANs will have access to the internet.
Configuration:
ip access-list extended INTERNET
permit ip 10.0.0.0 0.0.255.255 any
ip access-list extended PERMIT-INTERVLAN
permit ip 10.0.25.0 0.0.0.255 any
permit ip 10.0.49.0 0.0.0.255 any
ip access-list extended DENY-INTERVLAN
permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
vlan access-map RIZ-VLAN-MAP 10
action forward
match ip address PERMIT-INTERVLAN
vlan access-map RIZ-VLAN-MAP 20
action drop
match ip address DENY-INTERVLAN
vlan access-map RIZ-VLAN-MAP 30
action forward
match ip address INTERNET
vlan filter RIZ-VLAN-MAP vlan-list 1-70
Best Regards
Please rate all helpful posts and close solved questions
04-11-2013 10:55 AM
Hello seclucscon,
I just read it one more time and realized that this will not help; it will also entirely block communication on the same subnet, as you said earlier. Sorry for that.
But you can use the same concept on L3 interfaces. Apply the same ACL on all VLAN interfaces for easier maintenance.
ip access-list extended CUSTOMER_ACL
permit ip 10.0.25.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.255.255 10.0.25.0 0.0.0.255
permit ip 10.0.49.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.255.255 10.0.49.0 0.0.0.255
deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
permit ip 10.0.0.0 0.0.255.255 any
If you apply this ACL on all 70 VLAN interfaces, only VLANs 25 and 49 will have access to all hosts and the internet; the other VLANs will be blocked and will have access only to the internet.
Best Regards
Please rate all helpful posts and close solved questions
04-05-2019 07:29 AM
Hi, the thread link (URL) which you are discussing is not working. Can you please post it here?
08-03-2019 04:15 AM - edited 08-03-2019 04:16 AM
Hello
Then RACLs on the SVIs should do it. The logic of SVI access-lists is as follows:
OUT = traffic originating from outside the VLAN
IN = traffic originating from inside the VLAN
Example:
VLAN 5 and VLAN 10 to be able to speak to each other;
all other VLANs to be denied communication between each other.
VLANs 1-4, 6-9, 11-70
access-list 100 remark allow only non vlan traffic
access-list 100 deny ip 192.168.1.0 0.0.127.255 any
access-list 100 permit ip any any
interface range vlan 1-4,6-9,11-70
ip access-group 100 OUT
VLAN 5
access-list 105 remark allow only vlan 10
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 deny ip 192.168.1.0 0.0.127.255 any
access-list 105 permit ip any any
int vlan 5
ip access-group 105 OUT
VLAN 10
access-list 110 remark allow only vlan 5
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 deny ip 192.168.1.0 0.0.127.255 any
access-list 110 permit ip any any
int vlan 10
ip access-group 110 OUT
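The three designs in this thread (the VACL RIZ-VLAN-MAP, the accepted CUSTOMER_ACL applied inbound on every SVI, and the 2019 ACLs applied outbound on the SVIs) differ mainly in where the switch consults the ACL, which is why the VACL broke same-subnet pings while the SVI ACLs do not. The script below is an added example, not configuration or code from the thread, from Cisco or from IOS: it parses the ACL lines as posted, applies Cisco wildcard masks and first-match semantics, and consults each ACL the way the switch would (a VACL sees every frame in the VLAN, bridged or routed; a RACL on an SVI sees only routed traffic entering or leaving that SVI). It assumes every VLAN is a /24 numbered by the third octet (10.0.<vlan>.0/24 and 192.168.<vlan>.0/24, as in the thread) and treats the posted deny lines that omit a destination as `deny ... any`.

```python
"""Offline check of the VLAN-isolation ACL designs discussed in this thread.
Added example, not from the thread or from Cisco. Assumptions: each VLAN is a
/24 numbered by its third octet; deny lines posted without a destination mean
"any"; a VACL filters bridged and routed frames, an SVI RACL only routed ones.
"""
import ipaddress

def _wild(addr, wild):
    """Cisco wildcard mask: set bits are don't-care. Returns (base, care_mask)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)) & care, care

def _take_addr(toks, i):
    if toks[i] == "any":
        return (0, 0), i + 1
    if toks[i] == "host":
        return _wild(toks[i + 1], "0.0.0.0"), i + 2
    return _wild(toks[i], toks[i + 1]), i + 2

def parse_acl(text):
    """Parse extended IP ACEs in named or numbered syntax; headers and remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0] == "access-list":        # numbered form: drop "access-list <n>"
            toks = toks[2:]
        if toks[0] not in ("permit", "deny"):
            continue
        src, i = _take_addr(toks, 2)        # toks[1] is the protocol ("ip")
        dst, _ = _take_addr(toks, i)
        rules.append((toks[0] == "permit", src, dst))
    return rules

def evaluate(rules, src, dst):
    """First matching ACE decides; implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for permit, (sn, sc), (dn, dc) in rules:
        if s & sc == sn and d & dc == dn:
            return permit
    return False

def vlan_of(ip, site):
    """VLAN number (third octet) for a site address, None for anything outside the site."""
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(site):
        return None
    return int(ip.split(".")[2])

# Design 1 (first suggestion): VACL RIZ-VLAN-MAP on VLANs 1-70. A sequence matches
# when the frame hits a permit ACE of its ACL; a frame matching no sequence is dropped.
VACL_MAP = [
    ("forward", parse_acl("permit ip 10.0.25.0 0.0.0.255 any\npermit ip 10.0.49.0 0.0.0.255 any")),
    ("drop", parse_acl("permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255")),
    ("forward", parse_acl("permit ip 10.0.0.0 0.0.255.255 any")),
]

def vacl_allowed(src, dst):
    for action, rules in VACL_MAP:
        if evaluate(rules, src, dst):
            return action == "forward"
    return False

# Design 2 (accepted answer): CUSTOMER_ACL applied "in" on every SVI.
CUSTOMER_ACL = parse_acl("""
permit ip 10.0.25.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.255.255 10.0.25.0 0.0.0.255
permit ip 10.0.49.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.255.255 10.0.49.0 0.0.0.255
deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
permit ip 10.0.0.0 0.0.255.255 any
""")

def racl_in_allowed(src, dst):
    sv, dv = vlan_of(src, "10.0.0.0/16"), vlan_of(dst, "10.0.0.0/16")
    if sv is None or sv == dv:
        return True     # enters on the uplink, or is bridged inside the VLAN: no SVI ACL
    return evaluate(CUSTOMER_ACL, src, dst)

# Design 3 (2019 post): ACLs applied "out" on the SVIs, so the ACL on the
# destination VLAN's SVI is the one consulted.
ACL_100 = parse_acl("access-list 100 deny ip 192.168.1.0 0.0.127.255 any\naccess-list 100 permit ip any any")
ACL_105 = parse_acl("access-list 105 permit ip 192.168.10.0 0.0.0.255 any\naccess-list 105 deny ip 192.168.1.0 0.0.127.255 any\naccess-list 105 permit ip any any")
ACL_110 = parse_acl("access-list 110 permit ip 192.168.5.0 0.0.0.255 any\naccess-list 110 deny ip 192.168.1.0 0.0.127.255 any\naccess-list 110 permit ip any any")
OUT_ACL = {5: ACL_105, 10: ACL_110}      # every other SVI carries ACL 100

def racl_out_allowed(src, dst):
    sv, dv = vlan_of(src, "192.168.0.0/16"), vlan_of(dst, "192.168.0.0/16")
    if dv is None or sv == dv:
        return True     # leaves via the uplink, or is bridged: no SVI ACL
    return evaluate(OUT_ACL.get(dv, ACL_100), src, dst)

if __name__ == "__main__":
    for name, fn, flows in [
        ("VACL", vacl_allowed, [("10.0.9.10", "10.0.9.20"), ("10.0.9.10", "10.0.10.20")]),
        ("RACL in", racl_in_allowed, [("10.0.9.10", "10.0.9.20"), ("10.0.9.10", "10.0.25.20")]),
        ("RACL out", racl_out_allowed, [("192.168.5.10", "192.168.10.20"), ("192.168.7.10", "192.168.8.20")]),
    ]:
        for s, d in flows:
            print(f"{name:8} {s:>14} -> {d:<14} {'permit' if fn(s, d) else 'DENY'}")
```

Running it shows the same-subnet flow 10.0.9.10 -> 10.0.9.20 dropped by the VACL (sequence 20 matches any 10.0.0.0/16 to 10.0.0.0/16 traffic, bridged or not) but untouched by either SVI design, and both SVI designs still permit internet-bound and returning traffic because neither the uplink nor a same-VLAN path passes an SVI ACL. It also shows the wildcard normalization the switch performs: `192.168.1.0 0.0.127.255` matches exactly what `192.168.0.0 0.0.127.255` would.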
03-30-2013 04:48 PM
Have you considered isolating each VLAN to VRFs?
---
Posted by WebUser Atle Ørn Hardarson from Cisco Support Community App
04-11-2013 11:46 AM
Which device is handling the inter vlan routing?
You should be able to accomplish this with private VLANs: put every VLAN in an isolated VLAN, and the two that need to speak to each other in a community VLAN.
Sent from Cisco Technical Support iPhone App
08-03-2019 01:37 AM
I think you need to read about Private VLANs.
You'll spend a long time, but you'll do it once and for all.