Restric intervlan routing

Arshad Safrulla · ‎09-28-2019

I have 2 core switches in stp looped topology where more than 100 access switches connecting to them. I have around 75 svi vlans configured in these core switches with hsrp. I have a requirement to block certain vlans communicating with each other. Requirement is to block bidirectional. What would be the best way to proceed? Is it with acls called in svi or vlan maps (VACL). Or any other way. Fyi core switches catalyst 9500 series. Acces sswitches are 9200 switches and dna center is not an option for us as we only have essential licneses.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

paul driver · ‎09-28-2019

Hello

Vlan maps are for filtering traffic within a vlan

Routed acls (RACLs) applied to the l3 interfaces of the vlans (SVIs) would filter traffic between vlans

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Arshad Safrulla · ‎09-28-2019

Hi Paul,

I meant VACL by vlan maps. Sorry for the confusion. Does the above statement still valid for VACL's?

As I understand VACL applies to traffic routed in or out of VLAN as well. Correct me if I am wrong.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

paul driver · ‎09-28-2019

Hello

Arh I see VACLs - I refer to them also as routed acls (as they basically perform the same function) are different from vlan-maps - The later only filter traffic within a vlan if you notice you are not able to specify a direction in the maps (in/out) only match/action statements are allowed unlike routed acls which will allow you to filter inter-vlan traffic

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

balaji.bandi · ‎09-28-2019

You can do VLAN ACL also blocking to communicate with each other.

How is your Core CAt 9500 connected each other? SVL?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Arshad Safrulla · ‎09-28-2019

Hi Balaji,

It's connected using L2 trunk, there is no SVL. SVI's created in both switches with HSRP

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

balaji.bandi · ‎09-28-2019

ACL should work with the respected SVI interface for blocking.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul driver · ‎09-28-2019

Hello

restrict inter-vlan communication =Vacl/Racl

restrict host to host traffic within a vlan - vlan-maps

restrict l2 host traffic inbound on specific port - Pacls

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul