Hello,

I'm looking to restrict Inter-VLAN routing through L3 switch (cisco 6500) and wanted to know best possible way to do it.

I used VACL and achieved success to some extent, but my config is making clients take up to 5-6 mins to authenticate IP address from the DNS (bootps).

My VACL config was as follows:

Subnet to restrict is 10.100.15.0 (VLAN 15)

STEP 1: Created extended ACL to allow bootpc/bootps through DNS

ip access-list extended EACL_DNS

permit udp any eq bootps any

permit udp any eq bootpc any

STEP 2: Created standard ACLs to allow only relevant subnet, server VLANs & some IPs from other subnets for printers/scanners etc.

ip access-list standard SACL_VLAN_15

permit 10.100.15.0 0.0.0.255 (the subnet I'm restricting)

permit 10.100.50.0 0.0.0.255 (server VLANs)

permit 10.100.25.45 0.0.0.0 (printer in another VLAN which has to have access in VLAN 15)

STEP 3: Created VLAN access list

vlan access-map VACL_15 10

match ip address EACL_DNS

action forward

vlan access-map VACL_15 20

match ip address SACL_15

action forward

STEP 4: Applying VLAN Access list on VLAN 15

vlan filter VACL_15 vlan-list 15

Though the above works, below is noted:

1. I'm still able to PING 10.100.15.2 (the switch virtual interface) from outside the subnet, which I don't intend to do so. Howeve all cients in the subnet have no connectivity from outside the VLAN 15.

2. As mentioned its taking quiet some time to negotiate with the DNS server at system boot time.

I'm sure there could be other ways of doing it, I'm looking for some tunning in above or best possible way to achieve it without putting in too much load on the core. I've approx. 15 VLANs to segregate and restrict Inter-VLAN routing.

Thank you.

Regards,

Adnan