Routing VLANs without inter-VLAN connectivity?

I am trying to add a public access point to a network. The access point will be open and I need it to be on a separate VLAN from the rest of the network. Before this the network had no need for VLANs, so there was no VLAN configuration.

So I set ports fa0/2-23 on the switch to VLAN 10. The public access point is on port fa0/24 and I have set that port to VLAN 20. This works as expected: every device (on this switch) on VLAN 10 can ping each other, but VLAN 10 can't ping devices on the access point (VLAN 20) and vice versa, which is good. That's what I want.

But here is where I am confused. The switch is connected to a router on port fa0/1. So I set fa0/1 as a trunk port and configured it to accept all VLANs. I set the native VLAN as VLAN 10 for the trunk port.

So now VLAN 10 can ping the router but VLAN 20 can't (both VLANs are in the same subnet). I need both VLANs to be able to ping the router and reach the internet.
Whichever VLAN I set as the native on the trunk can ping just fine, and any other VLAN can't.

Of course I can set up inter-VLAN routing on the router with subinterfaces and both VLANs can ping the router just fine, but this allows the VLANs to also ping each other. I'm trying to keep "public" VLAN 20 from being able to ping any devices on the "internal" VLAN 10. So "inter" VLAN routing is not really what I want.

The LAN is on subnet 172.16.7.x /26; I'm trying to keep both VLANs on the same subnet.

Is there not a way to route both VLANs without inter-VLAN connectivity?

Thanks in advance



Bilal Nawaz

Do inter-VLAN routing, but on the public interface on the router, put an ACL there for input.

Deny all RFC1918 address space apart from things like DHCP and DNS, and then permit everything else.

ip access-list extended BLK-RFC1918
 remark Lock down to things like DHCP, DNS: the permitted IP should be the respective server
 1 permit ip any host 
 remark RFC 1918 ranges written as IOS wildcard masks
 10 deny ip any 10.0.0.0 0.255.255.255
 20 deny ip any 172.16.0.0 0.15.255.255
 30 deny ip any 192.168.0.0 0.0.255.255
 100 permit ip any any
!
interface gix/x.20
 ip access-group BLK-RFC1918 in

If you want to block your other VLANs from going to this public VLAN, then just do the opposite ACL and apply it on the same interface but outbound.


Please rate useful posts & remember to mark any solved questions as answered. Thank you.
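To show how the ACL in the reply actually sorts traffic, here is a small IOS-style extended-ACL evaluator, added as an example and not code from the thread or from Cisco. It parses "SEQ permit|deny ip SRC DST" entries with IOS wildcard masks, applies first-match-wins with the implicit deny at the end, and runs constructed packets through the reply's ACL as it would sit inbound on the VLAN 20 subinterface. All addresses are assumptions for the example: the internal VLAN 10 keeps 172.16.7.0/26, the public VLAN 20 is given its own subnet 172.16.8.0/26 (subinterface routing needs distinct subnets), the DHCP/DNS server is 172.16.7.10 and the guest gateway is 172.16.8.1.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addresses for this example (assumed, not from the thread).
DNS_SERVER = "172.16.7.10"      # internal DHCP/DNS server the guests may reach
INTERNAL_HOST = "172.16.7.30"   # an ordinary VLAN 10 machine
GUEST_GATEWAY = "172.16.8.1"    # router subinterface address for VLAN 20
GUEST_CLIENT = "172.16.8.20"    # a client on the public access point
INTERNET_HOST = "203.0.113.5"   # TEST-NET-3 address standing in for the Internet

# The reply's ACL with the RFC 1918 ranges written as IOS wildcard masks.
ACL_IN = """
1 permit ip any host 172.16.7.10
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
100 permit ip any any
"""

# Same entries, but the server permit placed after the deny lines (a common mistake).
ACL_MISORDERED = """
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
40 permit ip any host 172.16.7.10
100 permit ip any any
"""


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str   # "permit" or "deny"
    src: tuple    # (address, wildcard) as 32-bit ints
    dst: tuple


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acl(text):
    """Parse 'SEQ permit|deny ip SRC DST' lines into entries sorted by sequence."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("only 'permit|deny ip' entries are modelled: " + line)
        src, i = _parse_addr(tokens, 3)
        dst, _ = _parse_addr(tokens, i)
        entries.append(Entry(seq, action, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def _matches(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wildcard = spec
    return ((_ip(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in entries:
        if _matches(e.src, src_ip) and _matches(e.dst, dst_ip):
            return e.action, e.seq
    return "deny", None


def guest_inbound_results(acl_text=ACL_IN):
    """Fate of representative packets arriving on the VLAN 20 subinterface."""
    acl = parse_acl(acl_text)
    flows = {
        "guest -> DNS/DHCP server": (GUEST_CLIENT, DNS_SERVER),
        "guest -> internal host": (GUEST_CLIENT, INTERNAL_HOST),
        "guest -> own gateway": (GUEST_CLIENT, GUEST_GATEWAY),
        "guest -> Internet": (GUEST_CLIENT, INTERNET_HOST),
        "guest -> 10/8": (GUEST_CLIENT, "10.1.2.3"),
        "DHCP discover (broadcast)": ("0.0.0.0", "255.255.255.255"),
    }
    return {name: evaluate(acl, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, (action, seq) in guest_inbound_results().items():
        print(f"{name:26s} {action:6s} (entry {seq})")
    print("misordered, guest -> DNS:",
          evaluate(parse_acl(ACL_MISORDERED), GUEST_CLIENT, DNS_SERVER))
```

Two things the run makes visible. Entry order matters: with the server permit moved below the deny lines, guest DNS lookups are dropped by entry 20 before they ever reach the permit. And because an inbound ACL also filters packets addressed to the router itself, entry 20 denies the guest's pings to its own gateway (172.16.8.1 falls inside 172.16.0.0/12); if guests should be able to ping the router, add a permit for the gateway address ahead of the deny lines. The outbound mirror ACL the reply mentions is stateless as well, so it has to permit the return traffic from the DHCP/DNS server in the same way.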