Stop intervlan communication

akshaycjoshi
Level 1

In my network I am using Cisco 2921 with 3 GBit interfaces.

G0/0 goes to the internet

G0/1 goes to my squid proxy

G0/2 connects to an SG300 24-port managed GBit switch.

I am using wccp for my caching mechanism.

The switch has 24 ports; I have created VLANs 2-24. Port 1 is the trunk port, connecting to G0/2 of the router, and the remaining 23 ports are in separate VLANs:

Port2-Vlan2-172.16.2.0/24, Port3-Vlan3-172.16.3.0/24 etc.

I have created subinterfaces (G0/2.2, G0/2.3 etc.) for the various VLANs, using router on a stick.

What I need is that devices on Vlan1:

Should be able to access internet

Should be able to access Proxy on G0/1 (192.168.1.0/24)

Should NOT be able to access other vlans

I can go ahead and create ACLs, but I think that will be very difficult to manage, and sometimes I would need to "join" 2 VLANs temporarily.

What is the best option for me?

Thanks !



Sandeep Choudhary
VIP Alumni

Hi Akshay,

You can use PBR:

Here is the example.

https://supportforums.cisco.com/thread/2128202

Or you will need an ACL to prevent vlan 10.10 from talking to vlan 10.20 and vice versa. For example:

access-list 10 deny 10.20.0.0 0.0.255.255
access-list 10 permit any
! the permit any line is required: a standard ACL ends in an implicit deny,
! so a deny-only list would block all traffic leaving the interface
access-list 20 deny 10.10.0.0 0.0.255.255
access-list 20 permit any

interface vlan 10
ip access-group 10 out  >> will prevent any traffic from 10.20.0.0

interface vlan 20
ip access-group 20 out  >> will prevent any traffic from 10.10.0.0

Regards

Don't forget to rate helpful posts.

Hi Sandeep

VRF seems to be another way of doing the same. Can you please let me know the config.

In each VRF routing table it should have:

1. Default route to internet

2. route to G0/1

Can you please help me.

Akshay

Can you clarify exactly what you want. You say -

What I need is that devices on Vlan1:

Should be able to access internet

Should be able to access Proxy on G0/1 (192.168.1.0/24)

Should NOT be able to access other vlans

but you don't have any devices in vlan 1 according to your description of how you have allocated the ports.

Note also that using VRFs will not make your config any simpler, because you would need to exchange routes between VRFs, and I don't think it would be that much easier to manage.

Jon

Please read it as:

What I need is that devices on Vlan2:

Should be able to access internet

Should be able to access Proxy on G0/1 (192.168.1.0/24)

Should NOT be able to access other vlans

You are saying that it won't make the config easier; can you please let me know what is the best option for me?

Also, please post an example of VRF for my scenario.

Akshay

If it is just vlan 2 then the simplest solution is -

access-list 101 deny ip 172.16.2.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip any any

The above is the shortest acl and it's important to understand what it is doing -

1) it blocks all traffic from vlan 2 to any 172.16.x.0 network. You could have individual lines for each vlan subnet but 172.16.0.0 255.255.0.0 covers all those networks, i.e. it covers -

172.16.0.0 -> 172.16.255.0

you can narrow it down if you want with -

172.16.0.0 0.0.31.255 which covers networks 172.16.0.0 -> 172.16.31.0.

If you need vlan 2 to be able to access vlan 4 for example but not any others you would need to rewrite the acl.

2) the second line allows all other traffic from vlan 2 to any other destination which includes 192.168.1.0/24 and the internet.

Then you need to apply the acl -

int gi0/2.2
ip address x.x.x.x y.y.y.y
encapsulation dot1q 2
ip access-group 101 in

The above is by far the simplest solution. Using VRFs would require a lot more config. If you still want to use VRFs do a search on Cisco site where there are lots of config examples. Bear in mind you would need to configure VRFs and then additionally start exchanging routes between VRFs.

Jon
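Jon's wildcard-mask explanation above, and the implicit deny at the end of every IOS ACL that also matters for the deny-only standard ACLs in Sandeep's reply, worked through as an added Python example (not from this thread or from Cisco IOS). It evaluates access-list 101 against constructed flows from VLAN 2, shows the "permit vlan 4 first" rewrite, and computes which 172.16.x.0 networks a wildcard mask covers.

```python
import ipaddress

# Constructed model of the thread's access-list 101 (Cisco wildcard masks).
# Entry layout: (action, src_net, src_wildcard, dst_net, dst_wildcard).
# "any" is written the IOS-equivalent way: 0.0.0.0 255.255.255.255.
ACL_101 = [
    ("deny",   "172.16.2.0", "0.0.0.255",       "172.16.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0",    "255.255.255.255", "0.0.0.0",    "255.255.255.255"),
]

# The "rewrite the acl" case: VLAN 2 may reach VLAN 4 but no other 172.16.x.0
# subnet. The more specific permit must precede the broad deny (first match wins).
ACL_101_VLAN4 = [
    ("permit", "172.16.2.0", "0.0.0.255", "172.16.4.0", "0.0.0.255"),
] + ACL_101

# Deny-only standard ACL (source match only), as in the earlier reply.
ACL_DENY_ONLY = [
    ("deny", "10.20.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(net) & care)


def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for one flow: first matching entry wins,
    and a flow that matches nothing hits the implicit deny at the end."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "deny"  # implicit deny: why a deny-only ACL blocks everything


def covered_third_octets(net, wildcard):
    """Lowest and highest third octet a wildcard covers, e.g. 0.0.31.255 -> (0, 31)."""
    n, w = _to_int(net), _to_int(wildcard)
    lo, hi = n & ~w & 0xFFFFFFFF, n | w
    return ((lo >> 8) & 0xFF, (hi >> 8) & 0xFF)


if __name__ == "__main__":
    # Constructed sample flows from a VLAN 2 host.
    for dst in ("172.16.3.10", "192.168.1.5", "8.8.8.8"):
        print("172.16.2.10 ->", dst, evaluate(ACL_101, "172.16.2.10", dst))
```

Running it prints deny for the VLAN 3 host and permit for the proxy subnet and the internet address, matching points 1) and 2) above.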

akshaycjoshi
Level 1

Agreed.

Thanks a lot.
