VACL to disallow Intravlan Host Communication

FLOPACES11
Level 1

We are using inter-VLAN routing and no routing protocols. All departments sit on their own VLAN. Our core router is a WS-C4500x-32 that handles all routing for our environment. I am having huge trouble successfully constructing a VACL to allow hosts to get out to the internet but not communicate with each other. Is this even possible without using private VLANs? If so, please help me understand what I am doing wrong. The VACL either blocks all traffic or none.

 

ip access-list extended NO-VLAN2

 10 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255

 

vlan access-map NO-VLAN2 10

action drop

match ip address NO-VLAN2

vlan access-map NO-VLAN2 20

action forward

 

vlan filter NO-VLAN2 vlan-list 2

1 Reply

acampbell
VIP Alumni

Hi,

Let's say VLAN 100 has a port set in it that connects to the internet.
Vlan 10 is one group of internal customers
Vlan 20 is a 2nd set of internal customers

Vlan 10 allowed to internet but not vlan 20
Vlan 20 allowed to internet but not vlan 10

 

Something like this just using extended IP access lists should work


!
int vlan 100
 desc INTERNET ACCESS VLAN
 ip address 10.100.100.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.100.100.1 name TO-OUR-INTERNET-ROUTER
!
access-list 110 remark VLAN 10 may reach anything except VLAN 20
access-list 110 deny ip 10.100.10.0 0.0.0.255 10.100.20.0 0.0.0.255
access-list 110 permit ip any any
!
access-list 120 remark VLAN 20 may reach anything except VLAN 10
access-list 120 deny ip 10.100.20.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 120 permit ip any any
!
int vlan 10
 desc CUSTOMER GROUP 1-VLAN 10
 ip address 10.100.10.1 255.255.255.0
 ip access-group 110 in
!
int vlan 20
 desc CUSTOMER GROUP 2-VLAN 20
 ip address 10.100.20.1 255.255.255.0
 ip access-group 120 in
!

 


Hope this helps

Regards, Alex. Please rate useful posts.
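The two configurations in this thread are evaluated by the switch in different places and with different rules, which is easy to lose sight of when a VACL "blocks all or none". The block below is an added example, not code from either poster or from Cisco: a small model of how IOS evaluates a router ACL applied with ip access-group (first matching ACE wins, implicit deny at the end) versus a VLAN access-map (sequences tried in order; a match clause matches only packets the referenced ACL permits, a deny ACE in that ACL is simply a non-match; a sequence with no match clause matches everything; a packet matching no sequence is dropped). It then runs the NO-VLAN2 VACL from the question and the numbered ACLs from the reply (with ACL 110 evaluated on traffic entering Vlan10 and ACL 120 on Vlan20, where they have to sit to see those sources) over constructed traffic. The internet address 203.0.113.10 is constructed, and the VLAN 2 gateway address 192.168.2.1 is an assumption; only the ACEs themselves come from the thread.

```python
# Added example (not from the thread): a small model of how Cisco IOS evaluates
# a router ACL (ip access-group) versus a VLAN access-map (VACL), run against
# the two configurations posted above. Test traffic addresses are constructed;
# the VLAN 2 gateway address 192.168.2.1 is an assumption.
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class ACE:
    action: str   # "permit" or "deny"
    src: Net
    dst: Net


def _parse_addr(toks):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return Net("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return Net(toks[1] + "/32"), toks[2:]
    addr, wildcard = toks[0], toks[1]
    # IOS wildcard bits are the inverse of a netmask (contiguous wildcards assumed here).
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return Net((addr, str(ipaddress.IPv4Address(mask))), strict=False), toks[2:]


def parse_ace(line):
    """Parse 'permit|deny ip SRC DST'; a leading sequence number or 'access-list N' is allowed."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    if toks[0].isdigit():
        toks = toks[1:]
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    return ACE(action, src, dst)


def acl_lookup(aces, src, dst):
    """Router ACL: first matching ACE wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def vacl_lookup(access_map, acls, src, dst):
    """VLAN access-map: sequences are tried in order. A sequence with no match
    clause matches everything; 'match ip address X' matches only packets that
    ACL X permits (a deny ACE is a non-match, not a drop). A packet matching
    no sequence at all is dropped."""
    for match_acl, action in access_map:
        if match_acl is None or acl_lookup(acls[match_acl], src, dst) == "permit":
            return action
    return "drop"


# The VACL from the question: seq 10 drops what NO-VLAN2 permits, seq 20 forwards the rest.
ACLS = {"NO-VLAN2": [parse_ace("10 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255")]}
NO_VLAN2_MAP = [("NO-VLAN2", "drop"), (None, "forward")]

# The router ACLs from the reply (110 inbound on Vlan10, 120 inbound on Vlan20).
ACL_110 = [parse_ace("access-list 110 deny ip 10.100.10.0 0.0.0.255 10.100.20.0 0.0.0.255"),
           parse_ace("access-list 110 permit ip any any")]
ACL_120 = [parse_ace("access-list 120 deny ip 10.100.20.0 0.0.0.255 10.100.10.0 0.0.0.255"),
           parse_ace("access-list 120 permit ip any any")]

INTERNET = "203.0.113.10"      # constructed: some address out on the internet
GATEWAY_VLAN2 = "192.168.2.1"  # assumption: the VLAN 2 SVI address


def vlan2_verdicts():
    """Constructed traffic through the VACL on VLAN 2."""
    return {
        "host->host":     vacl_lookup(NO_VLAN2_MAP, ACLS, "192.168.2.10", "192.168.2.20"),
        "host->internet": vacl_lookup(NO_VLAN2_MAP, ACLS, "192.168.2.10", INTERNET),
        "host->gateway":  vacl_lookup(NO_VLAN2_MAP, ACLS, "192.168.2.10", GATEWAY_VLAN2),
        "dhcp discover":  vacl_lookup(NO_VLAN2_MAP, ACLS, "0.0.0.0", "255.255.255.255"),
    }


def intervlan_verdicts():
    """Constructed traffic entering Vlan10 (ACL 110) and Vlan20 (ACL 120)."""
    return {
        "vlan10->vlan20":   acl_lookup(ACL_110, "10.100.10.5", "10.100.20.5"),
        "vlan10->internet": acl_lookup(ACL_110, "10.100.10.5", INTERNET),
        "vlan20->vlan10":   acl_lookup(ACL_120, "10.100.20.5", "10.100.10.5"),
    }


if __name__ == "__main__":
    for name, verdict in {**vlan2_verdicts(), **intervlan_verdicts()}.items():
        print(f"{name:18} {verdict}")
```

Two things the model makes visible. First, internet-bound packets from a VLAN 2 host carry an off-subnet destination IP, so they fall through sequence 10 and are forwarded by the catch-all sequence 20; what the question's VACL does drop is anything addressed to another 192.168.2.0/24 address, and that includes the SVI's own address (pinging the gateway, or any service the switch itself offers on that VLAN), since the gateway necessarily lives in the same subnet. Second, the reply's ip access-group ACLs only ever see traffic that is routed through the SVI; frames between two hosts on the same VLAN are bridged in hardware and never reach them, which is why the intra-VLAN case needs a VACL (or private VLANs / protected ports) rather than a router ACL.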