Vlan configuration

muraripadhan
Level 1

Sir,

How will I stop communication between only two VLANs?

Suppose I have 4 VLANs:

VLAN 10 (IP address 192.168.1.0/24)
VLAN 20 (IP address 192.168.2.0/24)
VLAN 30 (IP address 192.168.3.0/24)
VLAN 40 (IP address 192.168.4.0/24)

Sir, I want to stop VLAN 10 and VLAN 30 communication.

But VLAN 20 will communicate with VLAN 10, VLAN 30 & VLAN 40,
VLAN 40 will communicate with VLAN 10, VLAN 30 & VLAN 20,
VLAN 10 will communicate with VLAN 20 & VLAN 40,
VLAN 30 will communicate with VLAN 20 & VLAN 40.

Accepted Solution

Francesco Molino
VIP Alumni

Hi

To restrict communication between VLAN 10 and VLAN 30, you can do it in multiple ways, like VRFs or ACLs.

In your post, it seems to be a simple infrastructure without VRFs, so I recommend using ACLs.

Below is the configuration:

ip access-list extended filter-vlan30
  deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip any any
!
ip access-list extended filter-vlan10
  deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
  permit ip any any
!
interface vlan 10
  ip access-group filter-vlan10 in
!
interface vlan 30
  ip access-group filter-vlan30 in
!

These ACLs will deny communication (no matter which TCP and/or UDP ports) between VLAN 10 and VLAN 30.

The first statement in each ACL is to deny hosts from the VLAN from reaching the other VLAN. The second is to allow everything else.

If you want to deny the traffic between the SVIs on the switch itself, you'll need to add the following line to each ACL:

ip access-list extended filter-vlan30
  ! IOS numbered the entries above 10 (deny) and 20 (permit ip any any);
  ! sequence 20 is already taken, so use a free number below 20 to land before the permit
  15 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
ip access-list extended filter-vlan10
  15 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question.
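To check that the two ACLs above give exactly the reachability the question asks for, here is an added example (not part of the answer or of any Cisco code) that models IOS first-match evaluation with wildcard masks and the inbound ACL on each SVI; the host addresses per VLAN are constructed, and VLANs 20 and 40 are assumed to have no ACL.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

def acl_action(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for action, s_net, s_wc, d_net, d_wc in entries:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

# The two ACLs from the answer as (action, src, src-wildcard, dst, dst-wildcard);
# 'any' is 0.0.0.0 with an all-ones wildcard.
ANY = ("0.0.0.0", "255.255.255.255")
FILTER_VLAN10 = [("deny", "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
                 ("permit", *ANY, *ANY)]
FILTER_VLAN30 = [("deny", "192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
                 ("permit", *ANY, *ANY)]

# Inbound ACL per SVI, as in the 'ip access-group ... in' lines; VLAN 20/40 have none.
SVI_INBOUND = {10: FILTER_VLAN10, 30: FILTER_VLAN30}
# Constructed sample host in each VLAN (assumption for the simulation).
VLAN_HOST = {10: "192.168.1.10", 20: "192.168.2.10", 30: "192.168.3.10", 40: "192.168.4.10"}

def can_reach(src_vlan, dst_vlan):
    """A host-to-host packet first hits the inbound ACL of the SVI of its own VLAN."""
    acl = SVI_INBOUND.get(src_vlan)
    if acl is None:
        return True
    return acl_action(acl, VLAN_HOST[src_vlan], VLAN_HOST[dst_vlan]) == "permit"

def reachability_matrix():
    """Which VLAN pairs can talk, given the ACLs; compare with the question's requirements."""
    vlans = sorted(VLAN_HOST)
    return {s: {d: can_reach(s, d) for d in vlans if d != s} for s in vlans}

if __name__ == "__main__":
    for s, row in reachability_matrix().items():
        print(f"VLAN {s} ->", {d: ("ok" if ok else "blocked") for d, ok in row.items()})
```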
