03-08-2024 09:31 PM
Scenario:
I have one router, 3 switches, 6 computers and 6 vlans.
vlan 10: 192.168.10.1
vlan 20: 192.168.20.1
vlan 30: 192.168.30.1
vlan 40: 192.168.40.1
vlan 50: 192.168.50.1
vlan 60: 192.168.60.1
I need VLAN 10 and 20 to communicate, as well as VLAN 50 and 60. I managed to do this with trunk allowed VLANs and encapsulation, but VLAN 10 and 20 can see VLAN 50 and 60. How do I prevent them from seeing each other, so that they only see the ones I mentioned above?
If you could help me, I would appreciate it very much.
03-08-2024 10:20 PM - edited 03-08-2024 10:21 PM
Hello 2309178,
Assuming that you have configured inter-VLAN routing correctly, you can implement Access Control Lists (ACLs) to block the communication between VLANs. I recommend an extended named ACL. ACLs are stateless; that is why, if you apply an ACL on a router, you would also need to allow the return traffic, unless you configure CBAC (ip inspect).
Here is the sample configuration:
ip access-list extended Allow_Vlan
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
deny ip any any
Finally, apply the ACL at the interface level. I think there is no difference between applying the ACL on the physical interface or the sub-interface, as an ACL works at Layer 3 and 4, not at a lower layer, hence it makes no difference whether it is applied on the physical or the sub-interface.
Best regards
******* If This Helps, Please Rate *******
03-09-2024 06:22 PM
You have to apply the ACL under the interface in the inbound direction:
interface Gig0/0
 ip access-group Allow_Vlan in
Please check whether you have applied the ACL in or out; if you give the incorrect direction, the ACL won't take any effect.
Best regards
******* If This Helps, Please Rate *******
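The following is an added example, not code from the thread or from Cisco: a small Python model of how IOS evaluates the Allow_Vlan ACL posted above (wildcard-mask matching, first match wins, implicit deny at the end) so that you can check a flow before committing the config. The host addresses and the One_Way variant are constructed for the demonstration; only plain "permit ip"/"deny ip" entries are handled, not TCP/UDP ports. Two things it makes visible: a stateless ACL must permit the reply as well as the request (the One_Way variant passes 10→20 but drops the 20→10 reply), and the trailing "deny ip any any" also drops traffic from those VLANs to anything outside the four listed pairs, such as an upstream or Internet address, which needs its own permit if it is wanted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the Allow_Vlan ACL exactly as posted above.
ALLOW_VLAN = """
ip access-list extended Allow_Vlan
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny ip any any
"""

# Constructed variant with the return-path entries left out, to show
# why a stateless ACL needs permits in both directions.
ONE_WAY = """
ip access-list extended One_Way
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
 deny ip any any
"""


@dataclass
class Ace:
    """One access control entry: action plus source/destination address and wildcard."""
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_endpoint(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (address, wildcard, index of the next unread token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse the 'permit ip'/'deny ip' lines of an extended named ACL, in order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # the 'ip access-list extended NAME' header, blanks, remarks
        if tokens[1] != "ip":
            raise ValueError("this example only handles 'ip' entries, not tcp/udp/icmp")
        src, src_wild, i = _parse_endpoint(tokens, 2)
        dst, dst_wild, _ = _parse_endpoint(tokens, i)
        aces.append(Ace(tokens[0], src, src_wild, dst, dst_wild))
    return aces


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    return (addr | wild) == (base | wild)


def evaluate(aces, src_ip: str, dst_ip: str):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'.
    Returns (action, 1-based entry number), or ('deny', None) for the implicit deny."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for n, ace in enumerate(aces, start=1):
        if wildcard_match(s, ace.src, ace.src_wild) and wildcard_match(d, ace.dst, ace.dst_wild):
            return ace.action, n
    return "deny", None


def flow_allowed(aces, a: str, b: str) -> bool:
    """A stateless ACL passes a conversation only if the request AND the reply hit permits."""
    return evaluate(aces, a, b)[0] == "permit" and evaluate(aces, b, a)[0] == "permit"


if __name__ == "__main__":
    for name, text in (("Allow_Vlan", ALLOW_VLAN), ("One_Way", ONE_WAY)):
        aces = parse_acl(text)
        print(name)
        for a, b in (("192.168.10.5", "192.168.20.7"),
                     ("192.168.10.5", "192.168.50.9"),
                     ("192.168.10.5", "8.8.8.8")):
            print(f"  {a} -> {b}: {evaluate(aces, a, b)}  conversation ok: {flow_allowed(aces, a, b)}")
```

Run it as a script to see which entry each sample packet hits. Because the ACL goes inbound on the router interface, every source address it sees is one of the VLAN subnets, which is why each permitted pair needs both the A-to-B and B-to-A lines.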
03-09-2024 04:59 AM
As @Gopinath_Pigili already describes, you can use extended ACLs on the VLAN L3 interfaces to control what traffic is allowed to enter and/or exit your subnets. Such ACLs can be very specific about which IPs and ports are allowed or denied.
As he also mentioned, firewall features (if supported) provide additional options.
If your router supports NBAR, you can also have further/deeper packet analysis.
If your router supports VRF, you would also have the option to create virtual L3 domains (sort of the L3 version of L2 VLANs).