
VLAN traffic blocking from and to other VLANs Cisco

14 years 1 month ago #33580 by dxmen
Thanks Ammar, one more question. Taking your example, if I need to block another VLAN, for example VLAN3 (192.168.3.0), can I just add the subnet to the same ACL and then apply it to the VLAN3 interface, or does it need to be another ACL, for example access-list 200?
code:
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any

applied
interface vlan1
ip access-group 100 in
interface vlan3
ip access-group 100 in

or

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
access-list 200 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 200 permit ip any any

applied
interface vlan1
ip access-group 100 in
interface vlan3
ip access-group 200 in


thanks so much in advance to everybody!
14 years 1 month ago #33581 by S0lo
You're welcome dxmen :)

Both ways will work, but the second (i.e. two separate ACLs) is more efficient, because having only one ACL with two deny statements will force the router to check both statements every time a packet passes through; one of the statements is always redundant, so that's a waste of CPU time.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
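As an added illustration (not code from the thread or from Cisco), here is a small Python model of how IOS evaluates the two designs dxmen posted. It assumes the standard extended-ACL rules (first matching entry wins, implicit deny at the end, wildcard masks) and a sequential lookup, and it reports how many entries are inspected before a decision, which is the cost S0lo refers to. The sample flows are constructed.

```python
import ipaddress
# Added model of Cisco IOS extended ACL evaluation: first matching entry wins and
# an implicit "deny ip any any" ends every ACL. A wildcard mask is the inverse of
# a subnet mask: 0 bits must match the address, 1 bits are "don't care".
def wildcard_match(addr, network, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def _take_addr(tokens):                      # "any" is shorthand for 0.0.0.0 255.255.255.255
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acls(config):                      # {acl number: [(action, src, dst), ...]}
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()                     # access-list <n> <action> ip <src> <dst>
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def evaluate(acl, src_ip, dst_ip):           # -> (action, number of entries inspected)
    for i, (action, src, dst) in enumerate(acl, 1):
        if wildcard_match(src_ip, *src) and wildcard_match(dst_ip, *dst):
            return action, i
    return "deny", len(acl)                  # implicit deny at the end of the list

# The two designs from the thread. "ip access-group N in" on interface vlanX filters
# packets sourced by VLAN X hosts as they enter the routed SVI.
ONE_ACL = parse_acls("""
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any"""), {"vlan1": "100", "vlan3": "100"}
TWO_ACLS = parse_acls("""
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
access-list 200 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 200 permit ip any any"""), {"vlan1": "100", "vlan3": "200"}

# Constructed sample flows: (ingress SVI, source host, destination host)
FLOWS = [("vlan1", "192.168.1.10", "192.168.2.20"), ("vlan3", "192.168.3.10", "192.168.2.20"),
         ("vlan1", "192.168.1.10", "192.168.3.30"), ("vlan3", "192.168.3.10", "192.168.1.10")]

def verdict(design, vlan, src_ip, dst_ip):
    acls, bindings = design
    return evaluate(acls[bindings[vlan]], src_ip, dst_ip)

def compare():                               # same permit/deny either way; entry counts differ
    return [(verdict(ONE_ACL, *f), verdict(TWO_ACLS, *f)) for f in FLOWS]
```

Running compare() shows every flow gets the same permit/deny under both designs, while the single shared ACL inspects one more entry for every packet leaving VLAN3.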
14 years 1 month ago #33585 by dxmen
Great! Thanks so much to all for all your help; now I have everything I need to complete what I need. Cheers!!
Regards
13 years 8 months ago #35011 by ToxicAvenger

I have 4 VLANs on a Cisco 4500 L3 switch
VLAN 2
VLAN 3
VLAN 4
VLAN 5
I want to block in / out traffic from VLAN 4 & 5 to VLAN 3. Any suggestions? Thanks


enjoy

www.ciscosysteme.com/en/US/products/hw/s...186a008013565f.shtml