Cisco 3560 Switch - Disable Routing Between two VLANs
ohmErnie asked:
Need to prevent communication between VLAN 2 and VLAN 3. Both need to be able to route out through VLAN 1.
Current IP route statement is 0.0.0.0 0.0.0.0 10.30.1.1
Network 1: 10.30.1.0/24 (VLAN 1)
Network 2: 10.30.10.0/24 (VLAN 2)
Network 3: 10.30.20.0/24 (VLAN 3)
How do I disable routing between VLAN 2 and VLAN 3? Please provide commands.
Sorry, mine is wrong.
This is what it should have been (but ikalmar already gave the right coding):
conf t
! Block anything from VLAN 2 that is headed for the VLAN 3 subnet; everything else (VLAN 1, default route) still passes
ip access-list extended DENYVLAN3
 deny ip any 10.30.20.0 0.0.0.255
 permit ip any any
! Block anything from VLAN 3 that is headed for the VLAN 2 subnet
ip access-list extended DENYVLAN2
 deny ip any 10.30.10.0 0.0.0.255
 permit ip any any
! Apply each ACL inbound on the SVI of the VLAN whose hosts it restricts
int vlan2
 ip access-group DENYVLAN3 in
int vlan3
 ip access-group DENYVLAN2 in
ASKER
How would I change this to a permit only? Say I only want the network x.x.x.x to have access to 10.30.20.0/24 and deny everything else.
access-list 102 permit ip x.x.x.0 0.0.0.255 10.30.20.0 0.0.0.255
access-list 102 deny ip any any
The line "access-list 102 deny ip any any" is not needed, as it is implicit, and you would also need to code:
int vlan3
 ip access-group 102 out
ASKER
If I have two 3560g switches connected via a SFP GB Module, do I need to create this list on both switches?
On which of the switches are the vlan interfaces defined? Or are you using HSRP? In the latter case you would have to do the job on both switches, otherwise the switch on which the interfaces are defined is sufficient.
Please show both switches' configs.
access-list 101 deny ip 10.30.10.0 0.0.0.255 10.30.20.0 0.0.0.255
access-list 101 permit ip any any
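To check what these ACLs actually do before applying them to the SVIs, here is an added example (not from this thread or from Cisco) that models IOS wildcard-mask matching, first-match ordering and the implicit deny, and runs the thread's ACLs against the three networks from the question; the asker's x.x.x.0/24 is replaced by the constructed placeholder 192.0.2.0/24.

```python
import ipaddress

# ACLs transcribed from the thread. Each entry is (action, source, destination)
# written with Cisco wildcard masks; "any" matches every address.
DENYVLAN3 = [("deny", "any", "10.30.20.0 0.0.0.255"), ("permit", "any", "any")]
DENYVLAN2 = [("deny", "any", "10.30.10.0 0.0.0.255"), ("permit", "any", "any")]
ACL_101 = [("deny", "10.30.10.0 0.0.0.255", "10.30.20.0 0.0.0.255"),
           ("permit", "any", "any")]
# "Permit only" variant: 192.0.2.0/24 is a constructed stand-in for x.x.x.0/24.
ACL_102 = [("permit", "192.0.2.0 0.0.0.255", "10.30.20.0 0.0.0.255")]


def matches(spec, ip):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    base_bits = int(ipaddress.IPv4Address(base)) & care
    return base_bits == (int(ipaddress.IPv4Address(ip)) & care)


def evaluate(acl, src, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, s, d in acl:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL


def report():
    """Exercise the thread's ACLs against the networks from the question."""
    return {
        # DENYVLAN3 inbound on int vlan2: VLAN 2 hosts cannot reach VLAN 3 ...
        "vlan2->vlan3 via DENYVLAN3": evaluate(DENYVLAN3, "10.30.10.5", "10.30.20.5"),
        # ... but still reach VLAN 1 and the default route beyond it.
        "vlan2->vlan1 via DENYVLAN3": evaluate(DENYVLAN3, "10.30.10.5", "10.30.1.1"),
        "vlan2->outside via DENYVLAN3": evaluate(DENYVLAN3, "10.30.10.5", "203.0.113.9"),
        "vlan3->vlan2 via DENYVLAN2": evaluate(DENYVLAN2, "10.30.20.5", "10.30.10.5"),
        # ACL 101 names both subnets, so on one interface it only catches one
        # direction; the reverse direction still matches its permit any any.
        "vlan2->vlan3 via ACL101": evaluate(ACL_101, "10.30.10.5", "10.30.20.5"),
        "vlan3->vlan2 via ACL101": evaluate(ACL_101, "10.30.20.5", "10.30.10.5"),
        # ACL 102 outbound on int vlan3: only the permitted network gets through,
        # everything else falls to the implicit deny (no explicit deny needed).
        "allowed net->vlan3 via ACL102": evaluate(ACL_102, "192.0.2.7", "10.30.20.9"),
        "vlan2->vlan3 via ACL102": evaluate(ACL_102, "10.30.10.5", "10.30.20.9"),
    }


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```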