VLAN Security on LAN

I am designing a new LAN setup and am new to VLANs.  I understand that VLANs reduce broadcast traffic and segregate the LAN into different segments/subnets.  I have 4 VLANs (10, 20, 30 and 40).  I have a Cisco router out to my ISP.  To get all 4 VLANs to use the Internet,  I have created subinterfaces on the LAN side of the outbound router.  This effectively allows all four VLANs to access the Internet via the outbound router, but allows the VLANs to see each other.  I can ping from VLAN to VLAN.  There no longer seems to be any segregation.  

How do I create a LAN that uses a shared Internet connection and maintain the integrity/security of each VLAN?

I apologize if this is a super-simple question.
CipherUser Asked:

Don Johnston (Instructor) Commented:
VLANs provide layer 2 segregation.  Being able to ping between VLANs shows that you have layer 3 connectivity.

You would use ACLs (Access Control Lists) to block inter-VLAN traffic.

Assuming your four VLANs have IP addresses of 192.168.10.0, 192.168.20.0, 192.168.30.0 and 192.168.40.0, you could do the following.

! Standard ACL: matches on source address only.
! Deny anything sourced from 192.168.0.0/16 (i.e. from another VLAN),
! permit everything else (Internet return traffic).
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit any
!
! Apply the ACL outbound on every VLAN subinterface so that traffic
! sourced from any 192.168.x.x address is never delivered into a VLAN.
int f0/1.10
 ip access-group 1 out
int f0/1.20
 ip access-group 1 out
int f0/1.30
 ip access-group 1 out
int f0/1.40
 ip access-group 1 out

With this in place, there will be no communications between VLANs 10, 20, 30 and 40.
There are other ways to write the ACL to accomplish your goal as well.
0

CipherUser (Author) Commented:
Don,

Great answer.  Thanks for the prompt reply.  I will award the points to your answer, but was wondering if you could briefly explain what the commands you are suggesting actually do.

Thanks again Don!
0
Don Johnston (Instructor) Commented:
interface f0/1.10
 ip access-group 1 out

Any traffic leaving this interface must be permitted by a line in ACL 1. If it is not, the traffic is discarded.

access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit any


When testing traffic against this ACL, first the router will attempt to match the traffic to the first line of the ACL.  

In this case traffic coming from 192.168.anything.anything will be considered a match.  If it's a match, then the packet is discarded.

If the traffic is coming from a non-192.168 address, then it doesn't match and the router compares it to the next line.

Which says if it's coming from anywhere, it's a match and that means it is permitted.
0
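As an added example (it is not part of Don Johnston's answer, and it is not Cisco code), the following Python model reproduces the two things his two comments describe: how IOS tests a source address against a standard ACL line using a wildcard mask (1 bits in the mask are "don't care" bits), first-match evaluation with the implicit deny at the end, and what happens when that ACL is applied outbound on the four VLAN subinterfaces while the ISP-facing interface carries no ACL. The interface name f0/0 for the ISP side, the /24 masks on the VLAN subnets, and all packet addresses are assumptions constructed for the example. It also shows why the wildcard has to be exactly 0.0.255.255: with a one-character slip such as 0.0.255.25 the deny line stops matching many inter-VLAN sources.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    network: int     # matched address as a 32-bit integer
    wildcard: int    # Cisco wildcard mask; a 1 bit means "ignore this bit"


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acl(lines):
    """Parse IOS 'access-list <n> permit|deny <addr> [wildcard]' (or 'any') lines."""
    entries = []
    for line in lines:
        parts = line.split()
        action = parts[2]
        if parts[3] == "any":
            entries.append(AclEntry(action, 0, 0xFFFFFFFF))
        else:
            net = ip_int(parts[3])
            wc = ip_int(parts[4]) if len(parts) > 4 else 0  # no wildcard = exact host
            entries.append(AclEntry(action, net, wc))
    return entries


def matches(entry: AclEntry, src: int) -> bool:
    """Cisco wildcard test: compare only the bits that are 0 in the mask."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (src & care) == (entry.network & care)


def evaluate(acl, src_addr: str):
    """First matching line wins; an unmatched packet hits the implicit deny."""
    src = ip_int(src_addr)
    for line_no, entry in enumerate(acl, start=1):
        if matches(entry, src):
            return entry.action, line_no
    return "deny", None


# ACL 1 exactly as in the answer above.
ACL_1 = parse_standard_acl([
    "access-list 1 deny 192.168.0.0 0.0.255.255",
    "access-list 1 permit any",
])
# Same ACL with a mistyped wildcard (constructed to show the failure mode).
ACL_1_TYPO = parse_standard_acl([
    "access-list 1 deny 192.168.0.0 0.0.255.25",
    "access-list 1 permit any",
])

# Assumed /24 subnets on the four VLAN subinterfaces.
SUBINTERFACES = {
    "f0/1.10": ipaddress.ip_network("192.168.10.0/24"),
    "f0/1.20": ipaddress.ip_network("192.168.20.0/24"),
    "f0/1.30": ipaddress.ip_network("192.168.30.0/24"),
    "f0/1.40": ipaddress.ip_network("192.168.40.0/24"),
}
# ACL 1 is applied outbound on every VLAN subinterface; the assumed ISP
# interface f0/0 has no ACL, so outbound Internet traffic is never filtered.
OUT_ACL = {name: ACL_1 for name in SUBINTERFACES}
ISP_INTERFACE = "f0/0"


def egress_interface(dst_addr: str) -> str:
    dst = ipaddress.IPv4Address(dst_addr)
    for name, net in SUBINTERFACES.items():
        if dst in net:
            return name
    return ISP_INTERFACE  # default route toward the ISP


def forward(src_addr: str, dst_addr: str):
    """Return (verdict, egress interface, reason) for one packet."""
    iface = egress_interface(dst_addr)
    acl = OUT_ACL.get(iface)
    if acl is None:
        return ("forward", iface, "no outbound ACL")
    action, line_no = evaluate(acl, src_addr)
    verdict = "forward" if action == "permit" else "drop"
    reason = f"ACL 1 line {line_no}" if line_no else "implicit deny"
    return (verdict, iface, reason)


if __name__ == "__main__":
    # Constructed sample packets: VLAN-to-VLAN, VLAN-to-Internet, Internet reply.
    for src, dst in [("192.168.10.5", "192.168.20.5"),
                     ("192.168.10.5", "203.0.113.9"),
                     ("203.0.113.9", "192.168.10.5")]:
        print(src, "->", dst, forward(src, dst))
    print("typo mask, src 192.168.20.5:", evaluate(ACL_1_TYPO, "192.168.20.5"))
```

Running it shows the VLAN 10 to VLAN 20 packet dropped by line 1 on f0/1.20, the outbound Internet packet forwarded untouched via f0/0, and the Internet reply permitted by line 2 on f0/1.10. With the mistyped mask, a source such as 192.168.20.5 falls through to the permit line, so a single wrong digit in the wildcard silently reopens inter-VLAN traffic; checking the ACL with a few known-bad sources after entering it is worth the minute it takes.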
CipherUser (Author) Commented:
Thanks Don!
0