I have two VLANs configured through a multilayer switch and one router with DHCP service. I configured trunk and access ports as shown in the image below.
I need to block traffic between VLANs.
The .gif shows that my network currently allows sending messages between VLAN10 and VLAN20, but they shouldn't see each other.
How can I block that traffic? I already configured subinterfaces and encap dot1q [vlan number].
Thank you for your help!
Cisco Packet Tracer File: dropbox.com/s/y7cplt8l6zpv303/v2.pkt?dl=0
Commands used in another network with the same purpose: docs.google.com/document/d/120PfwrPki67Z2gMxoCz8Z6SidulgLCiUVLU-NqVBq3w/edit#
** ROUTER CONFIG
ip dhcp pool 10
network 172.16.0.0 255.255.255.128
default-router 172.16.0.1
ip dhcp pool 20
network 172.17.0.0 255.255.255.128
default-router 172.17.0.1
ip dhcp pool vlan10
network 172.16.0.0 255.255.255.128
default-router 172.16.0.1
ip dhcp pool vlan20
network 172.17.0.0 255.255.255.128
default-router 172.17.0.1
!
Router#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.116.1.1 YES manual up up
FastEthernet0/0.10 172.16.0.1 YES manual up up
FastEthernet0/0.20 172.17.0.1 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Vlan1 unassigned YES unset administratively down down
Router#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
**** Switch config
interface FastEthernet0/1
switchport trunk allowed vlan 1-19,21-1005
!
interface FastEthernet0/2
switchport trunk allowed vlan 1-9,11-1005
!
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gig0/1, Gig0/2
10 vlan10 active
20 vlan20 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Best Answer
You need an access list to block inter-VLAN traffic. There will be one for each subinterface. For example
If you've never configured access list before, note the following:
The subnet masks in the statement are "wildcard masks." They are the one's complement of a normal mask.
You need to add a line in your access list for every VLAN you want to block.
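The following Python script is an added worked example for the answer above; it is not part of the original answer or of any Cisco tool. It takes the two subnets from the question's DHCP pools (172.16.0.0/25 for VLAN10 and 172.17.0.0/25 for VLAN20), derives the wildcard masks as the one's complement of the subnet masks, renders the extended access list and `ip access-group` lines for each subinterface, and then runs a simplified first-match ACL evaluator (with the implicit deny at the end) over constructed sample packets so you can check that inter-VLAN traffic is dropped while everything else still passes. The ACL name `BLOCK_VLANxx` and the subinterface names are assumptions chosen for the example.

```python
import ipaddress

# Subnets and subinterfaces taken from the question; the ACL naming is an assumption.
VLANS = {
    10: {"network": ipaddress.ip_network("172.16.0.0/25"), "subif": "FastEthernet0/0.10"},
    20: {"network": ipaddress.ip_network("172.17.0.0/25"), "subif": "FastEthernet0/0.20"},
}


def wildcard_mask(network):
    """IOS wildcard mask: bitwise one's complement of the normal subnet mask.
    255.255.255.128 -> 0.0.0.127"""
    inverted = (~int(network.netmask)) & 0xFFFFFFFF
    wildcard = ipaddress.ip_address(inverted)
    # ipaddress already exposes the same value as hostmask; the explicit inversion
    # is kept so the one's-complement rule from the answer is visible.
    assert wildcard == network.hostmask
    return str(wildcard)


def acl_entries(vlan_id):
    """Access-control entries for the subinterface of vlan_id, in IOS order:
    one deny per other VLAN subnet, then permit everything else.
    Each entry is (action, source_network_or_None, destination_network_or_None);
    None means 'any'."""
    src = VLANS[vlan_id]["network"]
    entries = []
    for other_id, other in VLANS.items():
        if other_id != vlan_id:
            entries.append(("deny", src, other["network"]))
    entries.append(("permit", None, None))
    return entries


def render_acl(vlan_id):
    """Render the entries as IOS configuration text, applied inbound on the
    subinterface so hosts in this VLAN cannot reach the other VLAN."""
    name = f"BLOCK_VLAN{vlan_id}"
    lines = [f"ip access-list extended {name}"]
    for action, src, dst in acl_entries(vlan_id):
        if src is None and dst is None:
            lines.append(f" {action} ip any any")
        else:
            lines.append(f" {action} ip {src.network_address} {wildcard_mask(src)} "
                         f"{dst.network_address} {wildcard_mask(dst)}")
    lines.append("!")
    lines.append(f"interface {VLANS[vlan_id]['subif']}")
    lines.append(f" ip access-group {name} in")
    return "\n".join(lines)


def evaluate(entries, src_ip, dst_ip):
    """Simplified IOS ACL semantics: first matching entry wins; if nothing
    matches, the implicit 'deny any any' at the end applies."""
    src_ip = ipaddress.ip_address(src_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        src_ok = src is None or src_ip in src
        dst_ok = dst is None or dst_ip in dst
        if src_ok and dst_ok:
            return action
    return "deny"


def simulate():
    """Constructed sample packets arriving inbound on each subinterface."""
    cases = {
        "vlan10 -> vlan20": (10, "172.16.0.5", "172.17.0.9"),
        "vlan20 -> vlan10": (20, "172.17.0.9", "172.16.0.5"),
        "vlan10 -> internet": (10, "172.16.0.5", "203.0.113.7"),
        "vlan20 -> dhcp broadcast": (20, "0.0.0.0", "255.255.255.255"),
    }
    return {label: evaluate(acl_entries(vlan), s, d)
            for label, (vlan, s, d) in cases.items()}


if __name__ == "__main__":
    for vlan_id in VLANS:
        print(render_acl(vlan_id))
        print("!")
    for label, verdict in simulate().items():
        print(f"{label:28s} {verdict}")
```

Running the script prints the two access lists and shows `vlan10 -> vlan20` and `vlan20 -> vlan10` as `deny` while traffic to other destinations, including the client's DHCP broadcast on the way to the router's pool, is still permitted by the trailing `permit ip any any`. Because each ACL is applied inbound on its own subinterface, adding a third VLAN means adding one more deny line to every existing list, which is the point the answer makes about one line per VLAN you want to block.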