When you create a VLAN and assign an IP address to it with the interface vlan <vlan_number> command, the VLAN becomes a Layer 3 VLAN (a switched virtual interface, or SVI). On a Layer 3 switch with ip routing enabled, hosts in different VLANs can communicate with each other, provided each host uses the IP address of its own VLAN interface as its default gateway. You can use ACLs on the VLAN interfaces to deny communication between the VLANs. Note that an ACL applied to a VLAN interface only filters traffic that is routed through that interface; traffic between hosts in the same VLAN is switched at Layer 2 and is not affected.
This section shows an example of how to isolate the communication between a newly created Layer 3 VLAN and an older VLAN.
In this example, the 3750 switch has two old VLANs (VLAN 1 and VLAN 2) and one newly created VLAN, VLAN 5. All three are Layer 3 VLANs. ACLs are applied so that VLAN 1 and VLAN 2 cannot reach VLAN 5 and VLAN 5 cannot reach VLAN 1 or VLAN 2, while each VLAN can still reach every other destination.
- VLAN 1 - 10.10.10.0 /24
- VLAN 2 - 172.16.1.0 /24
- VLAN 5 - 192.168.1.0 /24
- Create the new VLAN in the VLAN database. In this case the new VLAN is VLAN 5. The configuration changes are applied when you exit VLAN database mode. (VLAN database mode is deprecated in current IOS releases; the vlan 5 command in global configuration mode creates the same VLAN.)

Switch#vlan database
!--- VLAN database mode is one way to create the VLAN;
!--- the vlan 5 command in global configuration mode is the other.
Switch(vlan)#vlan 5
VLAN 5 added:
    Name: VLAN0005
Switch(vlan)#exit
APPLY completed.
Exiting....
- Make sure the VLAN exists in the VLAN database. Check the output of the show vlan command; VLAN 5 should be listed with the name VLAN0005.
- Set an IP address on the newly created VLAN interface. This address is the default gateway for the hosts in VLAN 5.

Switch(config)#interface vlan 5
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Switch(config-if)#no shut
- Configure the physical interfaces that connect the clients to the corresponding VLAN.

Switch(config)#interface fastEthernet 2/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 5
Switch(config-if)#no shut
You need to configure three access lists, one for each VLAN. Each access list is applied inbound on its VLAN interface, so it filters the packets that hosts in that VLAN send toward other networks. Because ACLs are stateless, both directions must be filtered: denying only VLAN 1 to VLAN 5 would still let hosts in VLAN 5 send packets into VLAN 1, and only the replies would be dropped.
- This access list denies traffic from VLAN 1 to VLAN 5 and permits traffic from VLAN 1 to any other destination. Note that the permit entry matches only sources in 10.10.10.0/24; a packet that enters VLAN 1 with any other source address falls through to the implicit deny at the end of the list, which also blocks source-spoofed packets from that VLAN.

Switch#configure terminal
Switch(config)#access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
Switch(config)#access-list 101 permit ip 10.10.10.0 0.0.0.255 any
- This access list denies traffic from VLAN 2 to VLAN 5 and permits traffic from VLAN 2 to any other destination.

Switch#configure terminal
Switch(config)#access-list 102 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Switch(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any
- This access list denies traffic from VLAN 5 to VLAN 1 and VLAN 2 and permits traffic from VLAN 5 to any other destination.

Switch#configure terminal
Switch(config)#access-list 105 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
Switch(config)#access-list 105 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Switch(config)#access-list 105 permit ip 192.168.1.0 0.0.0.255 any
Once the access lists are configured, apply them inbound on interface VLAN 1, interface VLAN 2 and interface VLAN 5. After exit from interface configuration mode you are still in global configuration mode, so configure terminal is needed only once.

Switch#configure terminal
Switch(config)#interface vlan 1
Switch(config-if)#ip access-group 101 in
Switch(config-if)#exit
Switch(config)#interface vlan 2
Switch(config-if)#ip access-group 102 in
Switch(config-if)#exit
Switch(config)#interface vlan 5
Switch(config-if)#ip access-group 105 in
Switch(config-if)#end

Verify that each ACL is attached with show ip interface vlan <vlan_number> (the Inbound access list is line) and review the entries with show access-lists. Then test from a host in VLAN 1 that pings to 192.168.1.0/24 fail while pings to 172.16.1.0/24 still succeed.
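The following is an added example and is not part of the original Cisco document. It is an offline model of the policy configured above: it parses the three numbered extended ACLs exactly as written, models ip access-group N in on each VLAN interface (the ACL sees packets that hosts in that VLAN send toward the switch's routing engine) and evaluates constructed sample flows, including the implicit deny, the anti-spoofing side effect of the permit entries, and what happens if ACL 105 is left off. The function names, the SVI_INBOUND table and the sample host addresses are this example's own.

```python
"""Offline model of the inbound SVI ACLs from this example (added example, not Cisco code)."""
import ipaddress

# The ACL lines as configured on the page (verbatim).
PAGE_ACLS = """
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
access-list 105 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 105 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
"""

# Which ACL is applied inbound on which SVI (from the page's ip access-group commands).
SVI_INBOUND = {"Vlan1": "101", "Vlan2": "102", "Vlan5": "105"}


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_address(tokens, i):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (matcher, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        target = _ip(tokens[i + 1])
        return (lambda ip, t=target: ip == t), i + 2
    base, wildcard = _ip(tok), _ip(tokens[i + 1])
    # Cisco wildcard mask: 1 bits are "don't care", so only the 0 bits are compared.
    care = ~wildcard & 0xFFFFFFFF
    return (lambda ip, b=base & care, c=care: (ip & c) == b), i + 2


def parse_acls(text):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into {N: [(action, src, dst), ...]}."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only protocol 'ip' entries are modelled here
        number, action = tokens[1], tokens[2]
        src, i = _parse_address(tokens, 4)
        dst, _ = _parse_address(tokens, i)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(acl, src, dst):
    """First-match semantics, with IOS's implicit 'deny ip any any' at the end of the list."""
    s, d = _ip(src), _ip(dst)
    for action, src_match, dst_match in acl:
        if src_match(s) and dst_match(d):
            return action
    return "deny"


def forward(acls, svi_inbound, ingress_vlan, src, dst):
    """Verdict for a packet entering the switch from a host on ingress_vlan."""
    number = svi_inbound.get(ingress_vlan)
    if number is None:
        return "permit"  # no ACL on that SVI: the packet is simply routed
    return evaluate(acls.get(number, []), src, dst)


def tcp_handshake_allowed(acls, svi_inbound, client_vlan, client, server_vlan, server):
    """ACLs are stateless: the SYN and the SYN-ACK are filtered independently by each SVI's inbound ACL."""
    syn = forward(acls, svi_inbound, client_vlan, client, server)
    syn_ack = forward(acls, svi_inbound, server_vlan, server, client)
    return syn == "permit" and syn_ack == "permit"


if __name__ == "__main__":
    acls = parse_acls(PAGE_ACLS)
    print(forward(acls, SVI_INBOUND, "Vlan1", "10.10.10.5", "192.168.1.5"))   # deny
    print(forward(acls, SVI_INBOUND, "Vlan1", "10.10.10.5", "172.16.1.5"))    # permit
    # A VLAN 1 host spoofing a VLAN 5 source address hits ACL 101's implicit deny.
    print(forward(acls, SVI_INBOUND, "Vlan1", "192.168.1.9", "172.16.1.5"))   # deny
    # Without ACL 105 the SYN from VLAN 5 gets through; only the reply is dropped by ACL 101.
    without_105 = {k: v for k, v in SVI_INBOUND.items() if k != "Vlan5"}
    print(forward(acls, without_105, "Vlan5", "192.168.1.5", "10.10.10.5"))   # permit
    print(tcp_handshake_allowed(acls, without_105, "Vlan5", "192.168.1.5", "Vlan1", "10.10.10.5"))  # False
```

The last two calls show why the page configures ACL 105 rather than relying on 101 and 102 alone: with only the inbound ACLs on VLAN 1 and VLAN 2, a host in VLAN 5 can still deliver one-way traffic (for example UDP) into VLAN 1, and only the return packets are dropped.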