EdgeSwitch - Limiting Inter-VLAN Routing with Access-Lists
Overview
Readers will learn how to configure Inter-VLAN routing on an EdgeSwitch and limit traffic between the VLANs using Access-Lists.
This article does not apply to the EdgeSwitch X (ES-X) and EdgeSwitch XP (ES-XP) models.
Table of Contents
- Network Diagram
- Configuring Inter-VLAN Routing
- Adding Access-Lists to Limit the Traffic
- Related Articles
Network Diagram
Access-Lists will be used to limit the traffic between VLAN10 (LAN) and VLAN20 (GUEST).
Configuring Inter-VLAN Routing
1. Enter privileged mode.
enable
2. Create the VLANs and VLAN-Interfaces (SVIs).
vlan database
vlan 10,20
vlan routing 10
vlan routing 20
exit
3. Enter configuration mode.
configure
4. Assign the ports to the VLANs created above.
interface 0/2
vlan pvid 10
vlan participation exclude 1,20
vlan participation include 10
exit
interface 0/8
vlan pvid 10
vlan participation exclude 1,20
vlan participation include 10
exit
interface 0/6
vlan tagging 20
vlan participation exclude 1
vlan participation include 10,20
exit
5. Associate the VLAN10 and VLAN20 SVIs with IP addresses and enable routing.
interface vlan 10
ip address 10.0.10.2 255.255.255.0
routing
exit
interface vlan 20
ip address 10.0.20.2 255.255.255.0
routing
exit
6. Globally enable the routing functionality.
ip routing
7. Exit back to privileged mode and write the changes to the startup configuration.
exit
write memory
Adding Access-Lists to Limit the Traffic
After setting up the Inter-VLAN routing configuration above, the clients on VLAN10 and VLAN20 are able to communicate with each other. The next step is to limit this traffic so that the VLAN20 clients can only access the webserver at 10.0.10.10. This will be achieved through the use of an Access-List (ACL).
There are two types of Access-Lists that can be created on EdgeSwitch:
- IP Access-List: matches traffic based on a particular protocol or all IPv4 traffic.
- MAC Access-List: matches traffic based on a MAC address.
1. Enter configuration mode.
configure
2. Create an IP Access-List that only allows traffic from VLAN20 to the server at 10.0.10.10.
ip access-list VLAN20
permit ip 10.0.20.0 0.0.0.255 host 10.0.10.10
deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
permit ip any any
exit
3. Apply the Access-List to VLAN20 in the ingress/in direction.
ip access-group VLAN20 vlan 20 in
4. Exit back to privileged mode and write the changes to the startup configuration.
exit
write memory
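To check what the VLAN20 Access-List above actually does before applying it to a production switch, the following Python script models the three entries exactly as written. This is an added example, not Ubiquiti code or EdgeSwitch output: it assumes the standard ACL semantics that the first matching entry wins and that any packet matching no entry is dropped by an implicit deny (which is why the article ends the list with "permit ip any any"). The sample flows and the 203.0.113.8 internet address are constructed for illustration; the model only matches on protocol, source and destination, so protocol-specific options such as port numbers are out of scope here.

```python
"""Offline model of the EdgeSwitch IP Access-List from this article (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every IPv4 protocol
    src: AddrSpec
    dst: AddrSpec


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the permit/deny lines of an 'ip access-list' block; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(tokens[0], tokens[1], src, dst))
    return entries


def _addr_matches(spec: AddrSpec, ip: str) -> bool:
    addr, wildcard = spec
    care = wildcard ^ 0xFFFFFFFF  # a 1 bit in the wildcard mask means "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(entries: List[AclEntry], src_ip: str, dst_ip: str, proto: str = "ip") -> str:
    """First matching entry wins; with no match the switch's implicit deny applies (assumed)."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if _addr_matches(e.src, src_ip) and _addr_matches(e.dst, dst_ip):
            return e.action
    return "deny"


# The Access-List exactly as configured in the article.
ACL_VLAN20 = """
ip access-list VLAN20
permit ip 10.0.20.0 0.0.0.255 host 10.0.10.10
deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
permit ip any any
exit
"""

# Constructed sample flows entering the switch on VLAN20, where the ACL is applied "in".
SAMPLE_FLOWS = [
    ("10.0.20.5", "10.0.10.10"),   # guest -> the permitted web server
    ("10.0.20.5", "10.0.10.50"),   # guest -> another LAN host
    ("10.0.20.5", "10.0.10.2"),    # guest -> the VLAN10 SVI address
    ("10.0.20.5", "203.0.113.8"),  # guest -> an internet address (constructed)
]


def report(entries: List[AclEntry], flows) -> List[Tuple[str, str, str]]:
    """Return (src, dst, action) for every flow so the result can be inspected or asserted on."""
    return [(s, d, evaluate(entries, s, d)) for s, d in flows]


if __name__ == "__main__":
    acl = parse_acl(ACL_VLAN20)
    for src, dst, action in report(acl, SAMPLE_FLOWS):
        print(f"{src:>12} -> {dst:<12} {action}")
    # Without the closing "permit ip any any", internet-bound guest traffic hits the implicit deny.
    print("without 'permit ip any any':", evaluate(acl[:-1], "10.0.20.5", "203.0.113.8"))
```

Running the script shows that a guest host reaches 10.0.10.10 but nothing else in 10.0.10.0/24 (including the VLAN10 SVI), and that removing the final "permit ip any any" would also cut off internet access, because every IP Access-List ends in an implicit deny. Since the list is applied only in the ingress direction on VLAN20, it sees packets from guests and replies sent by guests, not packets arriving from VLAN10; review both directions when deciding what the filter protects.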
Related Articles
EdgeSwitch - Inter-VLAN Routing
Intro to Networking - How to Establish a Connection Using SSH