EdgeSwitch - Limiting Inter-VLAN Routing with Access-Lists


Overview


Readers will learn how to configure Inter-VLAN routing on an EdgeSwitch and limit traffic between the VLANs using Access-Lists.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeSwitch firmware on all EdgeSwitch models. Familiarity with the Command Line Interface (CLI) and basic networking knowledge are required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. Configuring Inter-VLAN Routing
  3. Adding Access-Lists to Limit the Traffic
  4. Related Articles

Network Diagram



[Network diagram: topology.png]

Access-Lists will be used to limit the traffic between VLAN10 (LAN) and VLAN20 (GUEST).


Configuring Inter-VLAN Routing



CLI: Access the EdgeSwitch Command Line Interface.

1. Enter privileged mode.

enable

2. Create the VLANs and VLAN-Interfaces (SVIs).

vlan database 
vlan 10,20
vlan routing 10
vlan routing 20
exit

3. Enter configuration mode.

configure

4. Assign the ports to the VLANs created above.

interface 0/2
vlan pvid 10
vlan participation exclude 1,20
vlan participation include 10
exit

interface 0/8
vlan pvid 10
vlan participation exclude 1,20
vlan participation include 10
exit

interface 0/6
vlan tagging 20
vlan participation exclude 1
vlan participation include 10,20
exit

NOTE: See our help center article on Inter-VLAN routing (linked under Related Articles below) for more information on configuring Inter-VLAN routing on an EdgeSwitch.

5. Associate the VLAN10 and VLAN20 SVIs with IP addresses and enable routing.

interface vlan 10
ip address 10.0.10.2 255.255.255.0
routing
exit
 
interface vlan 20
ip address 10.0.20.2 255.255.255.0
routing
exit

6. Globally enable the routing functionality.

ip routing

7. Exit back to privileged mode and write the changes to the startup configuration.

exit
write memory

Adding Access-Lists to Limit the Traffic



After setting up the Inter-VLAN routing configuration above, the clients on VLAN10 and VLAN20 are able to communicate with each other. The next step is to limit this traffic so that the VLAN20 clients can only access the webserver at 10.0.10.10. This will be achieved through the use of an Access-List (ACL).

There are two types of Access-Lists that can be created on EdgeSwitch:

  • IP Access-List: Matches traffic based on a particular protocol or all IPv4 traffic.
  • MAC Access-List: Matches traffic based on a MAC address.

CLI: Access the EdgeSwitch Command Line Interface.

1. Enter configuration mode.

configure

2. Create an IP Access-List that only allows traffic from VLAN20 to the server at 10.0.10.10.

ip access-list VLAN20
permit ip 10.0.20.0 0.0.0.255 host 10.0.10.10
deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
permit ip any any
exit

NOTE: Every Access-List ends with an implicit deny statement. The explicit deny entry above blocks VLAN20 from reaching the rest of VLAN10, and the final permit ip any any entry is required so that all other traffic (for example, to the internet) is still allowed.

3. Apply the Access-List to VLAN20 in the ingress/in direction.

ip access-group VLAN20 vlan 20 in

4. Exit back to privileged mode and write the changes to the startup configuration.

exit
write memory
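To check that the Access-List above actually enforces the intended policy before it is committed to a production switch, the following added example (written for this article, not Ubiquiti's code) models the EdgeSwitch ACL semantics in Python: entries are evaluated top to bottom, the first match wins, wildcard masks use 0 bits for "must match" and 1 bits for "ignore", and an unmatched packet hits the implicit deny at the end. It also shows the caveat that the ACL is stateless and bound only to VLAN 20 ingress, so traffic initiated from VLAN10 toward VLAN20 is not filtered at all. The client addresses used are constructed sample values; only the server at 10.0.10.10 and the VLAN subnets come from the article.

```python
import ipaddress
from dataclasses import dataclass

# The Access-List exactly as configured in step 2 of the article.
ACL_TEXT = """
ip access-list VLAN20
permit ip 10.0.20.0 0.0.0.255 host 10.0.10.10
deny ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
permit ip any any
exit
"""


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str


def _take_spec(tokens, i):
    """Consume one address specification starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text):
    """Parse permit/deny lines of an EdgeSwitch-style IP access-list."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip "ip access-list NAME" and "exit"
        action = tokens[0]          # tokens[1] is the protocol ("ip")
        src, i = _take_spec(tokens, 2)
        dst, _ = _take_spec(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def _matches(spec, addr):
    """Wildcard-mask match: bits set to 0 in the mask must be equal."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        network, wildcard = spec.split()[1], "0.0.0.0"
    else:
        network, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def evaluate(acl, src_ip, dst_ip):
    """First matching entry decides; nothing matched means implicit deny."""
    for ace in acl:
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ace.action
    return "deny"


VLAN20_ACL = parse_acl(ACL_TEXT)

# Step 3 binds the list to VLAN 20 ingress only (ip access-group VLAN20 vlan 20 in).
ACL_BY_VLAN = {20: VLAN20_ACL}


def forward_decision(ingress_vlan, src_ip, dst_ip):
    """Decision for a packet entering the switch on the given VLAN."""
    acl = ACL_BY_VLAN.get(ingress_vlan)
    if acl is None:
        return "permit"  # no access-group on this VLAN: nothing is filtered
    return evaluate(acl, src_ip, dst_ip)


if __name__ == "__main__":
    # Constructed sample flows (10.0.20.5 = guest client, 10.0.10.50 = LAN host).
    for vlan, src, dst in [(20, "10.0.20.5", "10.0.10.10"),
                           (20, "10.0.20.5", "10.0.10.50"),
                           (20, "10.0.20.5", "8.8.8.8"),
                           (10, "10.0.10.50", "10.0.20.5")]:
        print(f"vlan {vlan} {src} -> {dst}: {forward_decision(vlan, src, dst)}")
```

The last flow in the usage block is the one to note: because the list is applied only to VLAN 20 ingress and the switch ACL keeps no connection state, a LAN host can still open connections to guest clients. If guests must also be isolated from inbound LAN traffic, a second list applied to VLAN 10 ingress is needed. Dropping the final permit ip any any entry is also easy to test here: with only the first two entries, guest traffic to the internet falls through to the implicit deny.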

Related Articles



EdgeSwitch - Inter-VLAN Routing

Intro to Networking - How to Establish a Connection Using SSH

