Disabling inter-VLAN routing using ACLs

While I was working on a customer's router config, he requested that the following be done:

  • 3 LAN subnets
  • IPs must be assigned by DHCP.
  • All 3 subnets must have access to internet.
  • Devices on one LAN must not be able to communicate with devices on the other two LANs.

As the customer had a Cisco 881, the easiest way to achieve this is one VLAN per subnet, with an inbound ACL on each VLAN interface to block traffic between the subnets. Here's how I did it.


!
! One DHCP pool per LAN; the default-router is the VLAN interface address below.
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
dns-server 220.233.0.3 58.96.1.28 8.8.8.8
default-router 192.168.1.1
!
ip dhcp pool LAN2
network 192.168.2.0 255.255.255.0
dns-server 220.233.0.3 58.96.1.28 8.8.8.8
default-router 192.168.2.1
!
ip dhcp pool LAN3
network 192.168.3.0 255.255.255.0
dns-server 220.233.0.3 58.96.1.28 8.8.8.8
default-router 192.168.3.1
!
! Switch ports: Fa0 stays in the default VLAN 1, Fa1 and Fa2 are placed in VLANs 2 and 3.
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 3
no ip address
!
interface FastEthernet3
no ip address
shutdown
!
! Fa4 is the routed WAN port and the NAT outside interface.
!
interface FastEthernet4
ip address 58.96.0.0 255.255.255.254
ip nat outside
ip virtual-reassembly in
rate-limit output 9800000 1250000 2500000 conform-action transmit exceed-action drop
duplex full
speed 100
!
! One SVI per VLAN; each applies its own ACL to traffic arriving from that LAN.
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
description LAN2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
description LAN3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
!
! PAT all three LANs to the Fa4 address. ACL 1 selects the inside sources;
! 192.168.0.0 0.0.3.255 already covers 192.168.0.0-192.168.3.255, so the
! trailing "permit any" is redundant and makes the list match any source.
!
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 192.168.0.0 0.0.3.255
access-list 1 permit any
!
! Extended ACLs are evaluated top to bottom, first match wins. Each one denies
! its own LAN talking to the other two LANs (including the other VLAN interface
! addresses) and then permits everything else, i.e. traffic bound for the internet.
! The "permit ip any any" must stay last, otherwise the deny entries never match.
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
!
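To confirm that the three ACLs meet the isolation requirement before pushing the config, here is a small added example (not part of the original post and not Cisco's software) that parses the access-list lines above and evaluates them with IOS semantics: wildcard masks, first match wins, implicit deny at the end. VLAN_ACL records which ACL is bound inbound on which VLAN interface, and the host addresses used in the checks are constructed.

```python
import ipaddress
# The three inbound ACLs, copied from the config above and embedded as this example's input.
ACL_CONFIG = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
"""
# ACL bound with "ip access-group <n> in" on each VLAN interface in the config.
VLAN_ACL = {"192.168.1.0/24": "101", "192.168.2.0/24": "102", "192.168.3.0/24": "103"}

def _take(tok):
    """Consume one IOS address spec: 'any' or 'ADDRESS WILDCARD'."""
    return ("any", tok[1:]) if tok[0] == "any" else ((tok[0], tok[1]), tok[2:])

def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[3] != "ip":
            continue  # only numbered extended 'ip' entries are modelled here
        src, rest = _take(tok[4:])
        dst, _ = _take(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def _matches(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    net, wild = spec
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, src, dst in entries:
        if _matches(src_ip, src) and _matches(dst_ip, dst):
            return action
    return "deny"

def allowed(acls, src_ip, dst_ip):
    """Apply the inbound ACL of the VLAN the source host sits on."""
    for subnet, num in VLAN_ACL.items():
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(subnet):
            return evaluate(acls[num], src_ip, dst_ip) == "permit"
    raise ValueError(f"{src_ip} is not on one of the three LANs")
```

The same checks can be rerun against the live `show access-lists` output whenever an entry is added, to catch a permit that lands above the deny lines.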