[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Blocking layer 3 traffic on a Cisco 3560-X switch

Posted on 2010-11-08
4
Medium Priority
?
912 Views
Last Modified: 2012-06-21
I have a 3560X switch that I have routing turned on for and I would like to block all traffic from one specific vlan to all others. I have the following vlans:

VLAN 20 IP Address 10.2.0.14 255.255.0.0
VLAN 23 IP Address 10.23.0.1 255.255.0.0

I have ip routing turned on and I see routes.

I want to block traffic from vlan 23 to vlan 20 and I thought this would work:

access-list 101 deny ip 10.23.0.0 0.0.255.255 any
access-list 101 permit ip any any

vlan 20
ip access-group 101 in

I can still ping 10.2.0.14 from 10.23.0.100.

Ideas?
0
Comment
Question by:lonekawboy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Accepted Solution

by:
Frabble earned 2000 total points
ID: 34086836
The extended access list entries are source then destination.
Your list will deny anything from source 10.23.0.0/16, but you've applied it to incoming traffic on Vlan20 where the source addresses are 10.2.0.0/16, so nothing is blocked.

On Vlan23 you want to block any traffic to Vlan20 and allow any other, so:
access-list 101 deny ip any 10.2.0.0  0.0.255.255

or you could be specific and have:
access-list 101 deny ip 10.23.0.0  0.0.255.255  10.2.0.0  0.0.255.255

and then:
access-list 101 permit ip any any

interface Vlan23
 ip access-group 101 in
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087248
Or you could use your existing ACL and apply it outbound on the VLAN 20 interface.
0
 
LVL 4

Expert Comment

by:ciscocert
ID: 34087419
vlan 23 -> 20

access-list 101 deny ip 10.23.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip any any

int vlan 23
ip access-group 101 in



0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087708
Ciscocert:

Was it really necessary to post the exact same ACL that Frabble posted an hour earlier?
0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question