Solved

Blocking layer 3 traffic on a Cisco 3560-X switch

Posted on 2010-11-08
4
868 Views
Last Modified: 2012-06-21
I have a 3560X switch that I have routing turned on for and I would like to block all traffic from one specific vlan to all others. I have the following vlans:

VLAN 20 IP Address 10.2.0.14 255.255.0.0
VLAN 23 IP Address 10.23.0.1 255.255.0.0

I have ip routing turned on and I see routes.

I want to block traffic from vlan 23 to vlan 20 and I thought this would work:

access-list 101 deny ip 10.23.0.0 0.0.255.255 any
access-list 101 permit ip any any

vlan 20
ip access-group 101 in

I can still ping 10.2.0.14 from 10.23.0.100.

Ideas?
0
Comment
Question by:lonekawboy
  • 2
4 Comments
 
LVL 15

Accepted Solution

by:
Frabble earned 500 total points
ID: 34086836
The extended access list entries are source then destination.
Your list will deny anything from source 10.23.0.0/16, but you've applied it to incoming traffic on Vlan20 where the source addresses are 10.2.0.0/16, so nothing is blocked.

On Vlan23 you want to block any traffic to Vlan20 and allow any other, so:
access-list 101 deny ip any 10.2.0.0  0.0.255.255

or you could be specific and have:
access-list 101 deny ip 10.23.0.0  0.0.255.255  10.2.0.0  0.0.255.255

and then:
access-list 101 permit ip any any

interface Vlan23
 ip access-group 101 in
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087248
Or you could use your existing ACL and apply it outbound on the VLAN 20 interface.
0
 
LVL 4

Expert Comment

by:ciscocert
ID: 34087419
vlan 23 -> 20

access-list 101 deny ip 10.23.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip any any

int vlan 23
ip access-group 101 in



0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087708
Ciscocert:

Was it really necessary to post the exact same ACL that Frabble posted an hour earlier?
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
What is the Router Login page for Comcast? 10.0.0.1? 7 88
Sonicwall routing between VPNs 5 45
The purpose of using BGP 33 73
Looking for good easy switch for lab at home. 13 86
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now