Solved

Blocking layer 3 traffic on a Cisco 3560-X switch

Posted on 2010-11-08
4
861 Views
Last Modified: 2012-06-21
I have a 3560X switch that I have routing turned on for and I would like to block all traffic from one specific vlan to all others. I have the following vlans:

VLAN 20 IP Address 10.2.0.14 255.255.0.0
VLAN 23 IP Address 10.23.0.1 255.255.0.0

I have ip routing turned on and I see routes.

I want to block traffic from vlan 23 to vlan 20 and I thought this would work:

access-list 101 deny ip 10.23.0.0 0.0.255.255 any
access-list 101 permit ip any any

vlan 20
ip access-group 101 in

I can still ping 10.2.0.14 from 10.23.0.100.

Ideas?
0
Comment
Question by:lonekawboy
  • 2
4 Comments
 
LVL 15

Accepted Solution

by:
Frabble earned 500 total points
ID: 34086836
The extended access list entries are source then destination.
Your list will deny anything from source 10.23.0.0/16, but you've applied it to incoming traffic on Vlan20 where the source addresses are 10.2.0.0/16, so nothing is blocked.

On Vlan23 you want to block any traffic to Vlan20 and allow any other, so:
access-list 101 deny ip any 10.2.0.0  0.0.255.255

or you could be specific and have:
access-list 101 deny ip 10.23.0.0  0.0.255.255  10.2.0.0  0.0.255.255

and then:
access-list 101 permit ip any any

interface Vlan23
 ip access-group 101 in
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087248
Or you could use your existing ACL and apply it outbound on the VLAN 20 interface.
0
 
LVL 4

Expert Comment

by:ciscocert
ID: 34087419
vlan 23 -> 20

access-list 101 deny ip 10.23.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip any any

int vlan 23
ip access-group 101 in



0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087708
Ciscocert:

Was it really necessary to post the exact same ACL that Frabble posted an hour earlier?
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now