Solved

Blocking layer 3 traffic on a Cisco 3560-X switch

Posted on 2010-11-08
4
880 Views
Last Modified: 2012-06-21
I have a 3560X switch that I have routing turned on for and I would like to block all traffic from one specific vlan to all others. I have the following vlans:

VLAN 20 IP Address 10.2.0.14 255.255.0.0
VLAN 23 IP Address 10.23.0.1 255.255.0.0

I have ip routing turned on and I see routes.

I want to block traffic from vlan 23 to vlan 20 and I thought this would work:

access-list 101 deny ip 10.23.0.0 0.0.255.255 any
access-list 101 permit ip any any

vlan 20
ip access-group 101 in

I can still ping 10.2.0.14 from 10.23.0.100.

Ideas?
0
Comment
Question by:lonekawboy
  • 2
4 Comments
 
LVL 15

Accepted Solution

by:
Frabble earned 500 total points
ID: 34086836
The extended access list entries are source then destination.
Your list will deny anything from source 10.23.0.0/16, but you've applied it to incoming traffic on Vlan20 where the source addresses are 10.2.0.0/16, so nothing is blocked.

On Vlan23 you want to block any traffic to Vlan20 and allow any other, so:
access-list 101 deny ip any 10.2.0.0  0.0.255.255

or you could be specific and have:
access-list 101 deny ip 10.23.0.0  0.0.255.255  10.2.0.0  0.0.255.255

and then:
access-list 101 permit ip any any

interface Vlan23
 ip access-group 101 in
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087248
Or you could use your existing ACL and apply it outbound on the VLAN 20 interface.
0
 
LVL 4

Expert Comment

by:ciscocert
ID: 34087419
vlan 23 -> 20

access-list 101 deny ip 10.23.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip any any

int vlan 23
ip access-group 101 in



0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087708
Ciscocert:

Was it really necessary to post the exact same ACL that Frabble posted an hour earlier?
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question