?
Solved

Blocking layer 3 traffic on a Cisco 3560-X switch

Posted on 2010-11-08
4
Medium Priority
?
905 Views
Last Modified: 2012-06-21
I have a 3560X switch that I have routing turned on for and I would like to block all traffic from one specific vlan to all others. I have the following vlans:

VLAN 20 IP Address 10.2.0.14 255.255.0.0
VLAN 23 IP Address 10.23.0.1 255.255.0.0

I have ip routing turned on and I see routes.

I want to block traffic from vlan 23 to vlan 20 and I thought this would work:

access-list 101 deny ip 10.23.0.0 0.0.255.255 any
access-list 101 permit ip any any

vlan 20
ip access-group 101 in

I can still ping 10.2.0.14 from 10.23.0.100.

Ideas?
0
Comment
Question by:lonekawboy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Accepted Solution

by:
Frabble earned 2000 total points
ID: 34086836
The extended access list entries are source then destination.
Your list will deny anything from source 10.23.0.0/16, but you've applied it to incoming traffic on Vlan20 where the source addresses are 10.2.0.0/16, so nothing is blocked.

On Vlan23 you want to block any traffic to Vlan20 and allow any other, so:
access-list 101 deny ip any 10.2.0.0  0.0.255.255

or you could be specific and have:
access-list 101 deny ip 10.23.0.0  0.0.255.255  10.2.0.0  0.0.255.255

and then:
access-list 101 permit ip any any

interface Vlan23
 ip access-group 101 in
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087248
Or you could use your existing ACL and apply it outbound on the VLAN 20 interface.
0
 
LVL 4

Expert Comment

by:ciscocert
ID: 34087419
vlan 23 -> 20

access-list 101 deny ip 10.23.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip any any

int vlan 23
ip access-group 101 in



0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34087708
Ciscocert:

Was it really necessary to post the exact same ACL that Frabble posted an hour earlier?
0

Featured Post

Get proactive database performance tuning online

At Percona’s web store you can order full Percona Database Performance Audit in minutes. Find out the health of your database, and how to improve it. Pay online with a credit card. Improve your database performance now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question