Stop Inter-VLAN Routing to only one subnet (DMZ)

Hi,

I have an HP E5406zl core switch, and I'd like to stop one VLAN, my DMZ, from being able to route to the other VLANs. I'll be untagging 2 ports on the switch: one will connect to my VM host for the servers in my DMZ, and the other will uplink to the DMZ port on my firewall. I did a "no ip route 192.168.10.0/24 VLAN 100", which is my DMZ, but when I do a "show ip route", it still shows the DMZ, because it's connected. And I'm still able to ping 192.168.10.1 from the other VLANs. I realize I may need to create an ACL for this, but I've never done one before, just in a Cisco class a long time ago. Here's some of the info from the switch and firewall:

Firewall DMZ IP     192.168.10.2
Core Switch DMZ IP     192.168.10.1 VLAN 100

Other Subnet IPs/VLANs
192.168.1.1  VLAN 10
192.168.3.1  VLAN 30
10.91.86.8    VLAN 160 (Phones)
192.168.40.10   VLAN 400
192.168.50.10   VLAN 500
192.168.60.10   VLAN 600
10.0.0.10   VLAN 700
10.0.1.10   VLAN 800
192.168.254.10   VLAN 1 (Management VLAN)

I've also attached the running config for the core switch (E5406zl), with a "show ip" and "show ip route" at the end of it. I'd appreciate any help I can get with this.

Thanks

Chuck
Attachment: Core-Switch-Running-config-042715.TXT

Asked by davemcclintock123
Stolsie commented:
Hi Chuck

Just checking, but your default route for WAN traffic isn't on 192.168.10.X (VLAN 100), is it?

If it isn't, then:
You can make a VACL.
It's applied to the VLAN you want restricted, direction inbound.
Your rule should look a little like this.
From the config prompt, create your access-list:
<config># ip access-list extended <name>
<config># 10 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
<config># 15 deny ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
<config># 20 deny ip 192.168.10.0 0.0.0.255 10.91.86.0 0.0.0.255
<config># 25 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
<config># 30 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
<config># 35 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
<config># 40 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
<config># 45 deny ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
<config># 50 deny ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
<config># 100 permit ip any any
<config># exit
Then go to your DMZ VLAN:
<vlan 100># ip access-group <name> in

And boom, bar your test getting a reply from the DMZ gateway, everything else should be blocked.
Test with:
# ping <ip address of client on DMZ> source 400
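Wildcard masks are the easy part of this to get wrong: a mistyped octet silently leaves one VLAN reachable, and a wildcard of 0.0.1.255 or 0.0.3.255 quietly matches more than the /24 you had in mind, while the ACL still "looks right" on the screen. The script below is an added example, not code from the thread or from HP; it models the switch's first-match, implicit-deny evaluation for plain `ip` entries written with wildcard masks, and checks an ACL against the VLAN subnets listed in the question. The DMZ host address and the "flawed" ACL variant are constructed for the example (one octet mistyped, two masks wider than /24), and the phone VLAN's /24 mask is an assumption, since the post gives only its SVI address.

```python
"""Check a wildcard-mask extended ACL against the listed VLAN subnets.

Added example. Models first-match evaluation with an implicit deny at the end,
which is how HP ProVision ACLs behave for plain 'ip' entries. Only 'ip' entries
with 'addr wildcard' or 'any' specs are handled.
"""
import ipaddress

DMZ_HOST = "192.168.10.50"   # constructed: any host on the DMZ /24

# Switch SVI address and subnet per internal VLAN (addresses from the question).
INTERNAL = {
    10:  "192.168.1.1/24",
    30:  "192.168.3.1/24",
    160: "10.91.86.8/24",     # mask assumed; the post gives no prefix for the phone VLAN
    400: "192.168.40.10/24",
    500: "192.168.50.10/24",
    600: "192.168.60.10/24",
    700: "10.0.0.10/24",
    800: "10.0.1.10/24",
    1:   "192.168.254.10/24",
}

# Constructed flawed variant: entry 25 has a mistyped octet (192.162), entries 40
# and 45 use wildcards wider than the /24 they are meant to cover.
FLAWED_ACL = """
10 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
15 deny ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 10.91.86.0 0.0.0.255
25 deny ip 192.168.10.0 0.0.0.255 192.162.0.0 0.0.1.255
30 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
35 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
40 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.1.255
45 deny ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.3.255
50 deny ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
100 permit ip any any
"""

# Same list with the typo fixed and every destination tightened to its /24.
FIXED_ACL = FLAWED_ACL.replace("192.162.0.0 0.0.1.255", "192.168.1.0 0.0.0.255") \
                      .replace("192.168.50.0 0.0.1.255", "192.168.50.0 0.0.0.255") \
                      .replace("192.168.60.0 0.0.3.255", "192.168.60.0 0.0.0.255")


def wildcard_to_network(addr, wildcard):
    """'address wildcard' -> network. A wildcard is an inverse mask: 0 bits must
    match, 1 bits are don't-care, so 0.0.0.255 is a /24 and 0.0.1.255 a /23."""
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):                       # e.g. 0.0.1.0: not a prefix-style mask
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_acl(text):
    """Return [(seq, action, src_net, dst_net)] sorted by sequence number."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto, i = int(tok[0]), tok[1], tok[2], 3
        if proto != "ip":
            raise ValueError(f"only plain 'ip' entries handled: {line}")
        nets = []
        for _ in range(2):                # source spec, then destination spec
            if tok[i] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                i += 1
            else:
                nets.append(wildcard_to_network(tok[i], tok[i + 1]))
                i += 2
        aces.append((seq, action, nets[0], nets[1]))
    return sorted(aces)


def lookup(aces, src_ip, dst_ip):
    """First matching entry decides; an ACL with no match ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, src, dst in aces:
        if s in src and d in dst:
            return action, seq
    return "deny", None


def reachable_vlans(aces, src_ip=DMZ_HOST):
    """VLAN ids whose SVI a DMZ host can still reach through this ACL."""
    return sorted(vid for vid, cidr in INTERNAL.items()
                  if lookup(aces, src_ip, str(ipaddress.ip_interface(cidr).ip))[0] == "permit")


def mask_issues(aces):
    """Deny entries whose destination matches none of the listed subnets (a typo)
    or is wider than the subnets it actually covers (a loose wildcard)."""
    listed = [ipaddress.ip_interface(c).network for c in INTERNAL.values()]
    issues = []
    for seq, action, _src, dst in aces:
        if action != "deny":
            continue
        covered = [n for n in listed if n.subnet_of(dst)]
        if not covered:
            issues.append((seq, "stray", str(dst)))
        elif dst.num_addresses > sum(n.num_addresses for n in covered):
            issues.append((seq, "overbroad", str(dst)))
    return issues


if __name__ == "__main__":
    for name, text in (("flawed", FLAWED_ACL), ("fixed", FIXED_ACL)):
        aces = parse_acl(text)
        print(name, "VLANs still reachable from DMZ:", reachable_vlans(aces),
              "mask issues:", mask_issues(aces))
```

Run it and the flawed list reports VLAN 10 as still reachable (the 192.162 entry never matches, so the packet falls through to `permit ip any any`) plus one stray and two over-broad entries; the fixed list reports nothing. The same check is worth repeating whenever a VLAN is added, since a new subnet that nobody adds a deny for is permitted by that final entry, and a DMZ host can still reach addresses outside the list (the firewall and the Internet), which is what the permit is there for.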

davemcclintock123 (Author) commented:
Stolsie,

I configured the ACL today, and it looks like it worked

Thanks

Chuck
davemcclintock123 (Author) commented:
Great quick response
Stolsie commented:
glad it worked :)