Stop Inter-VLAN Routing to only one subnet (DMZ)

davemcclintock123 asked

I have an HP E5406zl core switch on which I'd like to stop one VLAN, my DMZ, from being able to route to the other VLANs. I'll be untagging 2 ports on the switch: one will connect to my VM host for the servers in my DMZ, and the other will uplink to the DMZ port on my firewall. I did a "no ip route VLAN 100", which is my DMZ, but when I do a "show ip route", it still shows the DMZ, because it's connected. And I'm still able to ping from the other VLANs. I realize I may need to create an ACL for this, but I've never done one before, just in a Cisco class a long time ago... Here's some of the info from the switch and firewall:

Firewall DMZ IP
Core Switch DMZ IP VLAN 100

Other subnet IPs/VLANs: VLAN 10, VLAN 30, VLAN 160 (Phones), VLAN 400, VLAN 500, VLAN 600, VLAN 700, VLAN 800, VLAN 1 (Management VLAN)

I've also attached the running config for the core switch (E5406zl), with a "show ip" and "show ip route" at the end of it. I'd appreciate any help I can get with this.


Hi Chuck

Just checking, but your default route for WAN traffic isn't on 192.168.10.X (VLAN 100), is it?

If it isn't, then:
You can make a VACL.
It's applied to the VLAN you want restricted, direction inbound.
Your rule should look a little like this.
From the config prompt, create your access-list:
<config># ip access-list extended <name>
<config># 10 deny ip
<config># 15 deny ip
<config># 20 deny ip
<config># 25 deny ip
<config># 30 deny ip
<config># 35 deny ip
<config># 40 deny ip
<config># 45 deny ip
<config># 50 deny ip
<config># 100 permit ip any any
Then go to your DMZ vlan
<vlan 100># ip access-group <name> inbound

And boom: bar your test getting a reply from the DMZ gateway, everything else should be blocked.
Test with
#ping source 400 <ip address of client on DMZ>
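To show what the ACL above actually does once it is applied inbound on VLAN 100, here is an added Python model of ProCurve-style extended ACL matching (this is example code, not part of the thread and not HP's implementation). It builds the deny-per-subnet list with the closing "permit ip any any", evaluates packets first-match with the implicit deny, and demonstrates why the default-route question at the top of the answer matters. Only the 192.168.10.x DMZ range comes from the answer; the other subnets and hosts are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network  # the <src> <dst> part of "deny ip <src> <dst>"
    dst: ipaddress.IPv4Network

def build_dmz_acl(internal_nets, src=ANY):
    """Same shape as the answer: one deny per internal subnet (seq 10, 15, ...),
    then 'permit ip any any', since an extended ACL ends in an implicit deny.
    src=ANY models 'deny ip any <net>'; src=DMZ models 'deny ip <dmz> <net>'."""
    aces = [Ace(10 + 5 * i, "deny", src, net) for i, net in enumerate(internal_nets)]
    aces.append(Ace(100, "permit", ANY, ANY))
    return aces

def evaluate(acl, src_ip, dst_ip):
    """Inbound lookup on VLAN 100: first matching entry wins, no match = implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in sorted(acl, key=lambda a: a.seq):
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"

# Constructed sample addressing (the post's real addresses were stripped from the
# page); only the 192.168.10.x DMZ range comes from the answer.
DMZ = ipaddress.ip_network("192.168.10.0/24")
INTERNAL = [ipaddress.ip_network(n)                     # VLAN 10, VLAN 30, VLAN 400
            for n in ("10.0.10.0/24", "10.0.30.0/24", "10.4.0.0/24")]
SRC_SPECIFIC = build_dmz_acl(INTERNAL, src=DMZ)   # deny ip 192.168.10.0/24 <net>
SRC_ANY = build_dmz_acl(INTERNAL)                 # deny ip any <net>

def dmz_reachability(acl):
    """What a DMZ host can still reach once the ACL is applied inbound on VLAN 100."""
    return {
        "to_internal": evaluate(acl, "192.168.10.50", "10.0.30.20"),
        "to_dmz_gateway": evaluate(acl, "192.168.10.50", "192.168.10.1"),
        "to_internet": evaluate(acl, "192.168.10.50", "203.0.113.9"),
        # ACLs are stateless: the echo reply to a ping from VLAN 400 is dropped too,
        # which is why 'ping source 400 <dmz host>' in the answer gets no reply.
        "ping_reply_to_vlan400": evaluate(acl, "192.168.10.50", "10.4.0.1"),
    }

def default_route_hazard(acl):
    """The answer's opening question: if Internet return traffic entered on VLAN 100
    (default route next hop on the DMZ VLAN), 'deny ip any <net>' would drop it."""
    return evaluate(acl, "203.0.113.9", "10.0.30.20")
```

Because the ACL is stateless, it blocks both DMZ-initiated traffic and the replies to internal-initiated traffic, so a ping from VLAN 400 into the DMZ fails exactly as the answer predicts.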

I configured the ACL today, and it looks like it worked.

Great quick response.

Glad it worked :)