Stop Inter-VLAN Routing to only one subnet (DMZ)


I have an HP E5406zl Core switch that I'd like to stop one VLAN, my DMZ, from being able to route to the other VLANs.  I'll be untagging 2 ports on the switch, one will connect to my VM host for the servers in my DMZ, and the other will uplink to the DMZ Port on my Firewall.  I did a "no ip route VLAN 100", which is my DMZ, but when I do a "show IP route", it still shows the DMZ, because it's connected.  And I'm still able to ping from the other VLANs.  I realize I may need to create an ACL for this, but I've never done one before, just in Cisco Class a long time ago... Here's some of the info from the switch and Firewall:

Firewall DMZ IP
Core Switch DMZ IP VLAN 100

Other Subnet IPs/VLANs: VLAN 10, VLAN 30, VLAN 160 (Phones), VLAN 400, VLAN 500, VLAN 600, VLAN 700, VLAN 800, VLAN 1 (Management VLAN)

I've also attached the Running Config for the Core Switch (E5406zl), with a show IP and show IP route at the end of it.  I'd appreciate any help I can get with this.



Hi Chuck

Just checking but your default route for WAN traffic isn't on 192.168.10.X  (vlan 100) is it?

If it isn't then:
You can make a vACL.
It's applied to the VLAN you want restricted, direction inbound.
Your rule should look a little like this.
From config prompt create your access-list
<config># ip access-list extended <name>
<config># 10 deny ip
<config># 15 deny ip
<config># 20 deny ip
<config># 25 deny ip
<config># 30 deny ip
<config># 35 deny ip
<config># 40 deny ip
<config># 45 deny ip
<config># 50 deny ip
<config># 100 permit ip any any
Then go to your DMZ vlan
<vlan 100># ip access-group <name> inbound

And boom, bar your test getting a reply from the DMZ gateway, everything else should be blocked.
Test with
#ping source 400 <ip address of client on DMZ>
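To make the ACL logic in the answer above concrete, here is an added example (not the expert's or HP's code) that models the access list as the switch evaluates it, first match wins with an implicit deny at the end, and renders the corresponding ProCurve-style config lines. The DMZ subnet 192.168.10.0/24 is taken from the answer; the subnets for the other VLANs are constructed placeholders, the ACL name DMZ-ISOLATE is made up, and the rendered `ip access-group <name> in` syntax is assumed and should be checked against the switch's own CLI before use. Scoping each deny entry's source to the DMZ subnet, as this example does, means traffic the firewall forwards into VLAN 100 from outside still falls through to the final permit; whether that case arises at all is what the default-route question at the top of the answer checks.

```python
"""Model of a first-match VLAN ACL that stops a DMZ VLAN from reaching the
other routed subnets, plus a renderer for the switch config lines.
Added example; every subnet except the DMZ is constructed."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# DMZ subnet as given in the answer (192.168.10.x on VLAN 100).
DMZ_VLAN = 100
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample subnets for the other VLANs listed in the question.
INTERNAL_NETS = {
    1: ipaddress.ip_network("10.0.1.0/24"),      # management VLAN
    10: ipaddress.ip_network("10.0.10.0/24"),
    30: ipaddress.ip_network("10.0.30.0/24"),
    160: ipaddress.ip_network("10.0.160.0/24"),  # phones
    400: ipaddress.ip_network("10.1.0.0/24"),
    500: ipaddress.ip_network("10.1.1.0/24"),
    600: ipaddress.ip_network("10.1.2.0/24"),
    700: ipaddress.ip_network("10.1.3.0/24"),
    800: ipaddress.ip_network("10.1.4.0/24"),
}


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str  # "deny" or "permit"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def build_dmz_acl(dmz_net, internal_nets, start=10, step=5):
    """One deny per internal subnet (source scoped to the DMZ), then
    permit any any so DMZ hosts can still reach the firewall and the Internet."""
    rules = []
    seq = start
    for net in internal_nets:
        rules.append(Rule(seq, "deny", dmz_net, net))
        seq += step
    rules.append(Rule(100, "permit", ANY, ANY))
    return rules


def evaluate(rules, src_ip, dst_ip):
    """The first matching entry decides; an unmatched packet hits the implicit deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


def _ace_operand(net):
    # An ACE operand is the network address plus wildcard (host) mask, or "any".
    return "any" if net == ANY else f"{net.network_address} {net.hostmask}"


def render_procurve(name, vlan_id, rules):
    """ProCurve-style config text (assumed syntax; verify on the switch CLI)."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        lines.append(f"   {r.seq} {r.action} ip {_ace_operand(r.src)} {_ace_operand(r.dst)}")
    lines.append("   exit")
    lines.append(f"vlan {vlan_id}")
    lines.append(f"   ip access-group {name} in")
    return "\n".join(lines)


DMZ_ACL = build_dmz_acl(DMZ_NET, INTERNAL_NETS.values())

if __name__ == "__main__":
    print(render_procurve("DMZ-ISOLATE", DMZ_VLAN, DMZ_ACL))
    for src, dst in [("192.168.10.50", "10.0.30.10"),   # DMZ host -> internal VLAN
                     ("192.168.10.50", "8.8.8.8"),      # DMZ host -> Internet
                     ("203.0.113.5", "10.0.30.10")]:    # firewall-forwarded reply
        print(f"{src} -> {dst}: {evaluate(DMZ_ACL, src, dst)}")
```

Running the script prints the generated access list followed by three sample verdicts: the DMZ-to-internal packet is denied by its matching entry, the DMZ-to-Internet packet reaches the final permit, and a packet whose source is outside the DMZ subnet is also permitted because no deny entry claims it. Adding a new internal VLAN means adding one more entry to `INTERNAL_NETS`; the sequence numbers step by 5 like the answer's so there is room to insert exceptions later.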

davemcclintock123Author Commented:

I configured the ACL today, and it looks like it worked


davemcclintock123Author Commented:
Great quick response
glad it worked :)