Stop Inter-VLAN Routing to only one subnet (DMZ)

Hi,

I have an HP E5406zl core switch on which I'd like to stop one VLAN, my DMZ, from being able to route to the other VLANs. I'll be untagging two ports on the switch: one will connect to my VM host for the servers in my DMZ, and the other will uplink to the DMZ port on my firewall. I did a "no ip route 192.168.10.0/24 VLAN 100" (VLAN 100 is my DMZ), but when I do a "show IP route" it still shows the DMZ, because it's connected. And I'm still able to ping 192.168.10.1 from the other VLANs. I realize I may need to create an ACL for this, but I've never done one before, just in a Cisco class a long time ago... Here's some of the info from the switch and firewall:

Firewall DMZ IP     192.168.10.2
Core Switch DMZ IP     192.168.10.1 VLAN 100

Other Subnet IPs/VLANs
192.168.1.1  VLAN 10
192.168.3.1  VLAN 30
10.91.86.8    VLAN 160 (Phones)
192.168.40.10   VLAN 400
192.168.50.10   VLAN 500
192.168.60.10   VLAN 600
10.0.0.10   VLAN 700
10.0.1.10   VLAN 800
192.168.254.10   VLAN 1 (Management VLAN)

I've also attached the running config for the core switch (E5406zl), with a "show IP" and "show IP route" at the end of it. I'd appreciate any help I can get with this.

Thanks

Chuck
Core-Switch-Running-config-042715.TXT
davemcclintock123 asked:

Stolsie commented:
Hi Chuck

Just checking, but your default route for WAN traffic isn't on 192.168.10.X (VLAN 100), is it?

If it isn't, then you can make a VACL.
It's applied to the VLAN you want restricted, direction inbound.
Your rule should look a little like this.
From the config prompt, create your access list:
<config># ip access-list extended <name>
<config># 10 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
<config># 15 deny ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
<config># 20 deny ip 192.168.10.0 0.0.0.255 10.91.86.0 0.0.0.255
<config># 25 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.1.255
<config># 30 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
<config># 35 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
<config># 40 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.1.255
<config># 45 deny ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.3.255
<config># 50 deny ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
<config># 100 permit ip any any
Then go to your DMZ VLAN and apply it inbound:
<vlan 100># ip access-group <name> in

And boom: bar your test getting a reply from the DMZ gateway, everything else should be blocked.
Test with:
# ping <ip address of client on DMZ> source 400
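To check what the access list above actually matches before committing it to the switch, here is an added example (written for this page, not code from the thread or from HP) that parses the entries in the same "seq action ip src wildcard dst wildcard" form, evaluates sample DMZ-sourced flows with first-match semantics and an implicit deny, and rewrites each wildcard as CIDR so the size of each denied range is visible. It assumes the entry written as "192.162.0.0 0.0.1.255" was meant to be 192.168.0.0 0.0.1.255 (covering VLAN 10's subnet), and all test addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed copy of the access list from the answer above, with the
# "192.162" entry read as 192.168.0.0 0.0.1.255 (an assumption).
ACL_TEXT = """
10 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
15 deny ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 10.91.86.0 0.0.0.255
25 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.1.255
30 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
35 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
40 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.1.255
45 deny ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.3.255
50 deny ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
100 permit ip any any
"""

Addr = Tuple[str, str]               # (base address, wildcard mask)
Entry = Tuple[int, str, Addr, Addr]  # (sequence, action, src, dst)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Match addr against base/wildcard: a 1 bit in the wildcard means
    'don't care', a 0 bit must match exactly (Cisco/ProCurve semantics)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def wildcard_to_cidr(base: str, wildcard: str) -> str:
    """Rewrite a contiguous wildcard as CIDR so the covered range is obvious
    (0.0.1.255 spans two /24s, 0.0.3.255 spans four)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(ipaddress.IPv4Network((base, 32 - w.bit_length()), strict=False))


def _take_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one address spec: 'any', 'host X', or 'base wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[Entry]:
    """Parse 'seq action ip src-spec dst-spec' lines, ordered by sequence."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        seq, action = int(parts[0]), parts[1]
        src, rest = _take_addr(parts[3:])   # parts[2] is the protocol ('ip')
        dst, _ = _take_addr(rest)
        entries.append((seq, action, src, dst))
    return sorted(entries)


def evaluate(entries: List[Entry], src: str, dst: str) -> Tuple[str, int]:
    """First-match evaluation; a packet matching no entry is denied."""
    for seq, action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, seq
    return "deny", 0


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for seq, action, _, (db, dw) in ACL:
        print(f"{seq:>4} {action:<6} -> {wildcard_to_cidr(db, dw)}")
    # Constructed flows: a DMZ host reaching internal subnets and the internet.
    for dst in ("10.0.0.10", "192.168.1.1", "192.168.51.7", "8.8.8.8"):
        print("192.168.10.50 ->", dst, evaluate(ACL, "192.168.10.50", dst))
```

Two things the CIDR rewrite makes visible: entries 40 and 45 cover 192.168.50.0/23 and 192.168.60.0/22, so neighbouring /24s that are not in the VLAN list are denied as well, and entry 25 as corrected covers 192.168.0.0/23, which is what catches VLAN 10's 192.168.1.0/24. Because the list is applied inbound on VLAN 100, only DMZ-sourced packets are tested against it; a packet sourced from another VLAN falls through to the final permit in this simulation, which is fine in practice because such a packet never enters the switch on VLAN 100.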
davemcclintock123 (author) commented:
Stolsie,

I configured the ACL today, and it looks like it worked

Thanks

Chuck
davemcclintock123 (author) commented:
Great quick response
Stolsie commented:
Glad it worked :)