block / permit intra vlan traffic on 3750

nicanor00
Level 1

Hi All

I have one 3750 switch and many 2960 c switches

I use one ASA 5510 to reach the remote branch site (VPN connection)

I use one 1841 router for the Internet connection

The 1841 router, the ASA and the Catalyst 2960s are connected to the 3750

The default gateway of all users is the ASA IP

I configured Vlan 3750 and it works

Now I need to implement security: permit/block specific traffic between VLANs

interface Vlan53

ip address 192.168.13.126 255.255.255.224

ip helper-address 192.168.1.29

interface Vlan120

ip address 192.168.1.126 255.255.255.192

ip helper-address 192.168.1.29

Objective of my configuration :

Vlan 120 should have full permit on vlan 53 and Vlan 53 should be blocked on vlan 120

All other traffic on the 2 VLANs should be permitted

See below the configuration that I made for these 2 Vlan

ip access-list extended VLAN_120_IN

deny   ip any 192.168.13.126 0.0.0.31

permit ip any any

interface vlan 120

ip access-group VLAN_120_IN in

Result

From vlan 72 I cannot have remote access on computer in vlan 34 and I cannot ping computer in vlan 34

My configuration does not work

Please help

1 Reply

jawad-mukhtar
Level 4

ip access-list extended VLAN_53_IN

deny ip 192.168.13.126 0.0.0.31 192.168.1.126 0.0.0.31

permit ip any any

interface vlan 53

ip access-group VLAN_53_IN in

REMOVE

no ip access-list extended VLAN_120_IN

no deny   ip any 192.168.13.126 0.0.0.31

no permit ip any any

interface vlan 120

no ip access-group VLAN_120_IN in

If this does not work, post your whole config

Jawad
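
An added example, not part of the original thread: a Python check that derives each SVI's subnet and wildcard mask from the `ip address` lines in the post and reports which part of a VLAN an ACE operand leaves unmatched. The function names are hypothetical, and contiguous wildcard masks are assumed.

```python
import ipaddress

# SVI addressing copied from the original post (interface Vlan53 / Vlan120).
SVIS = {
    "Vlan53": ("192.168.13.126", "255.255.255.224"),
    "Vlan120": ("192.168.1.126", "255.255.255.192"),
}

def svi_network(addr, mask):
    """Subnet that an SVI 'ip address <addr> <mask>' line belongs to."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network

def acl_operand(net):
    """Render a subnet as the 'address wildcard' pair used in an extended ACE."""
    return f"{net.network_address} {net.hostmask}"

def ace_network(addr, wildcard):
    """Block of addresses matched by an ACE operand.
    Assumption: the wildcard is contiguous (0.0.0.31, 0.0.0.63, ...)."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    base = a & ~w & 0xFFFFFFFF  # host bits under the wildcard are ignored
    return ipaddress.ip_network((base, 32 - w.bit_length()))

def uncovered(net, addr, wildcard):
    """Parts of the VLAN subnet 'net' that the ACE operand does not match."""
    matched = ace_network(addr, wildcard)
    if matched.supernet_of(net):       # operand covers the whole VLAN
        return []
    if net.supernet_of(matched):       # operand covers only a slice of it
        return sorted(net.address_exclude(matched))
    return [net]                       # operand misses the VLAN entirely

if __name__ == "__main__":
    for name, (addr, mask) in SVIS.items():
        print(name, "->", acl_operand(svi_network(addr, mask)))
    # Operands of the deny line in the reply's VLAN_53_IN list.
    checks = [("Vlan53", "192.168.13.126", "0.0.0.31"),
              ("Vlan120", "192.168.1.126", "0.0.0.31")]
    for name, addr, wc in checks:
        gap = uncovered(svi_network(*SVIS[name]), addr, wc)
        print(f"{name} vs '{addr} {wc}': unmatched =", [str(g) for g in gap])
```

With the addressing from the post, the Vlan120 operand `192.168.1.126 0.0.0.31` matches 192.168.1.96/27 and leaves 192.168.1.64/27 of the /26 unmatched; the wildcard that covers all of Vlan120 is 0.0.0.63.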