ACLs are applied on CoreSwitch with incoming direction. I also tried with outgoing direction.

Hi,

with the ACLs you provided outbound should work but what is puzzling me is the default-gateway that is connected to the 2960, why not link it to the 3750 as anyway I suppose the default-gateway of hosts is the corresponding SVI IP address on the 3750 ?

Could you provide your sanitized config please.

Regards.

Alain

Don't forget to rate helpful posts.

Yes, the default gateway of the hosts is the corresponding SVI IP address on 3750. Here is the config

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime localtime

service password-encryption

!

hostname CORESWITCH

!

boot-start-marker

boot-end-marker

!

switch 1 provision ws-c3750e-24td

system mtu routing 1500

ip routing

!

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

ip ssh source-interface Vlan1

ip ssh version 2

!

interface FastEthernet0

no ip address

no ip route-cache

no ip mroute-cache

shutdown

!

interface GigabitEthernet1/0/1

switchport access vlan 70

!

interface GigabitEthernet1/0/2

switchport access vlan 101

!

interface GigabitEthernet1/0/3

!

interface GigabitEthernet1/0/4

switchport access vlan 70

!

interface GigabitEthernet1/0/5

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/6

!

interface GigabitEthernet1/0/7

switchport trunk encapsulation dot1q

!

interface GigabitEthernet1/0/8

!

interface GigabitEthernet1/0/9

switchport access vlan 70

!

interface GigabitEthernet1/0/10

!

interface GigabitEthernet1/0/11

switchport access vlan 3

!

interface GigabitEthernet1/0/12

switchport access vlan 90

!

interface GigabitEthernet1/0/13

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/14

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/15

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/16

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/17

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/18

switchport access vlan 70

!

interface GigabitEthernet1/0/19

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/20

!

interface GigabitEthernet1/0/21

switchport access vlan 51

!

interface GigabitEthernet1/0/22

!

interface GigabitEthernet1/0/23

switchport access vlan 81

!

interface GigabitEthernet1/0/24

description Link to ServersSwitch

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/0/25

!

interface GigabitEthernet1/0/26

!

interface GigabitEthernet1/0/27

!

interface GigabitEthernet1/0/28

!

interface TenGigabitEthernet1/0/1

!

interface TenGigabitEthernet1/0/2

!

interface Vlan1

ip address 192.168.1.1 255.255.255.0

!

interface Vlan3

ip address 192.168.3.1 255.255.255.0

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan20

ip address 192.168.20.1 255.255.255.0

ip access-group VLAN20 in

no ip route-cache

no ip mroute-cache

!

interface Vlan30

ip address 192.168.30.1 255.255.255.0

ip access-group VLAN30 in

no ip route-cache

no ip mroute-cache

!

interface Vlan40

ip address 192.168.40.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan41

ip address 192.168.41.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan42

ip address 192.168.42.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan50

ip address 192.168.50.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan51

ip address 192.168.51.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan60

ip address 192.168.60.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan70

ip address 192.168.70.1 255.255.255.0

no ip route-cache

interface Vlan70

ip address 192.168.70.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan80

ip address 192.168.80.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan81

ip address 192.168.81.1 255.255.255.248

!

interface Vlan90

ip address 192.168.90.1 255.255.255.224

no ip route-cache

no ip mroute-cache

!

interface Vlan91

ip address 192.168.91.1 255.255.255.224

!

interface Vlan95

ip address 192.168.95.1 255.255.255.224

!

interface Vlan100

ip address 192.168.100.1 255.255.255.0

!

interface Vlan101

ip address 192.168.101.1 255.255.255.0

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.10.10 permanent

!

Extended IP access list VLAN20

    10 permit tcp any any established

    11 permit icmp any any

    20 permit tcp any 192.168.20.0 0.0.0.255 eq 80

    30 permit tcp any 192.168.20.0 0.0.0.255 eq 443

    40 deny ip any any log

!

Extended IP access list VLAN30

    10 permit tcp any any established

    11 permit icmp any any

    20 permit tcp any 192.168.30.0 0.0.0.255 eq 25 110

    30 permit udp any 192.168.30.0 0.0.0.255 eq 53 123

    40 deny ip any any log

!

logging esm config

no cdp advertise-v2

!

line con 0

logging synchronous

line vty 0 4

transport input ssh

line vty 5 15

transport input ssh

!

end

Hi,

can you  modify your ACLs like this:

no ip access-list extended VLAN20

ip access-list extended VLAN20

   permit icmp any any

   permit tcp  192.168.20.0 0.0.0.255 any  eq 80

   permit tcp  192.168.20.0 0.0.0.255 any  eq 443

   deny ip any any log

no ip access-list extended VLAN30

ip access-list extended VLAN30

    permit icmp any any

    permit tcp any 192.168.30.0 0.0.0.255  eq 25 110

    permit udp  192.168.30.0 0.0.0.255 any  eq 53 123

    deny ip any any log

Please tell us exactly what you want to prohibit  because the ACLs may be modified though.

Regards.

Alain

Don't forget to rate helpful posts.