VLAN ACL Query

I wish to add 2 VLANs to an existing Layer 3 switch. I am currently testing using another switch with the same config.

I want them to be able to talk to each other, but not to the main VLAN (VLAN1). I've added ACLs in/out (to allow dest/source of the new VLAN IP ranges) on the new VLAN interfaces (not touched VLAN1) and everything is working as I wish, except that hosts on VLAN1 can still ping the Layer 3 interfaces for the new VLANs that live on the switch, despite the only permit rules being for IPs in the new subnets. They cannot get any further, though. I don't really want the new addresses pingable from production machines, and I would rather not add ACLs to VLAN1.

Any ideas where I am going wrong? Sorry if this is a little vague!
 
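The behaviour described in the post above follows from where an interface ACL is evaluated. A packet filter bound to a VLAN interface only inspects traffic that enters or leaves that interface. A ping from a VLAN1 host to the switch's own address on Vlan-interface 10 enters through Vlan-interface 1 and is consumed by the switch; it never crosses Vlan-interface 10, so neither an inbound nor an outbound filter there is consulted. The only interface-level place to stop it is ingress on VLAN1 (which the poster would rather avoid), or the separate routing instance mentioned later in the thread. The following is an added illustration, not the original poster's configuration: it assumes Comware-style syntax as used on the HP A5500 family, and the VLAN IDs, subnets and ACL numbers are invented for the example. Confirm the exact `packet-filter` syntax, and whether outbound filtering is supported, against the command reference for the specific switch model and software release.

```text
# Assumed addressing (constructed for this example):
#   VLAN1  = 192.0.2.0/24   production, untouched
#   VLAN10 = 10.10.10.0/24  new VLAN, gateway 10.10.10.1 on this switch
#   VLAN20 = 10.10.20.0/24  new VLAN, gateway 10.10.20.1 on this switch
# Comware ACL masks are wildcard (inverse) masks: 0.0.0.255 = /24, 0 = single host.
#
acl number 3010
 description Allow only traffic within and between the two new VLANs
 rule 10 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 20 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
 rule 30 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 40 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
 rule 1000 deny ip
#
interface Vlan-interface10
 ip address 10.10.10.1 255.255.255.0
 packet-filter 3010 inbound
#
interface Vlan-interface20
 ip address 10.10.20.1 255.255.255.0
 packet-filter 3010 inbound
#
# ACL 3010 never sees 192.0.2.50 -> 10.10.10.1 (ICMP echo to the switch's own
# Vlan-interface10 address). That packet arrives on Vlan-interface1 and is
# terminated by the switch, so it neither enters nor leaves Vlan-interface10.
# The only interface-level filter that can drop it is ingress on VLAN1:
acl number 3001
 description Hide the new VLAN interface addresses from production
 rule 10 deny ip destination 10.10.10.1 0
 rule 20 deny ip destination 10.10.20.1 0
 rule 1000 permit ip
#
interface Vlan-interface1
 packet-filter 3001 inbound
```

The first ACL is deliberately written with a single inbound filter on each new interface rather than separate in/out lists: in this direction it catches traffic from the new VLANs towards VLAN1 at ingress, which is where the switch can drop it before routing. The second ACL is the change the poster wanted to avoid; if VLAN1 must stay untouched, isolating the new interfaces in their own routing instance (as discussed below) is the alternative, since an address that has no route from VLAN1 cannot be pinged from it in the first place.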
Thanks for the input, chaps. A second routing instance did cross my mind, but I am not too sure how to do this on an HP 5500G (I should have mentioned the switches I am using!). I will refer to the Layer 3 config documentation.

The ACL creation isn't really an issue; I just wanted to keep the filtering on the new VLAN interfaces. If the IP interface of the new VLAN can be pinged, it's not really the end of the world; the reality is, however, that in the real solution, no hosts will have the switches in question as their default gateway, so there won't be routes to it from production workstations.

Trunking is not required as they all exist on the same single switch so there are no additional connections to allow/deny specific VLANs over.

I will check out how to create a separate routing table.
 