I have two VLANs running on a Cisco 6509 switch.
VLAN 1 is in net 10.1.0.0 255.255.240.0
VLAN 2 is in net 172.31.2.0 255.255.255.0
I want to block VLAN 2 from accessing VLAN 1.
My access-lists are like this:
access-list 101 deny ip 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255
access-list 101 permit ip any any
access-list 101 deny icmp 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255 echo
access-list 101 permit icmp any any
access-list 101 deny tcp 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255 eq 23
access-list 101 permit tcp any any
!
interface vlan 2
 ip access-group 101 in
These ACLs are not working. I have even tried to apply them outbound on VLAN 2. I have also tried to configure the opposite of the ACLs and apply it on int vlan 1, trying with in and out, but still the access-list is not working.
Where am I going wrong? How do I stop the VLANs from communicating without disabling IP routing on my switch?
To prevent users from telnetting to your VTY ports you should create an ACL and apply it to your VTY ports. You need to put some thought into this ACL. If you are on a LAN it's not a big deal: you just select the management range and allow it access. However, if you are on a WAN and may have multiple admin ranges and/or you connect via VPN, you need to take all possible admin address ranges into account. A trick you'll see is that for testing purposes you usually allow all access between your actual devices' admin IPs. This can be a quick way around VTY access lists if you're at a WAN site and have forgotten to allow an address or two for admin purposes. Then you can simply telnet to your router and telnet to the device on the far site that you need access to. This might not be the most secure setup, but it can be a convenient backdoor.
Probably the best feature on the 6509 to accomplish this would be VACL (vlan access control lists). Documentation on this feature can be found at:
! Traffic you want to drop: VLAN 2 sources talking to VLAN 1 destinations.
! 10.1.0.0 255.255.240.0 is a /20, so the wildcard is 0.0.15.255 (the inverse of the mask).
Router(config)# access-list 101 permit ip 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255
! Catch-all ACL to let all other traffic through
Router(config)# access-list 102 permit ip any any
! First identify and drop the traffic from VLAN 2 to VLAN 1
Router(config)# vlan access-map mymap 10
Router(config-access-map)# match ip address 101
Router(config-access-map)# action drop
Router(config-access-map)# exit
! Forward all other traffic (a VACL has an implicit drop, so this sequence is required)
Router(config)# vlan access-map mymap 20
Router(config-access-map)# match ip address 102
Router(config-access-map)# action forward
Router(config-access-map)# exit
! Apply the VLAN map mymap to VLAN 2 (VACLs are not directional; they apply to all traffic in the VLAN)
Router(config)# vlan filter mymap vlan-list 2
One last question: if you are already denying all IP traffic with the first line of your posted ACL, then why do you need the next two lines denying ICMP and TCP?
Hope this helps!
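An added example, not part of this thread and not Cisco's code: a small Python model of the two mechanics the thread turns on, Cisco wildcard-mask matching and first-match ACL evaluation with an implicit deny. It is run against the ACL posted in the question and against a VLAN access-map like the one in the reply above. The addresses, packets and helper names (`Ace`, `evaluate_acl`, `evaluate_vacl`, `dead_entries`) are constructed here for illustration; nothing talks to a switch.

```python
"""Cisco-style ACL / VACL evaluator (constructed example, not from the thread)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'deny tcp 172.31.2.0 0.0.0.255 10.1.0.0 0.0.15.255 eq 23'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol; else "icmp", "tcp", "udp"
    src: str
    src_wc: str                      # wildcard mask for the source
    dst: str
    dst_wc: str                      # wildcard mask for the destination
    dst_port: Optional[int] = None   # "eq N" on the destination port (tcp/udp)
    icmp_type: Optional[str] = None  # e.g. "echo"


def wildcard_from_mask(mask: str) -> str:
    """A Cisco wildcard is the bitwise inverse of the subnet mask: 255.255.240.0 -> 0.0.15.255."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def wc_match(addr: str, net: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; the 0 bits must equal the network bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not (wc_match(pkt["src"], ace.src, ace.src_wc) and wc_match(pkt["dst"], ace.dst, ace.dst_wc)):
        return False
    if ace.dst_port is not None and pkt.get("dport") != ace.dst_port:
        return False
    if ace.icmp_type is not None and pkt.get("icmp_type") != ace.icmp_type:
        return False
    return True


def evaluate_acl(acl: List[Ace], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, index). No match -> implicit deny."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


def dead_entries(acl: List[Ace]) -> List[int]:
    """Indices after the first 'ip any any' entry: with first-match evaluation they are never consulted."""
    for idx, ace in enumerate(acl):
        if ace.proto == "ip" and ace.src_wc == "255.255.255.255" and ace.dst_wc == "255.255.255.255":
            return list(range(idx + 1, len(acl)))
    return []


def evaluate_vacl(access_map: List[Tuple[int, List[Ace], str]], pkt: dict) -> Tuple[str, Optional[int]]:
    """A vlan access-map is a list of (sequence, match ACL, action). The packet takes the action of the
    first sequence whose ACL permits it; a packet permitted by no sequence is dropped (implicit drop)."""
    for seq, acl, action in access_map:
        if evaluate_acl(acl, pkt)[0] == "permit":
            return action, seq
    return "drop", None


ANY = ("0.0.0.0", "255.255.255.255")
VLAN2_TO_VLAN1 = ("172.31.2.0", "0.0.0.255", "10.1.0.0", "0.0.15.255")

# The ACL 101 from the question, entry for entry.
ACL_101 = [
    Ace("deny", "ip", *VLAN2_TO_VLAN1),
    Ace("permit", "ip", *ANY, *ANY),
    Ace("deny", "icmp", *VLAN2_TO_VLAN1, icmp_type="echo"),
    Ace("permit", "icmp", *ANY, *ANY),
    Ace("deny", "tcp", *VLAN2_TO_VLAN1, dst_port=23),
    Ace("permit", "tcp", *ANY, *ANY),
]

# A VLAN access-map in the shape of the reply: sequence 10 drops VLAN2->VLAN1, sequence 20 forwards the rest.
VACL_MYMAP = [
    (10, [Ace("permit", "ip", *VLAN2_TO_VLAN1)], "drop"),
    (20, [Ace("permit", "ip", *ANY, *ANY)], "forward"),
]

# Constructed sample packets.
ECHO_V2_TO_V1 = {"proto": "icmp", "src": "172.31.2.10", "dst": "10.1.5.20", "icmp_type": "echo"}
TELNET_V1_TO_V2 = {"proto": "tcp", "src": "10.1.5.20", "dst": "172.31.2.10", "dport": 23}

if __name__ == "__main__":
    print("wildcard for 255.255.240.0:", wildcard_from_mask("255.255.240.0"))
    print("ACL 101 on echo VLAN2->VLAN1:", evaluate_acl(ACL_101, ECHO_V2_TO_V1))
    print("entries of ACL 101 that can never match:", dead_entries(ACL_101))
    print("VACL on echo VLAN2->VLAN1:", evaluate_vacl(VACL_MYMAP, ECHO_V2_TO_V1))
    print("VACL on telnet VLAN1->VLAN2:", evaluate_vacl(VACL_MYMAP, TELNET_V1_TO_V2))
```

Two things the model makes visible: `dead_entries(ACL_101)` returns the four entries after `permit ip any any`, which the first-match rule can never reach (the point raised in the last reply), and `wc_match("10.1.5.20", "10.1.0.0", "0.0.0.15")` is false while the same check with `0.0.15.255` is true, so a wildcard narrower than the /20 silently exempts most of VLAN 1 from the drop.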