Vlan SVI trouble on Catalyst 4503 Cluster

dimitrov.d
Level 1

Hello experts,

Since there is no way to change the topic I repost this conversation here.

I have this problem:

3 switches - 1 - 4503 and 2 - 3750

They run in a cluster.

There is one 802.1Q trunk from each 3750 to the 4503.

On the 4503 I create 2 VLANs with SVIs.

VLAN 2 - 20.0.0.1/24

VLAN 3 - 30.0.0.1/24

and the default one

VLAN 1 - 192.168.1.x

All interfaces are up/up

Management IP addresses of switches are as follows:

4503 - 192.168.1.2

1st 3750 - 192.168.1.3

2nd 3750 - 192.168.1.4

And here is the problem:

I disable all routing as you may see in the configuration below and all VLANs have connection to each other through the SVI.

Generally I want VLAN 2 to have access to VLAN 1, VLAN 3 to have access to VLAN 1, but restrict access from VLAN 2 to VLAN 3.

Any help will be appreciated, thanks!

Current configuration : 2533 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service compress-config
service sequence-numbers
!
hostname Catalyst4503
!
boot-start-marker
boot system flash bootflash:cat4000-i5s-mz.122-25.EWA12.bin
boot-end-marker
!
no logging console
enable password **********
!
no aaa new-model
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct
qos dbl
qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4
qos map cos 3 to dscp 26
qos map cos 5 to dscp 46
qos
ip subnet-zero
no ip routing
no ip domain-lookup
!
cluster run
cluster enable NRS 0
cluster member 1 mac-address 001e.bee6.3e80
cluster member 2 mac-address 001e.f756.6780
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
vlan internal allocation policy descending
!
policy-map autoqos-voip-policy
 class class-default
  dbl
!
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
!
interface GigabitEthernet2/2
!
interface GigabitEthernet2/3
 switchport mode trunk
 switchport nonegotiate
 service-policy output autoqos-voip-policy
 qos trust cos
 auto qos voip trust
 tx-queue 3
  priority high
  shape percent 33
 macro description cisco-switch
 spanning-tree link-type point-to-point
!
interface GigabitEthernet2/4
 switchport mode trunk
 switchport nonegotiate
 service-policy output autoqos-voip-policy
 qos trust cos
 auto qos voip trust
 tx-queue 3
  priority high
  shape percent 33
 macro description cisco-switch
 spanning-tree link-type point-to-point
!
interface GigabitEthernet2/5
!
interface GigabitEthernet2/6
!
interface GigabitEthernet2/7
!
interface GigabitEthernet2/8
!
interface GigabitEthernet2/9
!
interface GigabitEthernet2/10
!
interface GigabitEthernet2/11
!
interface GigabitEthernet2/12
!
interface GigabitEthernet2/13
!
interface GigabitEthernet2/14
!
interface GigabitEthernet2/15
!
interface GigabitEthernet2/16
!
interface GigabitEthernet2/17
!
interface GigabitEthernet2/18
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
interface Vlan2
 ip address 20.0.0.1 255.255.255.0
 no ip route-cache
!
interface Vlan3
 ip address 30.0.0.1 255.255.255.0
 no ip route-cache
!
interface Vlan6
 ip address 60.0.0.1 255.0.0.0
 no ip route-cache
 shutdown
!
ip http server
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 password test
 login
 length 0
!
!
end

Catalyst4503#
Catalyst4503#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Catalyst4503(config)#no ip routing
Catalyst4503(config)#end
Catalyst4503#write
Building configuration...


ohassairi
Level 5

Did you try to use access-lists?

Why did you disable routing? That has no sense: disabling routing and having many L3 interfaces at the same time.

No, but after you pointed me to that method I managed to restrict inter-VLAN communication by means of a VACL.

Thank you very much.
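The policy the original post asks for (VLAN 2 and VLAN 3 each reach VLAN 1, but not each other), written as a VACL on the 4503. This is an added example, not the configuration the poster actually applied; the ACL and access-map names are made up, and it assumes inter-VLAN routing is enabled on the 4503 (the 20.0.0.0/24, 30.0.0.0/24 and 192.168.1.0/24 subnets are only reachable from each other through the SVIs).

```ios
! Added example (not the poster's configuration). Names are made up.
! The extended ACL only selects traffic between the VLAN 2 and VLAN 3
! subnets, in both directions; in a VACL "permit" means "match", and the
! access-map decides what happens to the matched packets.
ip access-list extended V2-V3-TRAFFIC
 permit ip 20.0.0.0 0.0.0.255 30.0.0.0 0.0.0.255
 permit ip 30.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
!
! Sequence 10: anything selected by the ACL is dropped.
vlan access-map BLOCK-V2-V3 10
 match ip address V2-V3-TRAFFIC
 action drop
! Sequence 20: no match clause means "everything else", which is
! forwarded, so traffic to and from VLAN 1 (192.168.1.0/24) still passes.
vlan access-map BLOCK-V2-V3 20
 action forward
!
! Bind the map to VLANs 2 and 3 only. A VACL filters traffic bridged
! within or routed into/out of the listed VLANs, so the routed path
! between VLAN 2 and VLAN 3 is caught on ingress in either VLAN, and
! VLAN 1 itself is never filtered.
vlan filter BLOCK-V2-V3 vlan-list 2,3
!
! Verification after applying (exec mode):
!   show vlan access-map
!   show vlan filter
```

A quick functional check is a ping from a VLAN 2 host to 30.0.0.1 (should fail) and to 192.168.1.2 (should succeed); if VLAN 1 reachability also breaks, the access-map is missing its final forward entry.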
