networking-forum.com
All times are UTC - 6 hours [ DST ]
 Post subject: inter VLAN communication
PostPosted: Thu Jan 03, 2013 10:22 pm 
New Member

Joined: Sat Dec 29, 2012 12:47 am
Posts: 28
Certs: CCNA, CCNP, CCDA
I have a customer who has VLANs and SVIs residing on a core 6509. The 6509 is connected to an ASA 5515, then out to the internet/SP edge device.

IP routing is not turned on.

There is a static route on the 6509 that routes all IPs to the inside interface of the ASA 5515 that the 6509 core is connected to.

There is a set of VLANs that are part of a 192.168.128.0/19 subnet, and all those VLANs can "speak" to each other.

How do I make it so that one VLAN can't talk to the rest, but everyone else can talk to that VLAN?


PostPosted: Thu Jan 03, 2013 10:51 pm 
Junior Member

Joined: Tue Dec 01, 2009 9:07 pm
Posts: 75
Certs: CCNP, VMware VCP
You could use ACLs on the SVIs, or VACLs.


PostPosted: Fri Jan 04, 2013 4:46 am 
Ultimate Member

Joined: Thu Jan 13, 2011 5:10 pm
Posts: 985
Location: Leeds, UK
Certs: CCIE R&S #38338, CCNP, CCIP
One option would be to add ACLs on the VLANs on the 6509, as dschuemann said above.

Another would be to get the ASA to do all the routing by trunking all the VLANs down to the ASA and then having it be the GW for all the VLANs; that way you could get way more granular with your inter-VLAN traffic.

It really comes down to traffic patterns: if you have a LOT of traffic going between VLANs then the first option is going to be better, as the ASA would most likely be your bottleneck.

_________________
---
David
CCIE R&S #38338, CCIP, CCNP

http://networkbroadcast.co.uk - My Blog
http://twitter.com/davidrothera


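A sketch of the second option David describes, added here as an example; it is not David's or the original poster's configuration. The 6509 stays layer 2, the VLANs are trunked to the ASA, and the ASA holds the gateway address for each VLAN. VLAN 63 and its 192.168.140.0/24 come from the thread; the trunk interface, the second VLAN (10, 192.168.130.0/24, assumed to be another /24 carved from the site's /19), the nameif values, gateway addresses and security levels are assumptions, and the outside interface, NAT and default route are left out. Because the ASA tracks connections, only the initiating direction has to be written: one deny on the vendor interface stops VLAN 63 from opening anything toward the site range, while replies to sessions the other VLANs open toward VLAN 63 are allowed by the connection table rather than by an ACL line.

```cisco
! Added example, not configuration from the thread. VLAN 63 / 192.168.140.0/24
! comes from the thread; everything else here (interface numbers, VLAN 10 and
! its subnet, nameif values, gateway addresses, security levels) is assumed.
! Outside interface, NAT and the default route are omitted.
!
! The link from the 6509 is an 802.1Q trunk; each VLAN becomes a subinterface
! and the ASA is the default gateway for the hosts in that VLAN.
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.63
 vlan 63
 nameif vendor
 security-level 50
 ip address 192.168.140.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
! Two interfaces at the same security level do not pass traffic to each other
! until this is set.
same-security-traffic permit inter-interface
!
! Vendor VLAN: may not open anything toward the site range, may go anywhere
! else (the internet). The deny also covers 192.168.140.0/24 itself, which is
! harmless: traffic between two vendor hosts stays inside VLAN 63 and never
! reaches the ASA. Replies to sessions that other VLANs open toward vendor
! hosts are matched by the ASA's connection table, not by this list.
access-list VENDOR_IN extended deny ip 192.168.140.0 255.255.255.0 192.168.128.0 255.255.224.0
access-list VENDOR_IN extended permit ip 192.168.140.0 255.255.255.0 any
access-group VENDOR_IN in interface vendor
!
! Other VLANs are unrestricted, including toward the vendor VLAN.
access-list USERS_IN extended permit ip 192.168.130.0 255.255.255.0 any
access-group USERS_IN in interface users
```

The price of this design is the one David names: every inter-VLAN packet now crosses the ASA, so its throughput, not the 6509 backplane, bounds the inter-VLAN traffic.
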
PostPosted: Fri Jan 04, 2013 7:10 am 
Member

Joined: Fri Dec 28, 2012 9:37 am
Posts: 121
Location: NYC Metro, USA
Isn't this what Private VLANs are designed for? The larger set of VLANs would be "promiscuous" and talk to all others, while the isolated one would be "private". There are different levels of privacy, too, even within the VLAN. I'm just starting to work with this for an upcoming project so am no authority, but it sounds like it could be a viable option.

Glenn

_________________
Lost: Rocket, appx 8' tall, Green w/ yellow fins, nose, and computer bay.. Last seen streaking skyward in NY


PostPosted: Fri Jan 04, 2013 8:07 am 
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8303
Location: Frederick MD
Certs: Instanity
gbarnas wrote:
Isn't this what Private VLANs are designed for? The larger set of VLANs would be "promiscuous" and talk to all others, while the isolated one would be "private". There are different levels of privacy, too, even within the VLAN. I'm just starting to work with this for an upcoming project so am no authority, but it sounds like it could be a viable option.

Glenn


PVLANs are a bit more complex than that.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw


PostPosted: Fri Jan 04, 2013 1:10 pm 
New Member

Joined: Sat Dec 29, 2012 12:47 am
Posts: 28
Certs: CCNA, CCNP, CCDA
VLAN 63 - Vendor - 192.168.140.0/24

! 192.168.135.4 is the IP address of the inside interface of the firewall
access-list 100 permit ip 192.168.140.0 0.0.0.255 host 192.168.135.4
access-list 100 deny ip 192.168.140.0 0.0.0.255 any

vlan access-map Vendor_VLAN_Restriction 100
 match ip address 100
 action drop
exit
vlan filter Vendor_VLAN_Restriction vlan-list 63

Would it be something like that? Would that also block the other VLAN from accessing VLAN 63?


PostPosted: Fri Jan 04, 2013 2:06 pm 
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8303
Location: Frederick MD
Certs: Instanity
joshik wrote:
access-list 100 permit ip 192.168.140.0 0.0.0.255 host 192.168.135.4 (IP address of inside interface of the firewall)


Broadcast traffic would get to the gateway, doubt it would matter though.



PostPosted: Fri Jan 04, 2013 7:26 pm 
New Member

Joined: Sat Dec 29, 2012 12:47 am
Posts: 28
Certs: CCNA, CCNP, CCDA
Yeah, that VLAN still needs to be able to get out to the internet. Would the second line deny any traffic within its own VLAN? Would I have to create a line to allow traffic within its own VLAN subnet?

ristau5741 wrote:
joshik wrote:
access-list 100 permit ip 192.168.140.0 0.0.0.255 host 192.168.135.4 (IP address of inside interface of the firewall)

Broadcast traffic would get to the gateway, doubt it would matter though.


PostPosted: Fri Jan 04, 2013 8:58 pm 
Post Whore

Joined: Fri Nov 13, 2009 5:15 pm
Posts: 1957
Location: Pittsburgh
Certs: CCIE R&S,CCIP,JNCIA,VCP510
You are going to have to change your VACL around a bit. You have to specify the traffic you want to permit first, then deny it in the VACL. But an easier option would be to just run the ACLs where the layer 3 is, on the ASA, where it should be.

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!


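The ordering danielhertzberg describes, written out as an added example; this is not the original poster's config and not something anyone in the thread posted. The addresses are the ones the thread gives (VLAN 63 is 192.168.140.0/24, the ASA inside interface is 192.168.135.4, the rest of the site is 192.168.128.0/19); the ACL and access-map names are mine. Two points the original attempt runs into are handled here. First, in a VACL the permit entries of the matched ACL select the packets the clause's action applies to, a deny entry only sends the packet on to the next clause, and a packet that matches no clause at all is dropped, so the traffic to keep has to be matched by a forward clause before the drop clause, and the map needs a final forward-all clause or traffic from the other VLANs into VLAN 63 (and VLAN 63's internet traffic) disappears too. Second, a VACL is stateless: the vendor VLAN's replies to connections opened from other VLANs look like vendor-to-site traffic, so the example keeps TCP replies with an established entry (check that your supervisor honours TCP flags in VACL lookups before relying on it); UDP and ICMP replies would still be dropped, which is the reason the stateful ASA is the cleaner enforcement point. Since IP routing is off on the 6509, an ACL on the SVI would only see routed traffic; on the switch side the VACL is the tool that applies to bridged traffic in the VLAN.

```cisco
! Added example; not the original poster's configuration. Addresses are the
! ones given in the thread, the ACL and access-map names are mine.
!
! Clause 10: traffic from VLAN 63 that is allowed to leave the VLAN or stay in
! it. Packets bound for the internet carry a public destination address, match
! neither of the first two ACLs, and fall through to clause 30; the entry for
! 192.168.135.4 only covers traffic addressed to the ASA itself.
ip access-list extended VENDOR_FORWARD
 remark traffic addressed to the ASA inside interface itself
 permit ip 192.168.140.0 0.0.0.255 host 192.168.135.4
 remark vendor hosts talking to each other (the /24 sits inside the /19)
 permit ip 192.168.140.0 0.0.0.255 192.168.140.0 0.0.0.255
 remark TCP replies to sessions opened from other VLANs; stateless, so
 remark UDP and ICMP replies are not covered. Verify that your supervisor
 remark honours TCP flags in VACL lookups before relying on this line.
 permit tcp 192.168.140.0 0.0.0.255 192.168.128.0 0.0.31.255 established
!
! Clause 20: anything else VLAN 63 sends into the site range.
ip access-list extended VENDOR_TO_SITE
 permit ip 192.168.140.0 0.0.0.255 192.168.128.0 0.0.31.255
!
! Clause 30: everything not matched above, including packets arriving from
! other VLANs into VLAN 63. Without it the map's implicit deny drops them.
ip access-list extended ANY_IP
 permit ip any any
!
! Order matters: the first clause whose ACL permits the packet decides its
! fate. A deny inside one of these ACLs does not drop anything, it just
! sends the packet on to the next clause.
vlan access-map VENDOR_VLAN_RESTRICTION 10
 match ip address VENDOR_FORWARD
 action forward
vlan access-map VENDOR_VLAN_RESTRICTION 20
 match ip address VENDOR_TO_SITE
 action drop
vlan access-map VENDOR_VLAN_RESTRICTION 30
 match ip address ANY_IP
 action forward
!
vlan filter VENDOR_VLAN_RESTRICTION vlan-list 63
```

Confirm the map and its binding with show vlan access-map and show vlan filter, then test from a vendor host and from a host in another VLAN in both directions: a TCP service on a vendor host should be reachable from the other VLANs, while the vendor host should only reach the internet and its own subnet.
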