
Securing VLAN so it has limited access

Status
Not open for further replies.

disturbedone (Vendor), Sep 28, 2006, AU
I have a feeling this can be done but I'm not exactly sure how it can be achieved. Not sure if it would be done in the Catalyst router or the ASA (or parts in both).

Scenario:
• ASA5520 as firewall. Interface GiEth0/0 security-level 100 as 'inside network', interface GiEth0/1 security-level 0 as 'outside network', interface GiEth0/2 security-level 100 as 'dmz network'. IP 10.15.0.1/16
• Catalyst 4507 as core router. IP 10.10.32.88/16 (VLAN10). Multiple VLANs: 11 (10.11.x.x/16), 20 (10.20.x.x/16), etc.
• DHCP server on VLAN11 (10.11.0.7/16). All VLANs have an ip-helper address pointing to it.
• I want to create VLAN80 (10.80.x.x/16) and allow it DHCP but stop traffic to all other VLANs (including servers on the same VLAN as the DHCP server) but still allow Internet.
I've read a bit about the security-level feature: giving one VLAN a higher value than another to restrict access, but VLANs aren't defined in the ASA, only in the Catalyst. This feature isn't available in the Catalyst for some reason.

Any ideas on how this could be achieved?
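One way to meet the requirement in the question, as an added example that is not from any poster in this thread: because the Catalyst 4507 does the inter-VLAN routing, a router ACL on the VLAN 80 SVI can admit DHCP to the relay, drop everything addressed to the other internal VLANs, and let the remainder flow to the ASA for the Internet. The SVI address 10.80.0.1 is an assumption (the question gives only 10.80.x.x/16); the DHCP server 10.11.0.7 and the 10.x.x.x addressing of the other VLANs are taken from the question.

```cisco
! Added example, not configuration from the thread.
! Assumed: VLAN 80 SVI is 10.80.0.1/16; DHCP server is 10.11.0.7 (from the question);
! every other internal VLAN lives somewhere inside 10.0.0.0/8 (from the question).
!
ip access-list extended VLAN80-IN
 remark -- DHCP: initial client broadcasts hit the relay, renewals go unicast to the server
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp any eq bootpc host 10.11.0.7 eq bootps
 remark -- Let hosts reach their own default gateway (ping/troubleshooting)
 permit ip any host 10.80.0.1
 remark -- If DNS is hosted on an internal VLAN, permit that server explicitly here,
 remark -- otherwise "Internet allowed" will not work in practice. Placeholder:
 ! permit udp any host <DNS-SERVER-IP> eq domain
 remark -- Block every other internal VLAN, including the VLAN 11 servers
 deny   ip any 10.0.0.0 0.255.255.255
 remark -- Everything that is left is routed toward the ASA and the Internet
 permit ip any any
!
interface Vlan80
 description Restricted user VLAN (DHCP + Internet only)
 ip address 10.80.0.1 255.255.0.0
 ip helper-address 10.11.0.7
 ip access-group VLAN80-IN in
!
```

The ACL is applied inbound on the SVI, so it filters what VLAN 80 hosts send toward the rest of the network; the DHCP permits must come first because the broadcast DISCOVER is received on this interface before the helper relays it. It does not touch traffic between two hosts inside VLAN 80 (that never reaches the SVI), nor return traffic from the Internet, which enters the switch from the ASA side. The 10.80.0.0/16 subnet still has to be covered by the ASA's inside NAT and any inside-to-outside access list. After applying it, `show access-lists VLAN80-IN` shows per-entry hit counts, which is the quickest way to confirm that DHCP is being permitted and cross-VLAN attempts are landing on the deny line.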
 
dmz I'd put at 50 and create ACLs from dmz to inside if need be. Having two interfaces on the same security level creates unique situations you don't want to have to deal with, unless you click the two check boxes allowing devices to talk to each other between the same security level under the interfaces menu, or use the CLI...

As for the interfaces, you connect the ASA to the 'core' (take 2 to be on the safe side for port failures, and create a port-channel interface on the ASA and a channel-group on the 'core').
Click add interface,
you can drop down to port-channel and then create VLAN interfaces... sub-interfaces really. You match VLAN numbers, and on the 'core' you trunk them to the ASA on the proper channel-group...


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 