VLANs Routing/Access-list interesting problem

Unanswered Question
May 9th, 2007
I have a cisco WS-C3550-24-SMI running ip routing.


I have three customers and they fall in their own vlans as listed:

interface FastEthernet0/10
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface Vlan10
 description cust2
 ip address 1.1.6.37 255.255.255.252
 ip access-group inbound in
 ip access-group outbound out
!
interface FastEthernet0/11
 switchport access vlan 11
 no ip address
 spanning-tree portfast
!
interface Vlan11
 description cust3
 ip address 1.1.7.41 255.255.255.252
 ip access-group inbound in
 ip access-group outbound out


Then I have another vlan, the one pointing to the router:

interface FastEthernet0/1
 switchport access vlan 14
 no ip address
 load-interval 30
 duplex full
 speed 100
 spanning-tree portfast
!
interface Vlan14
 description wireless
 ip address 192.168.1.1 255.255.255.0
 ip access-group inbound in
 ip access-group outbound out

This all worked fine. The problem is that there is traffic on the physical ports but I can't see traffic on the VLAN. For example, when I execute the command show interface vlan 14, I just see some kB of traffic while there is more than 10 Mb of traffic on Fe 0/1. Same for the other vlans.

Also, the access-lists are not working properly. How do you guys use switches when you need to use your switch as an inter-vlan router with access-lists on a vlan or port basis?


Jon Marshall Wed, 05/09/2007 - 22:34
Hi


Bear in mind that you will only get traffic going across the vlan interface if it needs to be routed. So a server within the vlan communicating with another server in the same vlan will not traverse the layer 3 vlan interface.


You should apply access-lists to your vlan interfaces if you want to filter traffic between vlans. The best way to think of it is:


Inbound access-list on vlan interface is traffic coming from that vlan and being routed off to another destination.


Outbound access-list on vlan interface is traffic coming from a remote destination and being routed onto the vlan.


HTH


Jon
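The two rules Jon gives above (inbound on an SVI sees traffic leaving that vlan to be routed; outbound sees traffic being routed onto it; intra-vlan traffic never touches the SVI at all) as an added example that is not part of the original thread. It is a small Python model of the poster's switch: the SVI names and subnets follow the config in the question, while the ACL policy, the hosts, the Internet address 203.0.113.9 and the assumption that the default route leaves via Vlan14 are constructed for illustration.

```python
"""Where router ACLs on SVIs are evaluated, and which traffic they see.

Constructed model for this thread, not code from the original post: SVI
names and subnets follow the poster's config; the policy, hosts and the
assumption that the default route leaves via Vlan14 are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# SVIs from the post; subnets derived from the /30 and /24 addresses shown.
SVIS: Dict[str, IPv4Network] = {
    "Vlan10": ip_network("1.1.6.36/30"),     # cust2
    "Vlan11": ip_network("1.1.7.40/30"),     # cust3
    "Vlan14": ip_network("192.168.1.0/24"),  # towards the upstream router
}
UPLINK_SVI = "Vlan14"   # assumption: default route points out of Vlan14
ANY = ip_network("0.0.0.0/0")
CUST2 = SVIS["Vlan10"]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "ip"            # "ip", "tcp" or "udp"
    dport: Optional[int] = None


def pkt(src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dport)


@dataclass(frozen=True)
class Ace:
    """One line of an IOS extended ACL, e.g. 'deny tcp any any eq 25'."""
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches every protocol
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dport: Optional[int] = None  # 'eq <port>' on the destination

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if p.src not in self.src or p.dst not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First matching ACE decides; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


def svi_for(addr: IPv4Address) -> str:
    """SVI whose subnet contains addr, else the uplink SVI (default route)."""
    for name, net in SVIS.items():
        if addr in net:
            return name
    return UPLINK_SVI


Policy = Dict[str, Dict[str, List[Ace]]]   # svi -> {"in": [...], "out": [...]}
PERMIT_ALL = [Ace("permit")]              # an SVI with no ACL applied


def forward(p: Packet, policy: Policy, counters: Dict[str, int]) -> str:
    """Return 'switched', 'permitted' or 'dropped:<svi>:<direction>'.
    counters[svi] counts packets that cross that SVI as ingress or egress."""
    ingress, egress = svi_for(p.src), svi_for(p.dst)
    if ingress == egress:
        return "switched"   # same VLAN: bridged at L2, no SVI, no router ACL
    counters[ingress] += 1
    # Inbound ACL on the ingress SVI: traffic leaving that VLAN to be routed.
    if not acl_permits(policy.get(ingress, {}).get("in", PERMIT_ALL), p):
        return f"dropped:{ingress}:in"
    # Outbound ACL on the egress SVI: traffic being routed onto that VLAN.
    if not acl_permits(policy.get(egress, {}).get("out", PERMIT_ALL), p):
        return f"dropped:{egress}:out"
    counters[egress] += 1
    return "permitted"


# Constructed per-customer policy, applied only on cust2's SVI.
POLICY: Policy = {
    "Vlan10": {
        "in":  [Ace("deny", "tcp", dport=25),             # cust2 may not send SMTP out
                Ace("permit", "ip", src=CUST2)],          # anything else sourced by cust2
        "out": [Ace("deny", "tcp", dst=CUST2, dport=23),  # no telnet into cust2 from outside
                Ace("permit", "ip", dst=CUST2)],
    },
}

SAMPLE = [  # constructed traffic; 203.0.113.9 stands in for an Internet host
    pkt("1.1.6.38", "203.0.113.9", "tcp", 80),       # cust2 browsing out
    pkt("1.1.6.38", "203.0.113.9", "tcp", 25),       # cust2 sending SMTP out
    pkt("203.0.113.9", "1.1.6.38", "tcp", 23),       # telnet into cust2
    pkt("203.0.113.9", "1.1.6.38", "tcp", 443),      # https into cust2
    pkt("203.0.113.9", "1.1.7.42", "tcp", 443),      # https into cust3 (no ACL)
    pkt("192.168.1.10", "192.168.1.20", "udp", 53),  # host to host inside Vlan14
]


def run(packets: List[Packet], policy: Policy) -> Tuple[List[str], Dict[str, int]]:
    counters = {name: 0 for name in SVIS}
    return [forward(p, policy, counters) for p in packets], counters


if __name__ == "__main__":
    results, counters = run(SAMPLE, POLICY)
    for p, r in zip(SAMPLE, results):
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {r}")
    print("packets seen per SVI:", counters)
```

Running it prints one verdict per packet and the per-SVI counts. The host-to-host packet inside Vlan14 comes back as "switched" and increments nothing, which is Jon's first point; the SMTP packet from cust2 is stopped by the inbound ACL on Vlan10 before it is routed anywhere, and the telnet attempt towards cust2 is stopped by the outbound ACL on Vlan10 on its way onto the customer vlan. Two things worth noting against the poster's config: the same ACL names `inbound` and `outbound` are applied to every SVI there, whereas filtering per customer needs a separate ACL per customer SVI as in the model; and the model counts every routed packet that crosses an SVI, which is the most an SVI counter can ever report, so a real switch's `show interface vlan` figure can only be equal to or lower than that.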

jahilnt10 Wed, 05/09/2007 - 23:26

Hi, thanks for the reply.


My customer traffic is internet traffic and is being forwarded/routed to the upstream router. As you said, I should see all L3-routed traffic on the vlan interface, but in my case I can't and I don't know exactly why.


I don't want to filter traffic between vlans; I want to filter all internet traffic which is being routed to the upstream L3 device on the vlan interfaces, for each individual customer vlan.
