Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
254
Views
0
Helpful
2
Replies

VLANs Routing/Access-list intresting problem

jahilnt10
Level 1
Level 1

‎05-09-2007 01:10 PM - edited ‎03-05-2019 03:58 PM

I have cisco WS-C3550-24-SMI running ip routing.

I have three customers and they fall in their own valns as listed:

interface FastEthernet0/10

switchport access vlan 10

no ip address

spanning-tree portfast

interface Vlan10

description cust2

ip address 1.1.6.37 255.255.255.252

ip access-group inbound in

ip access-group outbound out

interface FastEthernet0/11

switchport access vlan 11

no ip address

spanning-tree portfast

interface Vlan11

description cust3

ip address 1.1.7.41 255.255.255.252

ip access-group inbound in

ip access-group outbound out

Than I have another vlan the one pointing to router

interface FastEthernet0/1

switchport access vlan 14

no ip address

load-interval 30

duplex full

speed 100

spanning-tree portfast

interface Vlan14

description wireless

ip address 192.168.1.1 255.255.255.0

ip access-group inbound in

ip access-group outbound out

This all worked fine. The problem is there is traffic on physical ports and I can't see traffic on VLAN. For example when I execute this command show interface vlan 14. I just some kb traffic while there is more than 10Mb traffic on Fe 0/1. Same for other vlans.

Also access-lists are not working proprely. How do you guys use switches when you need to use your switch as intervlan router and access-lists on vlan or port bases?

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎05-09-2007 10:34 PM

Hi

Bear in mind that you will only get traffic going across the vlan interface if it needs to be routed. So a server within the vlan communicating with another server in the same vlan will not traverse the layer 3 vlan interface.

You should apply access-lists to your vlan interfaces if you want to filter traffic between vlans. Best way to think of it is

Inbound access-list on vlan interface is traffic coming from that vlan and being routed off to another destination.

Outbound access-list on vlan interface is traffic coming from a remote destination and being routed onto the vlan.

HTH

Jon

0 Helpful

jahilnt10
Level 1
Level 1
In response to Jon Marshall

‎05-09-2007 11:26 PM

Hi, Thanks for reply.

My customer traffic is internet traffic and being forward/routed to upstream router. As you said I will see all L3 routed traffic in vlan interface but in my case I can't and I don't know exactly why it is.

I don't want to filter traffic between vlan, I wana filter all internet traffic which is being routed to upstream L3 on vlan interfaces for individual customer vlan.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card