VLAN forwarding question

Unanswered Question
May 11th, 2009
I have a c881 router and I have three vlan interfaces: vlan1 (inside), vlan2 (outside backup interface) and vlan3 (inside of network #2).

I don't want vlan3 to talk to vlan1 at all, but for some reason when I put an ACL inbound that denies ip to the vlan1 subnet, I can still ping a device if I source from vlan3.

What am I doing wrong? Or is there a setting, as on the ASAs, to stop forwarding from one vlan to another?


Thanks,

Brent

Jon Marshall Mon, 05/11/2009 - 10:29

Brent

If you don't want vlan3 to talk to vlan1 then you should either

1) apply the ACL outbound on vlan 1

OR

2) apply the ACL inbound on vlan 3

assuming the ACL looks something like

access-list 101 deny ip

Jon

Brent Rockburn Mon, 05/11/2009 - 10:51

Yeah, that's what I did (ACL inbound on vlan3) but I was still able to ping into the vlan1 subnet.

Jon Marshall Mon, 05/11/2009 - 10:54

Brent

When you did the ping, did you use a client in vlan 3?

Jon

Jon Marshall Mon, 05/11/2009 - 10:58

If you did this on the router then that's why it didn't work.

An inbound ACL on vlan 3 applies to packets arriving on the vlan 3 interface from clients on vlan 3. But if you sit on the router and use the source address of vlan3, the ACL inbound on vlan 3 will not apply to that ping.

You need to test it from a client on the vlan 3 network.

Jon

lamav Mon, 05/11/2009 - 16:51

Just to add to Jon's stuff...

An access-list applied outbound to a vlan interface is traffic going TO machines on that vlan.

An access-list applied inbound to a vlan is traffic coming FROM machines on that vlan.

HTH

Victor
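Putting Jon's two placement options and Victor's direction rule together in one IOS configuration, as an added example that is not configuration from the thread or from Brent's router: the subnets 192.168.1.0/24 for vlan1 and 192.168.3.0/24 for vlan3, the ACL names VLAN3-IN and VLAN1-OUT, and the host addresses in the verification commands are all assumptions.

```cisco
! Added example, not configuration from the thread. Assumed addressing:
!   Vlan1 (inside)              192.168.1.0/24
!   Vlan3 (inside, network #2)  192.168.3.0/24
!
! Option 2 from Jon's reply: filter traffic coming FROM vlan3 hosts as it
! enters the router on Vlan3. An extended ACL ends with an implicit
! "deny ip any any", so the final permit is required or vlan3 loses all
! routed access (including its path out through vlan2).
ip access-list extended VLAN3-IN
 remark block vlan3 -> vlan1, allow everything else
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
interface Vlan3
 ip access-group VLAN3-IN in
!
! Option 1, the equivalent placement: filter traffic going TO vlan1 hosts
! as it leaves the router on Vlan1. Use one option or the other, not both.
ip access-list extended VLAN1-OUT
 remark same policy, enforced at the exit interface instead
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
interface Vlan1
 ip access-group VLAN1-OUT out
!
! Verification. Match counters increment only for transit traffic:
!   show ip access-lists VLAN3-IN
!
! This ping from the router's own CLI still succeeds: the packet is
! generated locally and never arrives on Vlan3, so the inbound ACL is
! not consulted (an outbound ACL does not filter router-generated
! traffic either). It is not evidence that the ACL is broken:
!   ping 192.168.1.10 source 192.168.3.1
!
! Test from a host in 192.168.3.0/24 instead. Its ping to 192.168.1.10
! should fail and the deny line's counter in "show ip access-lists"
! should increase.
```

One caveat a practitioner will want: these ACLs are stateless, so the deny line also drops the return traffic of sessions that hosts on vlan1 open towards vlan3. If vlan1 must be able to reach vlan3 while vlan3 stays blocked from vlan1, put a `permit tcp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 established` line above the deny (TCP replies only), or move to a stateful feature such as the IOS zone-based firewall rather than stretching a plain ACL.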
