VLAN forwarding question

Unanswered Question
May 11th, 2009

I have a c881 router and I have three vlan interfaces, vlan1 (inside) vlan2 (outside backup int) and vlan3(inside of network #2)

I don't want vlan3 to talk to vlan1 at all, but for some reason when I put an ACL for inbound and deny ip to the vlan1 subnet I can still ping a device if I source from vlan3.

What am I doing wrong. Or is there a setting as on the ASA's to stop forwarding from one vlan to another.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Mon, 05/11/2009 - 10:29


If you don't want vlan3 to talk to vlan1 then you should either

1) apply the ACL outbound on vlan 1


2) apply the ACL inbound on vlan 3

assuming the acl looks something like

access-list 101 deny ip


Brent Rockburn Mon, 05/11/2009 - 10:51

Yeah, that's what I did (ACL inbound on vlan3) but I was still able to ping into the vlan1 subnet.

Jon Marshall Mon, 05/11/2009 - 10:58

If you did this on the router then that's why it didn't work.

Inbound acl on vlan 3 applies to packets arriving on the vlan 3 interface from clients on vlan 3. But if you sit on the router and use the source address of vlan3 the acl inbound on vlan 3 will not apply to that ping.

You need to test it from a client on the vlan 3 network.


lamav Mon, 05/11/2009 - 16:51

Just to add to Jon's stuff...

An access-list applied outbound to a vlan interface is traffic going TO machines on that vlan.

An access-list applied inbound to a vlan is traffic coming FROM machines on that vlan.




This Discussion