VLAN forwarding question

Brent Rockburn
Level 2

I have a c881 router and I have three vlan interfaces, vlan1 (inside) vlan2 (outside backup int) and vlan3(inside of network #2)

I don't want vlan3 to talk to vlan1 at all, but for some reason when I put an ACL for inbound and deny ip to the vlan1 subnet I can still ping a device if I source from vlan3.

What am I doing wrong? Or is there a setting, as on the ASAs, to stop forwarding from one vlan to another?

Thanks,

Brent

6 Replies

Jon Marshall
Hall of Fame

Brent

If you don't want vlan3 to talk to vlan1 then you should either

1) apply the ACL outbound on vlan 1

OR

2) apply the ACL inbound on vlan 3

assuming the acl looks something like

access-list 101 deny ip

Jon

Yeah, that's what I did (ACL inbound on vlan3), but I was still able to ping into the vlan1 subnet.

Brent

When you did the ping, did you use a client in vlan 3?

Jon

What I did was run

#ping 10.x.x.x sour vlan3

If you did this on the router then that's why it didn't work.

Inbound acl on vlan 3 applies to packets arriving on the vlan 3 interface from clients on vlan 3. But if you sit on the router and use the source address of vlan3 the acl inbound on vlan 3 will not apply to that ping.

You need to test it from a client on the vlan 3 network.

Jon

Just to add to Jon's stuff...

An access-list applied outbound to a vlan interface is traffic going TO machines on that vlan.

An access-list applied inbound to a vlan is traffic coming FROM machines on that vlan.

HTH

Victor
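To tie Jon's two options and Victor's direction rule together, here is an added IOS configuration example (not posted by anyone in this thread, and not taken from Brent's router). The addresses are assumptions: 10.1.1.0/24 for vlan1 (inside) and 10.1.3.0/24 for vlan3 (inside of network #2); the ACL names VLAN3-IN and VLAN1-OUT are also made up for the example. Option 2 from Jon's reply (inbound on Vlan3) is shown active; option 1 (outbound on Vlan1) is shown as the alternative. Either one alone is enough.

```cisco
! Assumed addressing for the example, not from the original post:
!   Vlan1 = 10.1.1.0/24 (inside), Vlan3 = 10.1.3.0/24 (inside of network #2)
!
! Option 2 (Jon): filter traffic coming FROM hosts on vlan3 as it enters the
! router on the Vlan3 SVI. "in" on Vlan3 == packets sourced by vlan3 machines.
ip access-list extended VLAN3-IN
 deny   ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 permit ip any any
!
interface Vlan3
 ip address 10.1.3.1 255.255.255.0
 ip access-group VLAN3-IN in
!
! Option 1 (Jon): filter traffic going TO hosts on vlan1 as it leaves the
! router on the Vlan1 SVI. "out" on Vlan1 == packets destined for vlan1 machines.
ip access-list extended VLAN1-OUT
 deny   ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 permit ip any any
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
! ip access-group VLAN1-OUT out      (alternative to VLAN3-IN; enable one or both)
!
! Verification, run AFTER pinging from a host on vlan3 (not from the router):
!   show ip access-lists VLAN3-IN
! The deny entry's match counter should increment. A "ping 10.1.1.x source vlan3"
! issued on the router itself is locally generated, never enters Vlan3 inbound,
! and will succeed regardless of VLAN3-IN, exactly as Jon describes.
```

Two practical notes. First, an IOS ACL ends with an implicit deny, so an ACL that contains only Jon's `deny ip ...` line and nothing else will block all traffic from vlan3, including to the outside, not just traffic to vlan1; the trailing `permit ip any any` is what keeps the rest working. Second, because VLAN3-IN also drops the replies that vlan3 hosts send back, a ping from vlan1 into vlan3 will reach the host but its echo reply will be discarded, so the block is effectively bidirectional for connection-oriented traffic even though only one direction is written.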
