05-11-2009 10:26 AM - edited 03-06-2019 05:39 AM
I have a c881 router and I have three vlan interfaces, vlan1 (inside) vlan2 (outside backup int) and vlan3(inside of network #2)
I don't want vlan3 to talk to vlan1 at all, but for some reason when I put an ACL for inbound and deny ip to the vlan1 subnet I can still ping a device if I source from vlan3.
What am I doing wrong? Or is there a setting, as on the ASAs, to stop forwarding from one vlan to another?
Thanks,
Brent
05-11-2009 10:29 AM
Brent
If you don't want vlan3 to talk to vlan1 then you should either
1) apply the ACL outbound on vlan 1
OR
2) apply the ACL inbound on vlan 3
assuming the acl looks something like
access-list 101 deny ip
Jon
05-11-2009 10:51 AM
Yeah, that's what I did (ACL inbound on vlan3) but I was still able to ping into the vlan1 subnet.
05-11-2009 10:54 AM
Brent
When you did the ping, did you use a client in vlan 3?
Jon
05-11-2009 10:56 AM
What I did was run
#ping 10.x.x.x sour vlan3
05-11-2009 10:58 AM
If you did this on the router then that's why it didn't work.
Inbound acl on vlan 3 applies to packets arriving on the vlan 3 interface from clients on vlan 3. But if you sit on the router and use the source address of vlan3, the acl inbound on vlan 3 will not apply to that ping.
You need to test it from a client on the vlan 3 network.
Jon
05-11-2009 04:51 PM
Just to add to Jon's stuff...
An access-list applied outbound to a vlan interface is traffic going TO machines on that vlan.
An access-list applied inbound to a vlan is traffic coming FROM machines on that vlan.
HTH
Victor
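The two placements Jon described, plus the testing caveat from his and Victor's replies, as an added configuration example (not from this thread, and not the original poster's config). The subnets 192.0.2.0/24 for vlan1 and 198.51.100.0/24 for vlan3 and the ACL name are constructed placeholders.

```cisco
! Constructed addressing (not from the thread): vlan1 = 192.0.2.0/24, vlan3 = 198.51.100.0/24
! Named extended ACL: block vlan3 -> vlan1, allow everything else from vlan3.
! "log" on the deny entry gives a syslog hit each time a packet is blocked.
ip access-list extended VLAN3-TO-VLAN1-DENY
 deny   ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 log
 permit ip any any
!
! Option 2: apply inbound on Vlan3, so it matches traffic coming FROM hosts
! on vlan3 as it enters the router.
interface Vlan3
 ip access-group VLAN3-TO-VLAN1-DENY in
!
! Option 1 (equivalent, use one or the other): apply outbound on Vlan1,
! so it matches traffic going TO hosts on vlan1.
! interface Vlan1
!  ip access-group VLAN3-TO-VLAN1-DENY out
!
! Why "ping 192.0.2.x source vlan3" from the router still succeeds:
! traffic the router itself originates never arrives through Vlan3, so the
! inbound ACL is not evaluated, and router-generated traffic is likewise not
! subject to an outbound ACL on Vlan1. Test from a host on 198.51.100.0/24,
! then confirm the deny counter increments:
! show ip access-lists VLAN3-TO-VLAN1-DENY
```

If the counter stays at zero while the host's ping succeeds, the ACL is applied on the wrong interface or direction, or the test traffic is not actually entering on Vlan3.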