
Ethernet subinterfaces and access-list

I am trunking between a Cat 6006 (Fast Ether) to a 3662 using 802.1Q and have subinterfaces configured for each VLAN on the 3662. Since each subinterface has its own subnet, I will need an access-list line for each subnet.

Where is the most efficient and effective application of the access-list? Is it on the main interface or subinterfaces?


Re: Ethernet subinterfaces and access-list


I guess you want to filter between the VLANs. So in this case you have to apply the ACL on the subinterfaces.

If you really like to filter some communication between the different VLANs I would create as many ACLs as needed and apply the ACLs on the

Re: Ethernet subinterfaces and access-list

Apply access-list to the subinterface, and have it restrict traffic as it leaves the subnet. From the router's point of view, this would be on INbound traffic from the subnet to the router.

To be redundantly secure, you can also restrict traffic as it enters a subnet; this would be traffic exiting OUTbound from the router's subinterface. But you have to take into account all the other access-lists you're applying to INbound traffic, reverse the source and destination IP addresses, and input them all in the OUTbound access-list. Do this for each subinterface. Lots of extra work, but it can still protect the other subnets if for some reason you have to take the INbound access-list off of one of the subinterfaces temporarily.

I usually just do the access-lists on traffic INbound to the router. Leaves the router with more CPU time to do things, and it's simpler to maintain. If I have to do access-list maintenance, it's off a subinterface for only a short period of time.

Hope this helps.
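The following IOS configuration is an added example, not something posted in this thread, showing what both replies describe on the 3662 side: 802.1Q subinterfaces, one named extended ACL per VLAN applied INbound (traffic from the subnet toward the router), plus the optional OUTbound ACL on a subinterface that the second reply mentions as extra protection. The interface names, VLAN IDs, addresses, host roles and ACL names are all constructed for the example and will differ on a real router.

```cisco
! Constructed example: router-on-a-stick on the 3662, trunked to the 6006.
! The physical interface carries the trunk and needs no IP address.
interface FastEthernet0/0
 no ip address
!
! One subinterface per VLAN; each gets its own subnet and its own INbound ACL.
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-IN in
 ! Optional "redundantly secure" OUTbound filter toward VLAN 20 (see second reply).
 ip access-group VLAN20-OUT out
!
! INbound on Fa0/0.10: what VLAN 10 hosts may send. Entries are evaluated top
! down and there is an implicit "deny ip any any" at the end of every ACL.
ip access-list extended VLAN10-IN
 remark constructed example: VLAN 10 users reach only the VLAN 20 web server
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.80 eq 80
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.80 eq 443
 deny   ip  10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip  10.0.10.0 0.0.0.255 any
!
! INbound on Fa0/0.20: the server subnet only answers established TCP sessions
! back to VLAN 10 and is otherwise free to leave the router toward other networks.
ip access-list extended VLAN20-IN
 remark constructed example: server VLAN may only reply to VLAN 10
 permit tcp host 10.0.20.80 10.0.10.0 0.0.0.255 established
 deny   ip  10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip  10.0.20.0 0.0.0.255 any
!
! OUTbound on Fa0/0.20: the same flows VLAN10-IN already permits toward VLAN 20,
! restated on the receiving subinterface. As the second reply notes, every other
! subinterface's INbound policy has to be folded into this list, so it must be
! updated in step with them; it only adds value when an INbound ACL is removed.
ip access-list extended VLAN20-OUT
 remark constructed example: what VLAN 20 is allowed to receive from VLAN 10
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.80 eq 80
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.80 eq 443
 deny   ip  10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip  any 10.0.20.0 0.0.0.255
```

After applying this, `show ip interface FastEthernet0/0.10` reports which access list is bound in each direction, and `show ip access-lists` shows per-entry match counters, which is the quickest way to confirm that inter-VLAN traffic is actually hitting the intended `permit` and `deny` lines rather than the implicit deny at the end of the list.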
