[c-nsp] access lists on vlan interfaces

Dale Shaw dale.shaw+cisco-nsp at gmail.com
Tue Apr 10 20:16:19 EDT 2007


Hi Kyle,

On 4/11/07, Kyle Evans <evans.584 at osu.edu> wrote:
> For
> example, if I have vlan 100 and a vlan interface 100 with ip address
> 192.168.1.1 that serves as a gateway for 192.168.1.0/24, is traffic from
> 192.168.1.0/24 to 192.168.1.1 inbound?  Or is traffic from the rest of
> the world back to 192.168.1.1 inbound?

Think of it from the router's perspective on a per-interface basis --
the directional terms "inbound" and "outbound" only mean something in
relation to the interface you're working on. Try to forget interface
"Vlan100" is virtual.

Inbound is traffic entering the router via interface Vlan100 (i.e.
traffic from systems in 192.168.1.0/24 destined for all non-local
networks). Outbound is traffic leaving the router on interface Vlan100
(i.e. traffic from systems in other networks destined for systems in
192.168.1.0/24).

Also FYI, you can't control traffic *within* VLAN100 (i.e. contained
within the L2 VLAN) with an ACL applied on an SVI. There are other
mechanisms for that (VACLs, PVLANs etc.).

cheers,
Dale
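A worked IOS configuration for the two directions and for the intra-VLAN case, added here as an example and not part of Dale's reply. It assumes a Catalyst switch with SVI Vlan100 = 192.168.1.1/24; the ACL and access-map names, the 10.0.0.0/24 "management" network and the SMB port filter are illustrative assumptions.

```cisco
! Added example, not from the original post. Assumes SVI Vlan100 =
! 192.168.1.1/24; ACL names and the 10.0.0.0/24 management network are
! assumptions for illustration.
!
! INBOUND on Vlan100 = packets arriving at the router FROM hosts in
! 192.168.1.0/24, so the SOURCE addresses are in 192.168.1.0/24.
ip access-list extended VLAN100-IN
 remark hosts in the VLAN may reach anything except the management net
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 remark anything else (e.g. a spoofed non-local source) is dropped and logged
 deny   ip any any log
!
! OUTBOUND on Vlan100 = packets leaving the router TOWARD hosts in
! 192.168.1.0/24, so the DESTINATION addresses are in 192.168.1.0/24.
ip access-list extended VLAN100-OUT
 remark return traffic for sessions the VLAN hosts opened
 permit tcp any 192.168.1.0 0.0.0.255 established
 remark only the management network may initiate sessions into the VLAN
 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip any any log
!
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
 ip access-group VLAN100-IN in
 ip access-group VLAN100-OUT out
!
! Neither ACL above ever sees 192.168.1.10 -> 192.168.1.20: that packet is
! switched at L2 inside VLAN 100 and never enters or leaves the SVI. To
! filter it, apply a VACL (vlan access-map), which is evaluated for all
! packets in the VLAN, bridged or routed. Here SMB between peers is dropped
! and everything else forwarded (assumed policy, for illustration).
ip access-list extended INTRA-VLAN100-BLOCK
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
!
vlan access-map VLAN100-MAP 10
 match ip address INTRA-VLAN100-BLOCK
 action drop
vlan access-map VLAN100-MAP 20
 action forward
!
vlan filter VLAN100-MAP vlan-list 100
```

Note that a VACL also matches traffic that will later be routed through the SVI, so its drop rules take effect before VLAN100-IN is consulted.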

