InterVLAN Routing

Hello Arindom

There are two fundamental differences between your config and mine. Your config is what is called a “router on a stick” where the routing takes place in the router itself. This means that any traffic from VLAN 10 to VLAN 20 for example will go to the router, be routed from the Fe0/0.10 interface to the Fe0/0.20 interface, be sent back to the switch and to the appropriate device on VLAN 20.

My config involves interVLAN routing, which is routing from one VLAN to another within the Layer 3 switch itself. In this case, routing takes place from one SVI to another, for the specific example, from the VLAN 10 interface to the VLAN 20 interface on the switch itself.

The other fundamental difference is the location, type, and direction of the access lists that have been applied. In my example, I used two EXTENDED access lists that can deny or permit packets based on their source AND destination addresses, while you used a STANDARD access list that filters traffic based ONLY on the source address.

By creating two access lists and placing them on the SVI of the subnet you want to isolate, specifying that we want both directions (in and out) to be blocked AND that we want to block packets regardless of source or destination IP, we verify that no traffic can go in or out of this subnet.

What you have done is created a single access list that filters based on source IP address only and filters only traffic flowing into VLAN 100.

So, when you get this result:

the ping reaches the Fe0/0.100 interface, but because the access list blocks the ping, the router responds and says that it can’t reach the destination.

When you get:

The ping goes to the router, gets routed, reaches PC2, and PC2 responds. The response reaches the router, but because the access list on the Fe0/0.100 interface in the outgoing direction blocks it, the packet never returns and thus you get a request timed out.

PC3 can ping anywhere within the subnet (10.10.101.X) because you are not directing any traffic to the interface where the access list has been installed.

I hope this has been helpful!

Laz

1 Like
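The two configurations Laz contrasts, written out side by side as an added example that is not part of the original thread. The IP addressing, the ACL names ISOLATE-IN / ISOLATE-OUT, the standard ACL number 1, and the use of VLAN 100 as the isolated subnet on both devices are assumptions for illustration; only VLAN 10, VLAN 20, VLAN 100 and the Fe0/0.x subinterfaces come from the post.

```cisco
! ===== Laz's approach: Layer 3 switch, routing between SVIs =====
! Added example, not the original poster's config. Addressing and the
! ACL names ISOLATE-IN / ISOLATE-OUT are assumptions.
ip routing
!
vlan 10,20,100
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Extended ACLs match on source AND destination. The explicit entries
! name the isolated subnet; the implicit "deny ip any any" at the end
! of every IOS ACL drops everything else, so nothing is permitted.
ip access-list extended ISOLATE-IN
 remark packets entering the switch from VLAN 100 hosts ("in" on the SVI)
 deny   ip 10.10.100.0 0.0.0.255 any
!
ip access-list extended ISOLATE-OUT
 remark packets the switch would route into VLAN 100 ("out" on the SVI)
 deny   ip any 10.10.100.0 0.0.0.255
!
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 ip access-group ISOLATE-IN in
 ip access-group ISOLATE-OUT out
!
! Hosts inside 10.10.100.0/24 still reach each other: that traffic is
! switched at Layer 2 and never crosses the SVI, so the ACLs never see it.
!
! ===== Arindom's approach: router on a stick, standard ACL, one direction =====
interface FastEthernet0/0
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
! Standard ACL 1 can only test the SOURCE address.
access-list 1 deny   10.10.10.0 0.0.0.255
access-list 1 deny   10.10.20.0 0.0.0.255
! implicit "deny any" follows
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.10.100.1 255.255.255.0
 ! "out" on this subinterface means traffic the router sends INTO VLAN 100.
 ! A ping from VLAN 10 to VLAN 100 is routed here, denied, and the router
 ! answers with an ICMP unreachable (the "can't reach the destination" case).
 ! Nothing filters what VLAN 100 hosts send, so their pings leave, reach
 ! PC2, and only the echo reply is dropped here: "Request timed out".
 ip access-group 1 out
```

To confirm which list is doing the dropping, `show ip access-lists` shows per-entry match counters and `show ip interface Vlan100` (or `FastEthernet0/0.100`) shows which ACL is applied in which direction. One caveat worth knowing: in the router-on-a-stick case the ICMP unreachable the router returns tells the sender that a filter is in the path; `no ip unreachables` on the subinterface suppresses that reply, at the cost of the sender seeing a timeout instead.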