Router on a Stick

zoro_2009 · December 2015

Hi,

I have a classique router on a stick configuration, and I want to implement some of the intervlan ACLs on the switch to take the load off the router.

I've configured an ACL on the SVI to prevent communication between the hosts on both vlans, but this doesn't seem to work !

The setup is: each host receiving an IP from the router (DHCP), and the subinterface is its gateway, The switch is L3, and there 2 SVIs !

Am I missing something here ?

Thanks

bharvey92 · December 2015

Post the configurations up so we can have a look, just a punt - but could it be that you have not assigned the ACL to the correct interface?

shortstop20 · December 2015

If the router is hosting the default gateway, you are not going to be able to apply ACLs on the SVIs of the switch to block traffic between VLANs. Those ACLs would need to be applied on the router subinterfaces.

james43026 · January 2016

shortstop20 wrote: »

If the router is hosting the default gateway, you are not going to be able to apply ACLs on the SVIs of the switch to block traffic between VLANs. Those ACLs would need to be applied on the router subinterfaces.

If you simply configured ACLs and applied them to a layer 3 interface / SVI on a switch, then it's not going to have an affect on traffic that isn't passing over the layer 3 SVIs. Which in your setup traffic has no need to interact with a layer 3 SVI directly on your switch since they are using your router as a default gateway. What you need are VACLs, which is simply a route map / access map as it would be called at a layer 2 level, that can reference an ACL to filter traffic at the VLAN level. This article may help you.

Router on a Stick

Comments