I agree with Jon.

This was a 5-pointer. ;-)

Victor

That is why he has 2700 points.

Clear and succinct; just what I was looking for.

Regards,

Jimmy / Victor

Missed this one, comments much appreciated as are ratings.

Jon

Hi Jon,

We finally got around to trying to implement this, and we failed miserably. I'm not sure I made clear that only the core 4507s were routable, the access 4507s are L2 only. We think that is what is stopping us from moving off of interface VLANs on the core. Does that sound right? See you at Networkers.

Ahh okay that would change my answer then :-).

I would leave the vlan interfaces on the 4507 core switches and just make your uplinks either L2 access ports or if you need more than one vlan then make them trunks.

I would make them "no switchports" if both ends were L3 capable switches. Can't see much benefit otherwise.

Which networkers - i'm in the UK and i think ours in Europe was January just gone :-)

Jon

Jon,

Thanks for prompt reply, it was only in hindsight did I realize I left out some valuable information.

I'll be in Orlando in June; I didn't detect a accent, so I assumed you were in the states.

Go Manchester United!

Thanks again.

Jimmy

Was that a guess about Manchester United. I work in London but i'm actually from Manchester. So you guessed right.

Deserves a rating - (hope ken isn't reading this :-))

Jon

Hi Jon,

How 'bout them Red Devils!!

We always get confused when we apply an access list to an SVI. What is the rule of thumb about inbound or outbound?

Let's say data is routed from Newcastle, through London, then onto Cork. I want to block some Newcastle-sourced traffic in London from going to Cork, but allow it to the rest of London. London has SVI's. How do I do that?

Regards,

Jimmyc

Jimmy

Inbound access-list on vlan interface is for traffic generated by devices on that vlan.

Outbound access-list on vlan interface is for traffic destined for devices on that vlan.

In answer to your question you could apply the access-list on the interface that connects London to Cork. So lets say

R1 -> R2 -> L3 switch -> R3 -> R4

R1 is in Newcastle.

R2, L3 switch, R3 in London

R4 in Cork

You could apply access-list outbound on SVI interface that connects L3 switch to R3.

Or you could appply access-list inbound on R3 interface that connects to L3 switch.

Or you could apply outbound on R3 WAN interface to Cork.

Recommended way is to drop traffic as near to the source as possible however so i would apply the access-list in Newcastle and stop the traffic using any of the WAN bandwidth.

Jon

That explains it well, thanks.

As for Renaldo, maybe good for the team, maybe not.

BTY, Happy anniversary of D-Day.

My old man flew B-17 missions starting June 8, out of Rattlesden, near Bury St. Edmonds.

Oh yes, forgot to say. Very happy with our seasons football, now if we can just keep Ronaldo....

I think you have it figured out . Using SVI's allows you to put that address range onto any trunk that is feeding your L2 access switches , if you tried to change that setup thats probably why it broke . You can do what you were trying for links between routers instead of SVI's and it should not break anything. If you didn't have more than one subnet on each access switch you could do what you tried but then you would have to turn on ip routing on the access 4506's and use a default static route back to the core 4506's.

Thanks Glen,

That is exactly what happened. Looks like our initial configuration was optimal, thereby proving, once again, that if it ain't broke, don't fix it.

Regards,