i need to understand something. i have a a cusetomer with 2 buildings connected via fibre. there is one multilayer switch in 1 building and 2 in the other. the link is trunking all vlans between the buildings. there are access lists only on one router in the second building. can you explain why the pcs in building one would ever hit an access list if the access list is not on their local multilayer switch. the access lists are vlan access lists. can you assign a pcs gateway to be the ip address of a vlan ?i can post the configs if u wish
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
cant understand this
- Thread starter mikeleahy
- Start date
Because the Layer-3 interface they hit first (their default-gateway) is the one in the other building. I assume this is the one with the ACL's attached to the Layer-3 SVI interfaces.
The logic is this - packet leaves PC on VLAN X (subnet 10.1.1.0/24) but is destined for another subnet (VLAN Y 10.1.2.0/24). Packet must go via the default-gateway. Packet travels at Layer-2 through local switch, over Trunk to switch that has the Layer-3 SVI for VLAN X. This switch permits/denies traffic if ACL's are applied to the SVI interface.
HTH
Andy
The logic is this - packet leaves PC on VLAN X (subnet 10.1.1.0/24) but is destined for another subnet (VLAN Y 10.1.2.0/24). Packet must go via the default-gateway. Packet travels at Layer-2 through local switch, over Trunk to switch that has the Layer-3 SVI for VLAN X. This switch permits/denies traffic if ACL's are applied to the SVI interface.
HTH
Andy
- Thread starter
- #4
The pc gateway will be the address of the layer 3 device interface doing the routing for the vlan he is on . The routing is done on the layer 3 device and the connectivity to that layer 3 device is extended down to the other switches via trunking . You can restrict what vlans are being allowed across that trunk if needed or wanted .
- Thread starter
- #6
i think you have misunderstood the layers that are being spoken about here , see if i can give an example
a green man (pc) can see all other green men in the same colour room (vlan ) as him, if you stick a red man in there they cant see him and he cant see them, it doesn't matter if there are lots of rooms that are all full of green men (switches) as long as there is a corriordor that allows the green men to travel along to the other green rooms if a green man wishes to talk to a red man then he needs a router to find the redman and talk to him on his behalf , ie ping - are you there says the greenman ? router sees that the greenman needs to talk to the redman thats in a different room so takes his "are you there" packet and shoves it into a red room full of red men , the redman says yes im here and sends the reply back to the router who in turn shoves that packet into the room full of green men , the green man sees the packet and has a successful ping response.
or
a pc in vlan 2 can talk to any other vlan 2 device on any switch aslong as there is a link between the two switches that is at layer 2 of the 7 layer mode ( the switching layer) if you put a point to point ip address between these two switches you break up the vlans and altho there on the same vlan number they are different vlans and will require routing for them to talk to each other the router will be directly attached or even the within the same device as the switch (some switches can route )
a green man (pc) can see all other green men in the same colour room (vlan ) as him, if you stick a red man in there they cant see him and he cant see them, it doesn't matter if there are lots of rooms that are all full of green men (switches) as long as there is a corriordor that allows the green men to travel along to the other green rooms if a green man wishes to talk to a red man then he needs a router to find the redman and talk to him on his behalf , ie ping - are you there says the greenman ? router sees that the greenman needs to talk to the redman thats in a different room so takes his "are you there" packet and shoves it into a red room full of red men , the redman says yes im here and sends the reply back to the router who in turn shoves that packet into the room full of green men , the green man sees the packet and has a successful ping response.
or
a pc in vlan 2 can talk to any other vlan 2 device on any switch aslong as there is a link between the two switches that is at layer 2 of the 7 layer mode ( the switching layer) if you put a point to point ip address between these two switches you break up the vlans and altho there on the same vlan number they are different vlans and will require routing for them to talk to each other the router will be directly attached or even the within the same device as the switch (some switches can route )
- Status