Routing Between Two VLA Ns

Your configuration looks pretty good. One question, is the mask on f0/0.1 really a /30? If so, you'll want to change your ACL a little. (see below) Personally I like to hard set my speed/duplex settings, but that's just me. This is how I would configure things:

[switch] int f0/1 switchport mode trunk duplex full speed 100 [router] int f0/0 full-duplex speed 100 no ip address int f0/0.1 encapsulation dot1q 1 ip address 192.168.195.25 255.255.255.252 ip access-group no_route in int f0/0.2 encapsulation dot1q 2 ip address 172.16.98.1 255.255.255.0 ip access-group no_route in

ip access-list extended no_route deny ip 192.168.195.24 0.0.0.3 172.16.98.0 0.0.0.255 deny ip 172.16.98.0 0.0.0.255 192.168.195.24 0.0.0.3 permit ip any any

Hope this helps,

-Dan

Thank you for pointing out the discrepency between the IP address mask and the ACL wildcard mask.

Can you please explain why the access-group statement is applied to the sub-interfaces instead of f0/0?

The ACL needs to be applied to the interface that will "see" the traffic. f0/0 acts only as a layer ONE device in this case - and therefore will not "see" the layer THREE traffic you are trying to filter.

Try to think of the sub-interfaces as "real" interfaces. This makes it easier to think about.

Thank you. I see some other commands that are currently associated with F0/0 that would seem to fall into this category: ip nat inside ip nbar protocol-discovery service-policy input PMap_Vendor

I presume these should all be moved to one of the sub-interfaces as well. Is that correct?

Yes. Having them on the fa interface doesn't do anything.