topic Re: access-list on VE interface blocks traffic for whole VLAN in ICX Switches

access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty — Tue, 07 May 2019 07:30:11 GMT

Hello all. I will be grateful for the help
I have applied ACL on a VE interface and it seems ACL was applied not only on VE but on physical interface too. Is it correct?
I have not found any info about it, except for "enable acl-per-port-per-vlan" but am not sure whether it is what i need.
Thank you.

Re: access-list on VE interface blocks traffic for whole VLAN

jijo_panangat — Tue, 07 May 2019 09:21:11 GMT

Hello Mielch,

A Ve on an ICX is same as an SVI on a Cisco layer-3 switch Incase you are familiar with.

For example:

vlan 100 name Example_VLAN
untag ethernet 1/1/1
router-interface ve100

interface ve 100
ip address 192.168.100.1/24

In the above, You build a VLAN, associate it with some interfaces, then associate a VE with the VLAN. That creates the map between the VLAN, interfaces, and VE. Then you configure a VE (virtual interface).
Now if you are applying an ACL to the Ve interface, it is bound to vlan 100 port.

Re: access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty — Tue, 07 May 2019 09:43:01 GMT

Hi Jijo Panangat,
thanks for answer, but it's a little bit different, so i have 3 switches with vlan 1

SW1-----------ICX-----------SW2
1.1.1.1 1.1.1.2 1.1.1.3

ICX has a config
vlan 1
untagged e 1/1/1 to e 1/1/2
router-interface ve 1
int ve 1
ip add 1.1.1.2 255.255.255.0
ip access-group TEST in

ip access-list TEST
deny ip any any

And with such a config i can't ping SW2 from SW1 and back as if there is an access-list on interfaces e 1/1/1 and 1/1/2

Re: access-list on VE interface blocks traffic for whole VLAN

jijo_panangat — Tue, 07 May 2019 10:47:30 GMT

Hello Mielch,

This is expected. The inbound packets are denied by the ACL on ports 1/1/1 & 1/1/2.

Re: access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty — Tue, 07 May 2019 11:04:57 GMT

but there are no ACL on ports 1/1/1 & 1/1/2, just on VE 1.
Can i change this behavior or just have to keep that in mind?
In cisco wolrld it is quite different and ACL on SVI doesn't block traffic on physical interfaces.

Re: access-list on VE interface blocks traffic for whole VLAN

jijo_panangat — Tue, 07 May 2019 11:25:08 GMT

Hello Mielch,

Ve 1 is mapped to vlan 1 above. so the ACL applies to the vlan 1 ports 1/1/1 & 1/1/2.

Re: access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty — Tue, 07 May 2019 11:34:03 GMT

ok, thank you for help 🙂 that's a pity though, that this behavior is not mentioned in any documentation

Re: access-list on VE interface blocks traffic for whole VLAN

jijo_panangat — Tue, 07 May 2019 11:54:26 GMT

Hello Mielch,

The use cases for 'enable acl-per-port-per-vlan' feature is covered in the following link.

http://docs.ruckuswireless.com/fastiron/08.0.70/fastiron-08070-securityguide/GUID-EA33A883-46A8-491D-BCB3-402F43A5ED69.html

http://docs.ruckuswireless.com/fastiron/08.0.70/fastiron-08070-securityguide/GUID-E82574D9-45DD-4845-A388-8D5D4D076AEE.html

http://docs.ruckuswireless.com/fastiron/08.0.70/fastiron-08070-securityguide/GUID-5F3FA3B6-93F2-4D24-A0CA-C75321216A88.html

Re: access-list on VE interface blocks traffic for whole VLAN

netwizz — Tue, 07 May 2019 12:37:01 GMT

To expound on what Jijo Panagat said:

On both platforms you put the ACL on the actual Layer-3 Interface whatever that happens to be...

ICX Device:

vlan 100 name Example_VLAN
untag ethernet 1/1/1
router-interface ve100
!

interface ve 100
port-name Some_Description_Here
ip address 192.168.100.1/24
ip access-group NAME out
!

Cisco:

vlan 100
name Example_VLAN
!

Interface GigabitEthernet1/1/1
switchport access vlan 100
switchport mode access
!

interface Vlan100
description Some_Description_Here
ip address 192.168.100.1 255.255.255.0
ip access-group NAME out
!

**********

If you want to filter egress traffic, make any rule with a source and destination, or filter a specific protocol & port such as TCP or UDP you need to use an extended access list. Either way extended access lists are more flexible in that you can also use them to match ingress traffic if you choose.

If you want to simply match the source, you can use a standard ACL. These are usually for who has access to SSH or similar though in practice.

The above example assumes an extended, named access list.

Re: access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty — Tue, 07 May 2019 13:22:40 GMT

Hi NETWizz,
Cisco doesn't block traffic on physical interfaces by applying ACL on SVI, while ICX does.

Re: access-list on VE interface blocks traffic for whole VLAN

netwizz — Tue, 07 May 2019 14:16:14 GMT

Cisco certainly blocks the traffic when you apply the ACL to an SVI. Not saying whether it logically gets dropped on on the SVI vs the physical interface, but either way the traffic gets dropped.

Case and point, I have a pair of 6509's with the 2T supervisor, and there are a couple of SVIs with ACLS, and they clearly block the traffic from passing before routing occurs.

Now, if you are saying the that I have two access-port interfaces in a VLAN, and that VLAN has an SVI that traffic does not get blocked from physical-interface to physical-interface within the same VLAN that is true. That said, it does get dropped when the SVI comes into play for layer-3 functionality like traffic leaving its layer-2 subnet and a routing table being consulted to get it to some other destination subnet.

****

Are you saying if you put an ACL on an ICX VRI (i.e. a VE), that it will also filter the traffic between multiple physical interfaces within that same VLAN if routing doesn't occur?

Just asking because usually the Cisco Software Virtual Interfaces (SVIs) and the ICX Virtual Router Interfaces (VRIs) serve predominantly as default-gateways to get off a local subnet within a given VLAN, so there is usually Layer-3 routing involved regardless of the platform.

Re: access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty — Tue, 07 May 2019 14:30:06 GMT

Are you saying if you put an ACL on an ICX VRI (i.e. a VE), that it will also filter the traffic between multiple physical interfaces within that same VLAN if routing doesn't occur?

That's the thing!

SW1-----------ICX-----------SW2
1.1.1.1 1.1.1.2 1.1.1.3

ICX has a config
vlan 1
untagged e 1/1/1 to e 1/1/2
router-interface ve 1
int ve 1
ip add 1.1.1.2 255.255.255.0
ip access-group TEST in

ip access-list TEST
deny ip any any

And with such a config i can't ping SW2 from SW1 and vice versa. I have made such an ACL on production network yesterday and got an unpleasant outage and today i am checking it in test environment and the result is the same with or without "enable acl-per-port-per-vlan" command.

Re: access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty — Fri, 10 May 2019 12:32:55 GMT

Thanks to r/Brocade on reddit i have found an explanation.
There is routing code on ICX and ve interface is like a subinterface on a cisco router other than an interface vlan on a cisco switch. Thats why the ACL behavior on VE is so.

Re: access-list on VE interface blocks traffic for whole VLAN

QuasarKid — Tue, 02 Jul 2024 18:03:35 GMT

It will absolutely block intervlan traffic if not explicitly allowed, it for some reason applies to ANY traffic in that vlan almost like a VACL. I ran into this issue a few years back, so I always put an allow statement at the beginning to and from the subnet on the VRI. Not only that, last night I moved some of my VRIs to a firewall and shut down the old interfaces on the brocade, however the ACLs were still applying to the traffic! I don’t know who designed it to work this way but I cannot see a single use-case for an ACL to apply to a shut down SVI, they certainly have a unique understanding of how ACLs should work. That little quirk lost us 3 hours of business and 10 hours of my life.