access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty
New Contributor II
Hello all. I will be grateful for the help
I have applied ACL on a VE interface and it seems ACL was applied not only on VE but on physical interface too. Is it correct?
I have not found any info about it, except for "enable acl-per-port-per-vlan" but am not sure whether it is what i need.
Thank you.


13 replies

It will absolutely block intervlan traffic if not explicitly allowed; it for some reason applies to ANY traffic in that VLAN, almost like a VACL. I ran into this issue a few years back, so I always put an allow statement at the beginning to and from the subnet on the VRI. Not only that, last night I moved some of my VRIs to a firewall and shut down the old interfaces on the Brocade, however the ACLs were still applying to the traffic! I don't know who designed it to work this way, but I cannot see a single use-case for an ACL to apply to a shut down SVI; they certainly have a unique understanding of how ACLs should work. That little quirk lost us 3 hours of business and 10 hours of my life.

Are you saying if you put an ACL on an ICX VRI (i.e. a VE), that it will also filter the traffic between multiple physical interfaces within that same VLAN if routing doesn't occur?
That's the thing!


SW1-----------ICX-----------SW2
1.1.1.1       1.1.1.2         1.1.1.3

ICX has the following config:
vlan 1
 untagged e 1/1/1 to e 1/1/2
 router-interface ve 1
int ve 1
 ip add 1.1.1.2 255.255.255.0
 ip access-group TEST in

ip access-list TEST
 deny ip any any

And with such a config I can't ping SW2 from SW1 and vice versa. I made such an ACL on the production network yesterday and got an unpleasant outage, and today I am checking it in a test environment and the result is the same with or without the "enable acl-per-port-per-vlan" command.

mielch_qwerty
New Contributor II
Hi Jijo Panangat,
thanks for the answer, but it's a little bit different. I have 3 switches with VLAN 1:

SW1-----------ICX-----------SW2
1.1.1.1       1.1.1.2         1.1.1.3

ICX has the following config:
vlan 1
 untagged e 1/1/1 to e 1/1/2
 router-interface ve 1
int ve 1
 ip add 1.1.1.2 255.255.255.0
 ip access-group TEST in

ip access-list TEST
 deny ip any any

And with such a config I can't ping SW2 from SW1 and back, as if there is an access-list on interfaces e 1/1/1 and e 1/1/2.

jijo_panangat
RUCKUS Team Member
Hello Mielch,

This is expected. The inbound packets are denied by the ACL on ports 1/1/1 & 1/1/2.

But there is no ACL on ports 1/1/1 & 1/1/2, just on VE 1.
Can I change this behavior, or do I just have to keep that in mind?
In the Cisco world it is quite different, and an ACL on an SVI doesn't block traffic on physical interfaces.
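To make the behaviour Jijo describes concrete, here is a small Python model, added here and not ICX code or anything posted in the thread, of an inbound ACL on a VE being enforced on every packet entering the VLAN's member ports, so bridged SW1 to SW2 traffic is dropped along with routed traffic. The first-match and implicit-deny ACL semantics are an assumption, the 1.1.1.0/24 addressing follows the thread, and the off-net host 10.0.0.9 is constructed; the block also contrasts the posted ACL with the first reply's workaround of permitting the VLAN's own subnet before the deny.

```python
# Model of the behaviour reported in this thread (constructed example, not ICX
# code): an ACL bound to a VE is enforced on every packet entering the VLAN's
# member ports, so it also hits bridged same-subnet traffic.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")  # 'any' in the ACL syntax

@dataclass
class Rule:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst

def evaluate(acl: list, src: IPv4Address, dst: IPv4Address) -> str:
    """First matching rule wins; the list ends in an implicit deny (assumed)."""
    for rule in acl:
        if rule.matches(src, dst):
            return rule.action
    return "deny"

@dataclass
class VlanWithVe:
    ve_ip: IPv4Address
    subnet: IPv4Network
    inbound_acl: list  # the VE's 'ip access-group ... in' list

    def inbound(self, src: IPv4Address, dst: IPv4Address) -> str:
        """Fate of a frame arriving on a member port (e 1/1/1 or e 1/1/2). The VE's
        ACL runs before the bridge-or-route decision, so SW1 -> SW2 is hit too."""
        if evaluate(self.inbound_acl, src, dst) == "deny":
            return "dropped"
        if dst == self.ve_ip:
            return "to ve"
        return "bridged" if dst in self.subnet else "routed"

SUBNET = IPv4Network("1.1.1.0/24")
SW1, ICX, SW2 = (IPv4Address(f"1.1.1.{i}") for i in (1, 2, 3))

TEST = [Rule("deny", ANY, ANY)]                # the ACL from the thread
TEST_FIXED = [Rule("permit", SUBNET, SUBNET),  # first reply's workaround: permit
              Rule("deny", ANY, ANY)]          # the VLAN's own subnet before the deny

def ping_results(acl: list) -> dict:
    # Outcome for SW1 reaching SW2 (bridged), the VE itself, and a constructed off-net host.
    vlan1 = VlanWithVe(ICX, SUBNET, acl)
    return {"sw1->sw2": vlan1.inbound(SW1, SW2),
            "sw1->ve": vlan1.inbound(SW1, ICX),
            "sw1->offnet": vlan1.inbound(SW1, IPv4Address("10.0.0.9"))}
```

With TEST every entry is "dropped", which is the outage in the thread; with TEST_FIXED only the off-net destination is dropped while same-subnet traffic is bridged as before.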