access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty
New Contributor II
Hello all. I would be grateful for help.
I have applied an ACL on a VE interface and it seems the ACL was applied not only to the VE but to the physical interfaces too. Is that correct?
I have not found any info about it, except for "enable acl-per-port-per-vlan", but I am not sure whether it is what I need.
Thank you.


12 REPLIES

Are you saying if you put an ACL on an ICX VRI (i.e. a VE), that it will also filter the traffic between multiple physical interfaces within that same VLAN if routing doesn't occur?
That's the thing!


SW1-----------ICX-----------SW2
1.1.1.1       1.1.1.2         1.1.1.3

ICX has a config
vlan 1
 untagged e 1/1/1 to e 1/1/2
 router-interface ve 1
int  ve 1
 ip add 1.1.1.2  255.255.255.0
 ip access-group TEST in

ip access-list TEST
  deny ip any any

And with such a config I can't ping SW2 from SW1 and vice versa. I made such an ACL on the production network yesterday and got an unpleasant outage, and today I am checking it in a test environment: the result is the same with or without the "enable acl-per-port-per-vlan" command.




mielch_qwerty
New Contributor II
Hi Jijo Panangat,
Thanks for the answer, but it's a little bit different: I have 3 switches with VLAN 1

SW1-----------ICX-----------SW2
1.1.1.1       1.1.1.2         1.1.1.3

ICX has a config
vlan 1
 untagged e 1/1/1 to e 1/1/2
 router-interface ve 1
int  ve 1
 ip add 1.1.1.2  255.255.255.0
 ip access-group TEST in

ip access-list TEST
  deny ip any any

And with such a config I can't ping SW2 from SW1 and back, as if there were an access-list on interfaces e 1/1/1 and e 1/1/2.

jijo_panangat
RUCKUS Team Member
Hello Mielch,

This is expected. The inbound packets are denied by the ACL on ports 1/1/1 & 1/1/2.

But there are no ACLs on ports 1/1/1 & 1/1/2, just on VE 1.
Can I change this behavior, or do I just have to keep that in mind?
In the Cisco world it is quite different: an ACL on an SVI doesn't block traffic on the physical interfaces.
 

Hello Mielch,

VE 1 is mapped to VLAN 1 above, so the ACL applies to the VLAN 1 ports 1/1/1 & 1/1/2.
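The behaviour Jijo describes, as an added model written for this page (it is not Ruckus code and not from the thread): an ACL bound to a VE is enforced inbound on every port of the VLAN that the VE routes for, so it filters bridged same-subnet traffic as well as routed traffic. The script parses the configuration posted above, derives the set of ports the ACL lands on from VLAN membership alone, and evaluates the SW1 to SW2 ping that failed. It also evaluates a hypothetical variant of the ACL (my own, not suggested in the thread) that permits traffic staying inside 1.1.1.0/24 before the final deny, which is the kind of entry you would need if the ACL has to stay on the VE but intra-VLAN traffic must keep flowing. Assumptions: ICX ACLs are first-match with an implicit deny at the end, the `A.B.C.D WILDCARD` and `host` address forms behave as on other IOS-style platforms, and only the statements in the posted config are understood by the parser.

```python
"""Model of an ICX VE-bound ACL being enforced on every port of its VLAN.
Added illustration for this thread, not Ruckus code."""
import ipaddress
import re

# Constructed: the configuration posted in the thread, config and ACL together.
ICX_CONFIG = """\
vlan 1
 untagged e 1/1/1 to e 1/1/2
 router-interface ve 1
int ve 1
 ip add 1.1.1.2 255.255.255.0
 ip access-group TEST in
ip access-list TEST
  deny ip any any
"""

# Hypothetical variant (my assumption, not from the thread): permit traffic that
# stays inside the VE's own subnet before the deny, so bridged hosts still talk.
ICX_CONFIG_PERMIT_LOCAL = ICX_CONFIG.replace(
    "  deny ip any any",
    "  permit ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255\n  deny ip any any")


def _expand_ports(spec):
    """'e 1/1/1 to e 1/1/2' -> ['e 1/1/1', 'e 1/1/2']; only the port index ranges."""
    m = re.fullmatch(r"e (\d+)/(\d+)/(\d+)(?: to e (\d+)/(\d+)/(\d+))?", spec.strip())
    if not m:
        raise ValueError(f"unsupported port spec: {spec}")
    unit, slot, first = m.group(1), m.group(2), int(m.group(3))
    last = int(m.group(6)) if m.group(6) else first
    return [f"e {unit}/{slot}/{p}" for p in range(first, last + 1)]


def _parse_addr(tokens):
    """Consume one ACL address: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_config(text):
    """Parse vlan / interface ve / ip access-list blocks into a plain dict."""
    cfg = {"vlans": {}, "ves": {}, "acls": {}}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        t = line.split()
        if t[0] == "vlan":
            ctx = ("vlan", int(t[1]))
            cfg["vlans"].setdefault(ctx[1], {"ports": [], "ve": None})
        elif t[0] in ("int", "interface") and t[1] == "ve":
            ctx = ("ve", int(t[2]))
            cfg["ves"].setdefault(ctx[1], {"ip": None, "acl_in": None})
        elif t[:2] == ["ip", "access-list"]:
            ctx = ("acl", t[2])
            cfg["acls"].setdefault(ctx[1], [])
        elif ctx is None:
            raise ValueError(f"statement outside any block: {line}")
        elif ctx[0] == "vlan" and t[0] in ("untagged", "tagged"):
            cfg["vlans"][ctx[1]]["ports"] += _expand_ports(" ".join(t[1:]))
        elif ctx[0] == "vlan" and t[0] == "router-interface":
            cfg["vlans"][ctx[1]]["ve"] = int(t[2])
        elif ctx[0] == "ve" and t[0] == "ip" and t[1].startswith("add"):
            cfg["ves"][ctx[1]]["ip"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif ctx[0] == "ve" and t[:2] == ["ip", "access-group"] and t[3] == "in":
            cfg["ves"][ctx[1]]["acl_in"] = t[2]
        elif ctx[0] == "acl" and t[0] in ("permit", "deny") and t[1] == "ip":
            src, rest = _parse_addr(t[2:])
            dst, _ = _parse_addr(rest)
            cfg["acls"][ctx[1]].append((t[0], src, dst))
        else:
            raise ValueError(f"unsupported statement: {line}")
    return cfg


def acl_enforced_on_ports(cfg):
    """Port -> inbound ACL, derived only from VLAN membership: a VE-bound ACL is
    programmed on every port of that VE's VLAN, even with no per-port binding."""
    enforced = {}
    for vlan in cfg["vlans"].values():
        ve = cfg["ves"].get(vlan["ve"])
        if ve and ve["acl_in"]:
            for port in vlan["ports"]:
                enforced[port] = ve["acl_in"]
    return enforced


def acl_action(entries, src, dst):
    """First matching entry wins; the ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in entries:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def forward(cfg, ingress_port, src, dst):
    """What the switch does with an IP packet src->dst entering ingress_port."""
    acl = acl_enforced_on_ports(cfg).get(ingress_port)
    if acl and acl_action(cfg["acls"][acl], src, dst) == "deny":
        return f"dropped by ACL {acl} at ingress {ingress_port}"
    for vlan in cfg["vlans"].values():
        if ingress_port in vlan["ports"]:
            ve = cfg["ves"].get(vlan["ve"])
            if ve is None or ipaddress.ip_address(dst) in ve["ip"].network:
                return "bridged within VLAN"
            return f"routed via ve {vlan['ve']}"
    return "port is in no VLAN"


if __name__ == "__main__":
    for label, text in (("as posted", ICX_CONFIG), ("permit-local first", ICX_CONFIG_PERMIT_LOCAL)):
        cfg = parse_config(text)
        print(label, "-> ACL enforced on:", acl_enforced_on_ports(cfg))
        print("  SW1 -> SW2 (1.1.1.1 -> 1.1.1.3):", forward(cfg, "e 1/1/1", "1.1.1.1", "1.1.1.3"))
        print("  SW1 -> off-subnet (1.1.1.1 -> 10.0.0.1):", forward(cfg, "e 1/1/1", "1.1.1.1", "10.0.0.1"))
```

With the posted config the model drops the SW1 to SW2 ping at ingress on e 1/1/1 even though the packet would only be bridged, which is the outage described above; with the permit-local entry the bridged traffic passes and only traffic leaving the subnet is dropped. Before putting any `deny` on a VE in production, list the VLAN's ports the way `acl_enforced_on_ports` does and check what same-subnet traffic crosses them.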