Hello all. I would be grateful for some help. I have applied an ACL on a VE interface, and it seems the ACL was applied not only on the VE but on the physical interface too. Is that correct? I have not found any info about it, except for "enable acl-per-port-per-vlan", but I am not sure whether that is what I need. Thank you.
A VE on an ICX is the same as an SVI on a Cisco layer-3 switch, in case you are familiar with that.
vlan 100 name Example_VLAN
 untagged ethernet 1/1/1
 router-interface ve 100
!
interface ve 100
 ip address 192.168.100.1/24
!
In the above, you build a VLAN, associate it with some interfaces, then associate a VE with the VLAN. That creates the map between the VLAN, the interfaces, and the VE. Then you configure the VE (virtual interface) itself. Now, if you are applying an ACL to the VE interface, it is bound to the VLAN 100 ports.
interface Vlan100
 description Some_Description_Here
 ip address 192.168.100.1 255.255.255.0
 ip access-group NAME out
!
If you want to filter egress traffic, write a rule with both a source and a destination, or filter a specific protocol and port such as TCP or UDP, you need to use an extended access list. Either way, extended access lists are more flexible in that you can also use them to match ingress traffic if you choose.
If you simply want to match the source, you can use a standard ACL. In practice, though, these are usually used for controlling who has access to SSH or similar.
The above example assumes an extended, named access list.
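The VLAN, port and VE mapping described above is what decides which physical ports a VE ACL reaches, so it is worth being able to read it straight out of a running-config. The following is an added example, not code from this thread or from Ruckus/Brocade: it parses a constructed FastIron-style config (the `vlan` / `router-interface` / `interface ve` blocks in the same shape as the snippet above, plus an assumed `ip access-group NAME in` line under the VE), then reports, for every ACL bound to a VE, the member ports of that VE's VLAN, and separately lists ports that belong to more than one VLAN (tagged uplinks), since those are touched by a VE ACL on any of their VLANs. The config text, the ACL name `BLOCK_SMB` and the port numbers are all made up for the example.

```python
"""
Map ACLs bound to ICX VE interfaces back to the physical ports they cover.

Added example (not code from the thread). Parses a constructed FastIron-style
running-config and answers two questions: for each VE that carries an
'ip access-group', which VLAN member ports does that binding reach, and which
ports sit in more than one VLAN, so that a VE ACL on either VLAN touches them.
"""
import re
from collections import defaultdict

# Constructed sample config (assumption: FastIron block syntax as in the
# thread, plus 'ip access-group NAME in' under the VE). Not a real device.
SAMPLE_CONFIG = """\
vlan 100 name Example_VLAN
 untagged ethernet 1/1/1 to 1/1/4
 tagged ethernet 1/1/24
 router-interface ve 100
!
vlan 200 name Servers
 untagged ethernet 1/1/5
 tagged ethernet 1/1/24
 router-interface ve 200
!
interface ve 100
 ip address 192.168.100.1/24
 ip access-group BLOCK_SMB in
!
interface ve 200
 ip address 192.168.200.1/24
!
"""

PORT_RE = re.compile(r"^\d+/\d+/\d+$")


def _port_key(port):
    """Numeric sort key so 1/1/4 sorts before 1/1/24."""
    return tuple(int(p) for p in port.split("/"))


def expand_ports(tokens):
    """Expand 'ethernet 1/1/1 to 1/1/4 ethernet 1/1/24' into a flat port list."""
    ports = []
    want_range_end = False
    for tok in tokens:
        if tok in ("ethernet", "ethe", "e"):
            continue
        if tok == "to":
            if not ports:
                raise ValueError("'to' without a range start")
            want_range_end = True
            continue
        if not PORT_RE.match(tok):
            raise ValueError(f"unexpected token {tok!r}")
        if want_range_end:
            unit, slot, start = _port_key(ports[-1])
            u2, s2, end = _port_key(tok)
            if (u2, s2) != (unit, slot):
                raise ValueError("port range must stay within one unit/slot")
            ports.extend(f"{unit}/{slot}/{n}" for n in range(start + 1, end + 1))
            want_range_end = False
        else:
            ports.append(tok)
    return ports


def parse_icx_config(text):
    """Return {'vlans': {id: {name, ports, ve}}, 've_acls': {ve_id: [(acl, dir)]}}."""
    vlans = {}
    ve_acls = defaultdict(list)
    section = None  # ('vlan', id) or ('ve', id); '!' ends a section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section = None
            continue
        parts = line.split()
        if parts[0] == "vlan":
            vid = int(parts[1])
            name = parts[3] if len(parts) > 3 and parts[2] == "name" else None
            vlans[vid] = {"name": name, "ports": [], "ve": None}
            section = ("vlan", vid)
        elif parts[:2] == ["interface", "ve"]:
            section = ("ve", int(parts[2]))
        elif section and section[0] == "vlan":
            if parts[0] in ("tagged", "untagged"):
                vlans[section[1]]["ports"].extend(expand_ports(parts[1:]))
            elif parts[0] == "router-interface":
                # accepts both 'router-interface ve 100' and 'router-interface ve100'
                vlans[section[1]]["ve"] = int(re.sub(r"\D", "", "".join(parts[1:])))
        elif section and section[0] == "ve" and parts[:2] == ["ip", "access-group"]:
            ve_acls[section[1]].append((parts[2], parts[3]))
    return {"vlans": vlans, "ve_acls": dict(ve_acls)}


def ve_acl_port_map(cfg):
    """For each (ve, acl, direction) binding, the VLAN and its member ports."""
    ve_to_vlan = {v["ve"]: vid for vid, v in cfg["vlans"].items() if v["ve"] is not None}
    result = {}
    for ve_id, bindings in cfg["ve_acls"].items():
        vid = ve_to_vlan.get(ve_id)
        ports = sorted(cfg["vlans"][vid]["ports"], key=_port_key) if vid is not None else []
        for acl, direction in bindings:
            result[(ve_id, acl, direction)] = {"vlan": vid, "ports": ports}
    return result


def ports_in_multiple_vlans(cfg):
    """Ports (typically tagged uplinks) that are members of more than one VLAN."""
    seen = defaultdict(list)
    for vid, v in sorted(cfg["vlans"].items()):
        for port in v["ports"]:
            seen[port].append(vid)
    return {p: vids for p, vids in seen.items() if len(vids) > 1}


if __name__ == "__main__":
    cfg = parse_icx_config(SAMPLE_CONFIG)
    for (ve_id, acl, direction), info in ve_acl_port_map(cfg).items():
        print(f"ve {ve_id}: {acl} {direction} -> vlan {info['vlan']} "
              f"ports {', '.join(info['ports'])}")
    for port, vids in ports_in_multiple_vlans(cfg).items():
        print(f"port {port} is in VLANs {vids}; a VE ACL on any of them touches it")
```

Feed it `show running-config` output saved to a file instead of `SAMPLE_CONFIG` to audit a real switch; the shared-port report is the place to look when an ACL on one VE appears to affect a port you thought belonged only to another VLAN.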
Cisco certainly blocks the traffic when you apply the ACL to an SVI. I'm not saying whether it logically gets dropped on the SVI vs. the physical interface, but either way the traffic gets dropped.
Case in point: I have a pair of 6509s with the 2T supervisor, and there are a couple of SVIs with ACLs, and they clearly block the traffic from passing before routing occurs.
Now, if you are saying that, when I have two access-port interfaces in a VLAN and that VLAN has an SVI, traffic does not get blocked from physical interface to physical interface within the same VLAN, that is true. That said, it does get dropped when the SVI comes into play for layer-3 functionality, like traffic leaving its layer-2 subnet and a routing table being consulted to get it to some other destination subnet.
Are you saying that if you put an ACL on an ICX VRI (i.e. a VE), it will also filter the traffic between multiple physical interfaces within that same VLAN if routing doesn't occur?
Just asking, because usually the Cisco Software Virtual Interfaces (SVIs) and the ICX Virtual Router Interfaces (VRIs) serve predominantly as default gateways to get off a local subnet within a given VLAN, so there is usually layer-3 routing involved regardless of the platform.