access-list on VE interface blocks traffic for whole VLAN

mielch_qwerty
New Contributor II
Hello all. I will be grateful for the help.
I have applied an ACL on a VE interface and it seems the ACL was applied not only on the VE but on the physical interface too. Is this correct?
I have not found any info about it, except for "enable acl-per-port-per-vlan", but I am not sure whether it is what I need.
Thank you.



jijo_panangat
RUCKUS Team Member
Hello Mielch,


A Ve on an ICX is the same as an SVI on a Cisco layer-3 switch, in case you are familiar with that.

For example:

vlan 100 name Example_VLAN
 untag ethernet 1/1/1
 router-interface ve100

interface ve 100
 ip address 192.168.100.1/24

In the above, you build a VLAN, associate it with some interfaces, then associate a VE with the VLAN. That creates the mapping between the VLAN, interfaces, and VE. Then you configure the VE (virtual interface).
Now, if you apply an ACL to the Ve interface, it is bound to the VLAN 100 ports.

To expound on what Jijo Panangat said:

On both platforms you put the ACL on the actual Layer-3 Interface whatever that happens to be...


ICX Device:

vlan 100 name Example_VLAN
 untag ethernet 1/1/1
 router-interface ve100
!


interface ve 100
 port-name Some_Description_Here
 ip address 192.168.100.1/24
 ip access-group NAME out
!


Cisco:

vlan 100
 name Example_VLAN
!


interface GigabitEthernet1/1/1
 switchport access vlan 100
 switchport mode access
!

interface Vlan100
 description Some_Description_Here
 ip address 192.168.100.1 255.255.255.0
 ip access-group NAME out
!


**********

If you want to filter egress traffic, make any rule with a source and destination, or filter a specific protocol and port such as TCP or UDP, you need to use an extended access list. Either way, extended access lists are more flexible in that you can also use them to match ingress traffic if you choose.

If you want to simply match the source, you can use a standard ACL. In practice, though, these are usually used to control who has access to SSH or similar.

The above example assumes an extended, named access list.
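The point of both replies is that on an ICX the ACL you bind to a VE is in effect bound to every physical port carried by that VE's VLAN. The script below is an added example (not code from the thread, Ruckus or Cisco) that parses an ICX-style configuration in the form shown above and reports, for each `ip access-group` on a VE, which VLAN and which physical ports that ACL reaches, so you can review the real scope of a VE ACL before applying it. The configuration text is constructed for the example: the ACL names, VLAN 200, the `tagged` keyword and the `1/1/10 to 1/1/12` port range are assumptions modelled on the thread's snippet, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample configuration in the ICX style used in the thread.
# VLAN 200, the ACL names and the "to" port range are made up for illustration.
SAMPLE_CONFIG = """
vlan 100 name Example_VLAN
 untag ethernet 1/1/1
 untag ethernet 1/1/2
 tagged ethernet 1/1/24
 router-interface ve100
!
vlan 200 name Servers
 untag ethernet 1/1/10 to 1/1/12
 router-interface ve 200
!
interface ve 100
 port-name Some_Description_Here
 ip address 192.168.100.1/24
 ip access-group NAME out
!
interface ve 200
 ip address 192.168.200.1/24
 ip access-group SERVER_IN in
!
"""

VLAN_RE = re.compile(r"^vlan\s+(\d+)(?:\s+name\s+(\S+))?")
VE_RE = re.compile(r"^interface\s+ve\s*(\d+)")
ROUTER_IF_RE = re.compile(r"^\s+router-interface\s+ve\s*(\d+)")
# "untag"/"untagged"/"tag"/"tagged" ethernet <port> [to <port>]
PORT_RE = re.compile(r"^\s+(?:un)?tag(?:ged)?\s+ethe\S*\s+(\S+)(?:\s+to\s+(\S+))?")
ACL_RE = re.compile(r"^\s+ip\s+access-group\s+(\S+)\s+(in|out)\b")


def expand_ports(first, last):
    """Expand a unit/slot/port range such as 1/1/10 .. 1/1/12 into single ports.
    Only the last field may differ; unit and slot must match."""
    if last is None:
        return [first]
    a, b = first.split("/"), last.split("/")
    if a[:-1] != b[:-1]:
        raise ValueError(f"cannot expand range {first} to {last}")
    prefix = "/".join(a[:-1])
    return [f"{prefix}/{n}" for n in range(int(a[-1]), int(b[-1]) + 1)]


def parse_config(text):
    """Return (vlans, ves): vlan id -> {name, ports, ve}; ve id -> [(acl, direction)]."""
    vlans = {}
    ves = defaultdict(list)
    current = None  # ("vlan", id) or ("ve", id) while inside a block
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None  # "!" or a blank line closes the block
            continue
        m = VLAN_RE.match(line)
        if m:
            vid = int(m.group(1))
            vlans[vid] = {"name": m.group(2), "ports": [], "ve": None}
            current = ("vlan", vid)
            continue
        m = VE_RE.match(line)
        if m:
            current = ("ve", int(m.group(1)))
            ves[current[1]]  # register the VE even if it carries no ACL
            continue
        if current is None:
            continue
        kind, ident = current
        if kind == "vlan":
            m = PORT_RE.match(line)
            if m:
                vlans[ident]["ports"].extend(expand_ports(m.group(1), m.group(2)))
                continue
            m = ROUTER_IF_RE.match(line)
            if m:
                vlans[ident]["ve"] = int(m.group(1))
        else:
            m = ACL_RE.match(line)
            if m:
                ves[ident].append((m.group(1), m.group(2)))
    return vlans, dict(ves)


def acl_scope(text):
    """For every ACL bound to a VE, list the VLAN it maps to and that VLAN's
    physical ports: on an ICX those ports are where the VE's ACL takes effect."""
    vlans, ves = parse_config(text)
    ve_to_vlan = {v["ve"]: vid for vid, v in vlans.items() if v["ve"] is not None}
    scope = []
    for ve_id, bindings in sorted(ves.items()):
        vid = ve_to_vlan.get(ve_id)
        for acl, direction in bindings:
            scope.append({"acl": acl, "direction": direction, "ve": ve_id,
                          "vlan": vid,
                          "ports": list(vlans[vid]["ports"]) if vid is not None else []})
    return scope


if __name__ == "__main__":
    for e in acl_scope(SAMPLE_CONFIG):
        print(f"ACL {e['acl']} ({e['direction']}) on ve {e['ve']} "
              f"-> VLAN {e['vlan']} ports {', '.join(e['ports']) or '(none)'}")
```

An entry with `"vlan": None` means the VE has no `router-interface` pointing at it, which is worth flagging in a review since the ACL then has no port scope at all; extend the regexes if your running config uses other port-list forms than those assumed here.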

Hi NETWizz,
Cisco doesn't block traffic on physical interfaces by applying ACL on SVI, while ICX does.


Cisco certainly blocks the traffic when you apply the ACL to an SVI. Not saying whether it logically gets dropped on the SVI vs. the physical interface, but either way the traffic gets dropped.

Case in point: I have a pair of 6509s with the 2T supervisor, and there are a couple of SVIs with ACLs, and they clearly block the traffic from passing before routing occurs.

Now, if you are saying that I have two access-port interfaces in a VLAN, and that VLAN has an SVI, and that traffic does not get blocked from physical interface to physical interface within the same VLAN, that is true. That said, it does get dropped when the SVI comes into play for layer-3 functionality, like traffic leaving its layer-2 subnet and a routing table being consulted to get it to some other destination subnet.

****

Are you saying if you put an ACL on an ICX VRI (i.e. a VE), that it will also filter the traffic between multiple physical interfaces within that same VLAN if routing doesn't occur?

Just asking because usually the Cisco Software Virtual Interfaces (SVIs) and the ICX Virtual Router Interfaces (VRIs) serve predominantly as default-gateways to get off a local subnet within a given VLAN, so there is usually Layer-3 routing involved regardless of the platform.