[c-nsp] SVI's and extended ACL's

Mark Tohill Mark at u.tv
Fri Mar 23 11:18:24 EST 2007

Thanks to Shiling and all for replies.

Where is this sort of thing documented? I couldn't see any mention of it
in 12.2SX Config Guide.

Thanks again,

-----Original Message-----
From: Ding, Shiling [mailto:sding at otc.fsu.edu] 
Sent: 23 March 2007 16:10
To: Mark Tohill
Subject: RE: [c-nsp] SVI's and extended ACL's

That's right, when you apply an ACL to an SVI, "out" means from the switch to
the VLAN network. In your case, is the source, and is the destination since you are trying RDP from to


Shiling Ding
Networking Services
Office of Telecommunications
Florida State University
226 Shaw Building
Tallahassee, FL 32306-1120
Phone: (850)645-6810
Fax: (850)644-4554
Email: sding at otc.fsu.edu

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tohill
Sent: Friday, March 23, 2007 11:51 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SVI's and extended ACL's

We have the following (test)config:
interface Vlan600
 description SVI_600
 ip address
 ip access-group VLAN600_INBOUND in
 ip access-group VLAN600_OUTBOUND out
 standby 100 ip
 standby 100 priority 150
 standby 100 preempt
 standby 100 authentication <removed>
ip access-list extended VLAN600_INBOUND
 remark ****** Established TCP
 permit tcp any any established
 remark ****** RDP
 permit tcp host any eq 3389 log
 deny   tcp any any eq 3389 log
ip access-list extended VLAN600_OUTBOUND
 remark ****** RDP
 permit tcp any eq 3389 host log
 deny   tcp any any eq 3389 log

I'm trying to get RDP traffic in and out of VLAN 600 but getting the
following logging:

Mar 23 15:25:51.837 gmt: %SEC-6-IPACCESSLOGP: list VLAN600_OUTBOUND
denied tcp ->, 3 packets

Despite the fact that VLAN600_OUTBOUND is applied outbound on VLAN 600,
it sees (according to the log) as the source(???)

Is there something peculiar about SVI's and ACL's regarding direction? I
thought applying an ACL to an SVI was similar to applying to Layer 3
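The point Shiling makes, worked through on the ACLs from the original post. This is an added example, not code from the thread or from Cisco; it is a small Python model of IOS extended-ACL matching with the SVI direction rule ("in" = packets from a host in the VLAN entering the switch, "out" = packets the switch routes toward a host in the VLAN). Because the post had its addresses stripped, every address here is an assumption from the RFC 5737 documentation ranges: 192.0.2.0/24 stands for VLAN 600, 192.0.2.10 for the RDP host in it, 198.51.100.5 and 203.0.113.7 for machines outside the VLAN. Reading the posted config, the logged deny can only have come from "deny tcp any any eq 3389 log", i.e. a packet heading into the VLAN with destination port 3389; the permit in front of it, "permit tcp any eq 3389 host X", keys on source port 3389, so it matches only return traffic of sessions the VLAN host opened. The model shows that, and what the OUTBOUND list looks like with the port operand on the destination side.

```python
"""Toy matcher for Cisco IOS extended ACLs applied to an SVI (added example).

Addresses are assumptions (RFC 5737 ranges): 192.0.2.0/24 = VLAN 600,
192.0.2.10 = RDP host in it, 198.51.100.5 / 203.0.113.7 = outside hosts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack_or_rst: bool = False  # what IOS 'established' tests: ACK or RST bit set


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    text: str


def _addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard (inverse) mask; ipaddress accepts it as a hostmask
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port(t, i):
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_acl(config: str):
    """Parse the body of an 'ip access-list extended' (tcp ACEs only; remarks skipped)."""
    aces = []
    for line in config.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        if t[0] not in ("permit", "deny") or t[1] != "tcp":
            raise ValueError(f"only tcp ACEs are modelled: {line!r}")
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append(Ace(t[0], src, sport, dst, dport, "established" in t[i:], " ".join(t)))
    return aces


def evaluate(aces, pkt: Packet):
    """First match wins, then IOS's implicit deny. Returns (action, matching ACE text)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for a in aces:
        if (s in a.src and d in a.dst
                and (a.sport is None or a.sport == pkt.sport)
                and (a.dport is None or a.dport == pkt.dport)
                and (not a.established or pkt.ack_or_rst)):
            return a.action, a.text
    return "deny", "implicit deny ip any any"


def svi_filter(pkt: Packet, vlan: str, inbound, outbound):
    """'in' = from a VLAN host into the switch; 'out' = routed by the switch toward
    a VLAN host. Bridged intra-VLAN traffic never hits SVI ACLs (that needs a VACL)."""
    net = ipaddress.ip_network(vlan)
    src_in = ipaddress.ip_address(pkt.src) in net
    dst_in = ipaddress.ip_address(pkt.dst) in net
    if src_in == dst_in:
        raise ValueError("not routed through the SVI")
    return evaluate(inbound if src_in else outbound, pkt)


VLAN600 = "192.0.2.0/24"  # assumed
INBOUND = parse_acl("""
 permit tcp any any established
 permit tcp host 192.0.2.10 any eq 3389 log
 deny   tcp any any eq 3389 log
""")
# As posted: the permit keys on SOURCE port 3389 ('any eq 3389 host X')
OUTBOUND_AS_POSTED = parse_acl("""
 permit tcp any eq 3389 host 192.0.2.10 log
 deny   tcp any any eq 3389 log
""")
# Fixed: RDP toward the VLAN host has DESTINATION port 3389; return traffic via established
OUTBOUND_FIXED = parse_acl("""
 permit tcp any any established
 permit tcp any host 192.0.2.10 eq 3389 log
 deny   tcp any any eq 3389 log
""")


def rdp_scenarios(outbound):
    """Two RDP sessions (one into VLAN 600, one out of it), first packet each way."""
    pkts = [
        ("syn_to_vlan", Packet("198.51.100.5", "192.0.2.10", 51000, 3389)),
        ("ack_from_vlan", Packet("192.0.2.10", "198.51.100.5", 3389, 51000, ack_or_rst=True)),
        ("syn_from_vlan", Packet("192.0.2.10", "203.0.113.7", 52000, 3389)),
        ("ack_to_vlan", Packet("203.0.113.7", "192.0.2.10", 3389, 52000, ack_or_rst=True)),
    ]
    return {name: svi_filter(p, VLAN600, INBOUND, outbound)[0] for name, p in pkts}


if __name__ == "__main__":
    for label, acl in [("as posted", OUTBOUND_AS_POSTED), ("fixed", OUTBOUND_FIXED)]:
        print(label, rdp_scenarios(acl))
```

Running it, the posted OUTBOUND list denies the connection attempt toward the VLAN host (the SYN with destination port 3389, matching the logged deny) while still permitting the return leg of a session the VLAN host opened, because that leg does carry source port 3389; the fixed list permits both. Two simplifications to keep in mind: the model treats "established" as IOS does (ACK or RST set, no state), and it only covers routed traffic, since an ACL on an SVI is not consulted for frames bridged between hosts of the same VLAN.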


cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/
