[c-nsp] SVI's and extended ACL's
Mark Tohill
Mark at u.tv
Fri Mar 23 10:50:45 EST 2007
Hi,
We have the following (test)config:
!
interface Vlan600
description SVI_600
ip address 172.16.60.2 255.255.255.224
ip access-group VLAN600_INBOUND in
ip access-group VLAN600_OUTBOUND out
standby 100 ip 172.16.60.1
standby 100 priority 150
standby 100 preempt
standby 100 authentication <removed>
end
!
!
ip access-list extended VLAN600_INBOUND
remark ****** Established TCP
permit tcp any any established
remark ****** RDP
permit tcp host 172.16.56.97 any eq 3389 log
deny tcp any any eq 3389 log
!
ip access-list extended VLAN600_OUTBOUND
remark ****** RDP
permit tcp any eq 3389 host 172.16.56.97 log
deny tcp any any eq 3389 log
I'm trying to get RDP traffic in and out of VLAN 600 but getting the
following logging:
Mar 23 15:25:51.837 gmt: %SEC-6-IPACCESSLOGP: list VLAN600_OUTBOUND
denied tcp 172.16.56.97(45436) -> 172.16.60.29(3389), 3 packets
Despite the fact that VLAN600_OUTBOUND is applied outbound on VLAN 600,
it sees (according to the log) 172.16.56.97 as the source(???)
Is there something peculiar about SVI's and ACL's regarding direction? I
thought applying an ACL to an SVI was similar to applying to Layer 3
interface?
Mark
More information about the cisco-nsp
mailing list