[c-nsp] SVI's and extended ACL's

Mark Tohill Mark at u.tv
Fri Mar 23 10:50:45 EST 2007


Hi,
 
We have the following (test) config:
 
!
interface Vlan600
 description SVI_600 
 ip address 172.16.60.2 255.255.255.224
 ip access-group VLAN600_INBOUND in
 ip access-group VLAN600_OUTBOUND out
 standby 100 ip 172.16.60.1
 standby 100 priority 150
 standby 100 preempt
 standby 100 authentication <removed>
end
!
!
ip access-list extended VLAN600_INBOUND
 remark ****** Established TCP
 permit tcp any any established
 remark ****** RDP
 permit tcp host 172.16.56.97 any eq 3389 log
 deny   tcp any any eq 3389 log
!
ip access-list extended VLAN600_OUTBOUND
 remark ****** RDP
 permit tcp any eq 3389 host 172.16.56.97 log
 deny   tcp any any eq 3389 log


I'm trying to get RDP traffic in and out of VLAN 600 but getting the
following logging:

Mar 23 15:25:51.837 gmt: %SEC-6-IPACCESSLOGP: list VLAN600_OUTBOUND
denied tcp 172.16.56.97(45436) -> 172.16.60.29(3389), 3 packets

Despite the fact that VLAN600_OUTBOUND is applied outbound on VLAN 600,
it sees (according to the log) 172.16.56.97 as the source(???)

Is there something peculiar about SVIs and ACLs regarding direction? I
thought applying an ACL to an SVI was similar to applying one to a Layer 3
interface?

Mark
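Replaying the logged packet through the posted ACLs, as an added example that is not part of the original post. It assumes the standard IOS meaning of in/out on an SVI (out = traffic the switch forwards toward hosts in the VLAN, in = traffic those hosts send toward the switch) and takes the /27 subnet from the posted interface line; the ACL texts are copied from the post with remarks dropped.

```python
"""Replay the logged RDP SYN through the SVI ACLs quoted above (added example, not the post's own code).
Supports only the IOS extended-ACL subset used there: permit|deny tcp SRC [eq PORT] DST [eq PORT]
[established] [log], with SRC/DST = any | host A.B.C.D. Assumed IOS semantics: on an SVI, 'out' filters
traffic the switch forwards toward hosts in the VLAN subnet; 'in' filters traffic those hosts send to it."""
from ipaddress import ip_address, ip_network

# ACL bodies copied from the post (remark lines dropped); subnet from 'ip address 172.16.60.2 255.255.255.224'
VLAN600_INBOUND = """permit tcp any any established
permit tcp host 172.16.56.97 any eq 3389 log
deny tcp any any eq 3389 log"""
VLAN600_OUTBOUND = """permit tcp any eq 3389 host 172.16.56.97 log
deny tcp any any eq 3389 log"""
VLAN600_SUBNET = ip_network("172.16.60.0/27")

def parse_ace(line):
    """Parse one ACE; 'match' is (src, sport, dst, dport) with None meaning 'any'."""
    t = line.split()
    i, fields = 2, []                       # t[0] = action, t[1] = protocol
    for _ in range(2):                      # source endpoint, then destination endpoint
        if t[i] == "any":
            addr, i = None, i + 1
        elif t[i] == "host":
            addr, i = t[i + 1], i + 2
        else:
            raise ValueError(f"unsupported address form: {t[i]}")
        port = None
        if i < len(t) and t[i] == "eq":
            port, i = int(t[i + 1]), i + 2
        fields += [addr, port]
    return {"action": t[0], "match": tuple(fields), "established": "established" in t[i:], "text": line}

def svi_direction(dst_ip, subnet=VLAN600_SUBNET):
    """Which SVI ACL sees a packet: 'out' if it is headed into the VLAN subnet, else 'in'."""
    return "out" if ip_address(dst_ip) in subnet else "in"

def first_match(acl_text, src, sport, dst, dport, established=False):
    """Return the first ACE matching the packet, or the implicit deny at the end of the list."""
    for ace in map(parse_ace, acl_text.splitlines()):
        if ace["established"] and not established:
            continue                        # 'established' needs ACK or RST set; a SYN has neither
        if all(v is None or v == p for v, p in zip(ace["match"], (src, sport, dst, dport))):
            return ace
    return {"action": "deny", "match": (None,) * 4, "established": False, "text": "<implicit deny>"}

if __name__ == "__main__":  # the packet from the log line: 172.16.56.97(45436) -> 172.16.60.29(3389)
    d = svi_direction("172.16.60.29")
    hit = first_match(VLAN600_OUTBOUND if d == "out" else VLAN600_INBOUND, "172.16.56.97", 45436, "172.16.60.29", 3389)
    print(f"direction={d}; matched: {hit['text']}")
```

Running it prints the same ACE the switch logged as the match; evaluating the SYN-ACK that would come back from 172.16.60.29 shows which list and which ACE handle the return leg.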
