[c-nsp] SVI's and extended ACL's
Mark Tohill
Mark at u.tv
Fri Mar 23 11:18:24 EST 2007
Thanks to Shiling and all for replies.
Where is this sort of thing documented? I couldn't see any mention of it
in 12.2SX Config Guide.
Thanks again,
Mark
-----Original Message-----
From: Ding, Shiling [mailto:sding at otc.fsu.edu]
Sent: 23 March 2007 16:10
To: Mark Tohill
Subject: RE: [c-nsp] SVI's and extended ACL's
That's right, when you apply an ACL to an SVI, the out means from switch to
the VLAN network. In your case, 172.16.56.97 is the source, and
172.16.60.29 is the destination since you are trying RDP from
172.16.56.97 to 172.16.60.29.
shiling
*************************************
Shiling Ding
Networking Services
Office of Telecommunications
Florida State University
226 Shaw Building
Tallahassee, FL 32306-1120
Phone: (850)645-6810
Fax: (850)644-4554
Email: sding at otc.fsu.edu
*************************************
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tohill
Sent: Friday, March 23, 2007 11:51 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SVI's and extended ACL's
Hi,
We have the following (test)config:
!
interface Vlan600
description SVI_600
ip address 172.16.60.2 255.255.255.224
ip access-group VLAN600_INBOUND in
ip access-group VLAN600_OUTBOUND out
standby 100 ip 172.16.60.1
standby 100 priority 150
standby 100 preempt
standby 100 authentication <removed>
end
!
!
ip access-list extended VLAN600_INBOUND
remark ****** Established TCP
permit tcp any any established
remark ****** RDP
permit tcp host 172.16.56.97 any eq 3389 log
deny tcp any any eq 3389 log
!
ip access-list extended VLAN600_OUTBOUND
remark ****** RDP
permit tcp any eq 3389 host 172.16.56.97 log
deny tcp any any eq 3389 log
I'm trying to get RDP traffic in and out of VLAN 600 but getting the
following logging:
Mar 23 15:25:51.837 gmt: %SEC-6-IPACCESSLOGP: list VLAN600_OUTBOUND
denied tcp 172.16.56.97(45436) -> 172.16.60.29(3389), 3 packets
Despite the fact that VLAN600_OUTBOUND is applied outbound on VLAN 600,
it sees (according to the log) 172.16.56.97 as the source(???)
Is there something peculiar about SVI's and ACL's regarding direction? I
thought applying an ACL to an SVI was similar to applying it to a Layer 3
interface?
Mark
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
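The following is an added example, not code from the c-nsp thread above. It models first-match evaluation of IOS extended ACLs in Python, feeds the exact packet from Mark's log line (172.16.56.97:45436 -> 172.16.60.29:3389) through the VLAN600_OUTBOUND list as posted, and shows why it hits the deny: on the SVI, "out" means packets the switch routes into VLAN 600, so the ACL sees .97 as the source, exactly as Shiling says, while the posted permit only matches RDP replies (source port 3389) heading to .97. A corrected outbound entry is evaluated alongside it, and the constructed reply segment is run through VLAN600_INBOUND to show that its "established" line covers the return path. Assumptions of mine, not stated in the thread: an implicit deny at the end of every list, "established" meaning ACK or RST set, the logged packet being a bare SYN, and the VLAN 600 subnet being 172.16.60.0/27 (from 172.16.60.2 255.255.255.224).

```python
"""IOS extended-ACL evaluation on an SVI, modelled in Python (added example,
not code from the c-nsp thread). Assumptions: first match wins with an
implicit deny; 'established' = ACK or RST set; the SVI's 'out' ACL sees
packets the switch routes INTO the VLAN with their original addresses."""
from dataclasses import dataclass
import ipaddress

VLAN600 = ipaddress.IPv4Network("172.16.60.0/27")  # 172.16.60.2 /27 from the thread


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False  # set on every TCP segment after the initial SYN
    rst: bool = False


def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (IOS wildcard mask)."""
    if t[i] == "any":
        return ("any",), i + 1
    if t[i] == "host":
        return ("host", t[i + 1]), i + 2
    return ("net", t[i], t[i + 1]), i + 2


def _addr_match(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec[1:])
    mask = 0xFFFFFFFF ^ wildcard  # wildcard bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & mask) == (base & mask)


def parse_ace(line):
    """One ACE: '<permit|deny> tcp <src> [eq N] <dst> [eq N] [established] [log]'."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport = dport = None
    if t[i:i + 1] == ["eq"]:
        sport, i = int(t[i + 1]), i + 2
    dst, i = _parse_addr(t, i)
    if t[i:i + 1] == ["eq"]:
        dport, i = int(t[i + 1]), i + 2
    return {"action": t[0], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "established": "established" in t[i:], "text": line}


def ace_matches(ace, pkt):
    if ace["established"] and not (pkt.ack or pkt.rst):
        return False
    return (_addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)
            and ace["sport"] in (None, pkt.sport) and ace["dport"] in (None, pkt.dport))


def evaluate(acl, pkt):
    """First-match evaluation; returns (action, text of the matching ACE or None)."""
    for line in acl:
        if line.startswith("remark"):
            continue
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", None  # the implicit deny at the end of every IOS ACL


def svi_direction(pkt, vlan=VLAN600):
    """'in' for packets sent by a VLAN host, 'out' for packets routed to one."""
    if ipaddress.IPv4Address(pkt.src) in vlan:
        return "in"
    if ipaddress.IPv4Address(pkt.dst) in vlan:
        return "out"
    return None


# The two lists as posted in the thread (remarks omitted).
VLAN600_INBOUND = [
    "permit tcp any any established",
    "permit tcp host 172.16.56.97 any eq 3389 log",
    "deny tcp any any eq 3389 log",
]
VLAN600_OUTBOUND_AS_POSTED = [
    "permit tcp any eq 3389 host 172.16.56.97 log",  # only RDP *replies* towards .97
    "deny tcp any any eq 3389 log",
]
# Corrected outbound entry: the SYN is switch -> VLAN 600, so .97 is the *source*.
VLAN600_OUTBOUND_FIXED = [
    "permit tcp host 172.16.56.97 any eq 3389 log",
    "deny tcp any any eq 3389 log",
]

# The SYN from the thread's log line (assumed SYN-only) and its constructed reply.
RDP_SYN = Packet("172.16.56.97", "172.16.60.29", 45436, 3389)
RDP_REPLY = Packet("172.16.60.29", "172.16.56.97", 3389, 45436, ack=True)


def demo():
    return {
        "syn_direction": svi_direction(RDP_SYN),                         # 'out'
        "syn_as_posted": evaluate(VLAN600_OUTBOUND_AS_POSTED, RDP_SYN),  # the logged deny
        "syn_fixed": evaluate(VLAN600_OUTBOUND_FIXED, RDP_SYN),          # permit
        "reply_inbound": evaluate(VLAN600_INBOUND, RDP_REPLY),           # established permit
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and `syn_as_posted` comes back as the deny on `deny tcp any any eq 3389 log`, which is the line the switch logged; swapping the outbound permit so that host 172.16.56.97 is the source turns that into a permit, and the reply is already covered by the `established` entry in VLAN600_INBOUND, so the same host-to-port rule does not need to be duplicated there.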