[c-nsp] VLAN Interfaces and ACLs on a 7600....am I losing my mind?

John Neiberger jneiberger at gmail.com
Tue Jul 10 18:34:10 EDT 2012


I'm running into something that is just baking my noodle. Imagine two
7600s connected via trunk:

[ Router A ] ----(dot1q)--- [ Router B ]

There are Linux servers connected to layer two interfaces on both
routers in VLAN 20. There are layer three interfaces configured on
both routers on Interface Vlan 20, on which an ACL is applied. I've
always thought that intra-VLAN traffic would not be affected by ACLs
applied to the layer three VLAN interface, but we're seeing some
pretty strange behavior. For example, if we try to ping a server
connected to Router A from Router B, it fails... unless we change the
DSCP markings, then it succeeds. Our ACLs do have DSCP-related entries
in them, but I don't understand why that would matter because this is
all intra-VLAN traffic.

By the way, the original problem we started troubleshooting is that
devices on the VLAN cannot ping each other even though they are all
connected via plain-Jane L2 interfaces.

I've always thought that a VACL would be required to affect intra-VLAN
traffic, but it sure seems like this traffic is hitting the ACL on the
layer three interface. I'm more than willing to be wrong, or even to
be losing my mind, but this doesn't make sense to me. :)

Any thoughts?

Thanks,
John
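As an added, constructed illustration of the two places an ACL can sit in the topology described above (this is not John's configuration and is not taken from the original post; the ACL and access-map names, the 10.20.0.0/24 addressing and the DSCP value are assumed): a router ACL applied to the Vlan 20 SVI with `ip access-group`, next to a VACL applied to the VLAN itself with `vlan filter`, which is the construct that matches frames bridged between two layer two ports in the same VLAN.

```cisco
! Constructed example, not the poster's configuration.
! Names (ROUTED-IN, VLAN20-VACL, VLAN20-MAP), addresses and the
! DSCP value are assumed for illustration.

! 1) Router ACL (RACL) on the SVI. This is applied with
!    "ip access-group" and is the kind of ACL the post describes.
ip access-list extended ROUTED-IN
 permit ip any any dscp ef
 permit icmp 10.20.0.0 0.0.0.255 any
 deny   ip any any

interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group ROUTED-IN in

! 2) VLAN ACL (VACL). This is bound to VLAN 20 with "vlan filter"
!    and is evaluated for all traffic in the VLAN, including frames
!    bridged between two layer two access ports in VLAN 20.
ip access-list extended VLAN20-VACL
 permit ip 10.20.0.0 0.0.0.255 10.20.0.0 0.0.0.255

vlan access-map VLAN20-MAP 10
 match ip address VLAN20-VACL
 action forward
! A sequence with no match clause matches everything else.
vlan access-map VLAN20-MAP 20
 action drop

vlan filter VLAN20-MAP vlan-list 20

! Verification:
! show ip access-lists ROUTED-IN
! show ip interface Vlan20 | include access list
! show vlan access-map VLAN20-MAP
! show vlan filter
```

When comparing the two, the useful check is which of them is actually bound to VLAN 20 on each router: `show vlan filter` lists VACLs and the VLANs they are applied to, and `show ip interface Vlan20` shows the inbound and outbound router ACLs on the SVI. Changing the DSCP-matching entries in ROUTED-IN and re-testing the intra-VLAN ping isolates whether the RACL entries are involved, without altering the VACL.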