[c-nsp] VLAN Interfaces and ACLs on a 7600....am I losing my mind?

Blake Dunlap ikiris at gmail.com
Wed Jul 11 10:42:18 EDT 2012


On Tue, Jul 10, 2012 at 5:34 PM, John Neiberger <jneiberger at gmail.com> wrote:

> I'm running into something that is just baking my noodle. Imagine two
> 7600s connected via trunk:
>
> [ Router A ] ----(dot1q)--- [ Router B ]
>
> There are linux servers connected to layer two interfaces on both
> routers in VLAN 20. There are layer three interfaces configured on
> both routers on Interface Vlan 20, on which an ACL is applied. I've
> always thought that intra-vlan traffic would not be affected by ACLs
> applied to the layer three vlan interface, but we're seeing some
> pretty strange behavior. For example, if we try to ping a server
> connected to Router A from Router B, it fails...unless we change the
> DSCP markings, then it succeeds. Our ACLs do have dscp-related entries
> in them, but I don't understand why that would matter because this is
> all intra-vlan traffic.
>
> By the way, the original problem we started troubleshooting is that
> devices on the VLAN cannot ping each other even though they are all
> connected via plain jane L2 interfaces.
>
> I've always thought that a VACL would be required to affect intra-vlan
> traffic, but it sure seems like this traffic is hitting the ACL on the
> layer three interface. I'm more than willing to be wrong, or even to
> be losing my mind, but this doesn't make sense to me. :)
>
> Any thoughts?
>
>
If you watch the traffic go across the wire, do the mac addresses line up
like they should end to end on that L2 domain, or are you seeing the L3's
MAC on the 76xx in the conversation?


-Blake
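One way to run the check Blake suggests over a packet capture, as an added example that is not part of the thread: it parses constructed `tcpdump -e -nn` style lines and flags frames whose Ethernet destination is the SVI's MAC even though both IP addresses sit in the VLAN 20 subnet, i.e. local traffic that a host handed to the router instead of switching directly to its peer. The SVI MAC, the subnet and the sample lines are all assumed placeholders.

```python
import ipaddress
import re

# Assumed placeholders: MAC of interface Vlan20 on the 7600 and the VLAN 20 subnet.
SVI_MAC = "00:1e:4a:aa:bb:cc"
VLAN20 = ipaddress.ip_network("10.20.0.0/24")

# Constructed, abbreviated "tcpdump -e -nn" output (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.000001 00:50:56:11:11:11 > 00:50:56:22:22:22, ethertype IPv4 (0x0800), length 98: 10.20.0.11 > 10.20.0.22: ICMP echo request
12:00:01.000500 00:50:56:22:22:22 > 00:50:56:11:11:11, ethertype IPv4 (0x0800), length 98: 10.20.0.22 > 10.20.0.11: ICMP echo reply
12:00:02.000001 00:50:56:33:33:33 > 00:1e:4a:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 10.20.0.33 > 10.20.0.22: ICMP echo request
12:00:03.000001 00:50:56:11:11:11 > 00:1e:4a:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 10.20.0.11 > 192.0.2.5: ICMP echo request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-fA-F:]{17}) > (?P<dmac>[0-9a-fA-F:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+):"
)


def parse_frames(text):
    """Return one dict per IPv4 frame with source/dest MAC and IP."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append(m.groupdict())
    return frames


def classify(frame, svi_mac=SVI_MAC, vlan=VLAN20):
    """Say whether the frame was switched host-to-host or handed to the SVI."""
    both_local = (ipaddress.ip_address(frame["sip"]) in vlan
                  and ipaddress.ip_address(frame["dip"]) in vlan)
    to_svi = frame["dmac"].lower() == svi_mac.lower()
    if both_local and to_svi:
        return "ROUTED-INTRA-VLAN"   # same-subnet traffic sent to the router's MAC
    if both_local:
        return "SWITCHED"            # MACs line up end to end, pure L2
    if to_svi:
        return "ROUTED"              # off-subnet destination, SVI is the expected next hop
    return "OTHER"


def find_hairpinned(text, svi_mac=SVI_MAC, vlan=VLAN20):
    """Frames where intra-VLAN traffic is reaching the L3 interface."""
    return [f for f in parse_frames(text)
            if classify(f, svi_mac, vlan) == "ROUTED-INTRA-VLAN"]
```

Frames reported as ROUTED-INTRA-VLAN are the ones worth chasing: they reach the SVI, so an ACL applied there can plausibly act on them.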
