[c-nsp] VLAN Interfaces and ACLs on a 7600....am I losing my mind?

Steven Raymond sraymond at acedatacenter.com
Wed Jul 11 10:53:07 EDT 2012


On Jul 10, 2012, at 4:34 PM, John Neiberger wrote:

> I've always thought that a VACL would be required to affect intra-vlan
> traffic, but it sure seems like this traffic is hitting the ACL on the
> layer three interface. I'm more than willing to be wrong, or even to
> be losing my mind, but this doesn't make sense to me.  :)

I was bothered by the same problem recently, 7600s/SRD code.  Had migrated the layer-3 duties off these onto some Brocades, but the Ciscos' SVIs were still up and had ACLs applied.  The Ciscos were in the layer-2 path, host connected to 7600, and the SVI still up with ACL applied.  The host's default gateway was pointing to the Brocade.  Anyway, TFTP wasn't working for some reason, definitely not being permitted in the 7600's ACL, but it wasn't _routing_, so it should work, I thought.  Shutting down just the Cisco's SVI in that subnet made it work.  Am sure updating the ACL would have also worked.

So I concluded that if the Cisco is in the layer-2 switch path, at least some layer-3 inspection via ACLs happens, at least if it is a transit switch.  Even when it isn't "routing".  Yay for swouters!

Somewhat related, the Brocade MLXe series does this unabashedly, and is only undone with the command "acl-outbound exclude-switched-traffic ipv[4|6]".
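As an added illustration (not from the original post or any vendor documentation), here is what the setup described above looks like in IOS syntax, beside the VACL construct that is the documented mechanism for filtering traffic bridged within a VLAN. VLAN number, ACL names, addresses and the TFTP server are assumed.

```cisco
! Assumed topology: host in VLAN 10, default gateway on the Brocade,
! 7600 still in the layer-2 path with its SVI up and an ACL applied.
ip access-list extended VLAN10-IN
 permit tcp 10.10.0.0 0.0.255.255 any
 permit udp 10.10.0.0 0.0.255.255 any eq bootps
 ! no entry for udp/69 (tftp): the post describes TFTP failing here
 deny   ip any any
!
interface Vlan10
 ip address 10.10.0.2 255.255.0.0
 ip access-group VLAN10-IN in
!
! What the post did to restore TFTP: take the SVI down, so no
! layer-3 ACL is evaluated for VLAN 10 traffic transiting the 7600.
interface Vlan10
 shutdown
!
! The explicit alternative: state the intra-VLAN policy as a VACL
! instead of relying on the SVI ACL as a side effect. A packet that
! hits a permit entry in the referenced ACL matches that sequence;
! anything matching no sequence is dropped.
ip access-list extended VLAN10-TFTP
 permit udp 10.10.0.0 0.0.255.255 host 10.10.0.50 eq tftp
!
vlan access-map VLAN10-MAP 10
 match ip address VLAN10-TFTP
 action forward
vlan access-map VLAN10-MAP 20
 match ip address VLAN10-IN
 action forward
vlan access-map VLAN10-MAP 30
 action drop
!
vlan filter VLAN10-MAP vlan-list 10
```

On the Brocade side the post's own command, "acl-outbound exclude-switched-traffic ipv4", is the switch that turns this behaviour off for bridged traffic.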
