[c-nsp] VLAN Interfaces and ACLs on a 7600....am I losing my mind?

John Neiberger jneiberger at gmail.com
Wed Jul 11 11:24:29 EDT 2012


On Wed, Jul 11, 2012 at 8:53 AM, Steven Raymond
<sraymond at acedatacenter.com> wrote:
> On Jul 10, 2012, at 4:34 PM, John Neiberger wrote:
>
> I've always thought that a VACL would be required to affect intra-vlan
> traffic, but it sure seems like this traffic is hitting the ACL on the
> layer three interface. I'm more than willing to be wrong, or even to
> be losing my mind, but this doesn't make sense to me.  :)
>
>
> I was bothered by the same problem recently, 7600s/SRD code.  Had migrated
> the layer-3 duties off these onto some Brocades, but the Ciscos' SVIs were
> still up and had ACLs applied.  The Ciscos were in the layer-2 path, host
> connected to 7600, and the SVI still up with ACL applied.  The host's
> default gateway was pointing to the Brocade.  Anyway, TFTP wasn't working
> for some reason, definitely not being permitted in the 7600's ACL, but it
> wasn't _routing_, or so should work, I thought.  Shutting down just the
> Cisco's SVI in that subnet made it work.  Am sure updating the ACL would
> have also worked.
>
> So I concluded that if the Cisco is in the layer-2 switch path, at least
> some layer-3 inspection via ACLs happens, at least if it is a transit
> switch.  Even when it isn't "routing".  Yay for swouters!
>
> Somewhat related, the Brocade MLXe series does this unabashedly, and is only
> undone with the command "acl-outbound exclude-switched-traffic ipv[4|6]".
>
>

This seems like *exactly* what we're running into. So far, the end
hosts all appear to be configured correctly. We're troubleshooting now
and everything looks fine from the end device perspective. They all
have the right mask, gateway and broadcast address and they are
getting ARP replies from their neighbors with the correct MAC
addresses. I removed the L3 ACL as a test and it immediately started
working! That is so weird. I don't think I've ever seen this behavior
before. The SVI is clearly inserting itself into the path.

We're running 12.2(33)SRC4 on this box. If you saw this feature
in SRD, it would make sense that it might be in SRC4. I wonder if this
is a "bug" or if there is some valid reason why this is happening.  At
least I know I'm not the only one who's seen this bizarre behavior.
lol

Thanks,
John
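Added illustration, not configuration from the thread or from either poster: the two constructs the thread contrasts on Cisco IOS, an ACL bound to the SVI with `ip access-group` (meant for routed traffic) and a VACL built from a `vlan access-map` (the documented construct for bridged, intra-VLAN traffic). ACL names, the map name, VLAN number and addresses are constructed placeholders.

```cisco
! Constructed example; names (ROUTED-ONLY, INTRA-VLAN, VLAN100-MAP),
! VLAN 100 and 10.0.100.0/24 are placeholders, not the thread's network.
!
! 1) ACL on the SVI: written for traffic ROUTED through Vlan100.
!    TFTP only uses port 69 for the first request; the transfer continues
!    on ephemeral ports, so a stateless ACL must also permit that range.
ip access-list extended ROUTED-ONLY
 permit udp 10.0.100.0 0.0.0.255 any eq tftp
 permit udp 10.0.100.0 0.0.0.255 any range 1024 65535
 deny   ip any any log
!
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 ip access-group ROUTED-ONLY in
!
! 2) VACL: the construct meant for BRIDGED (intra-VLAN) traffic.
!    Packets matching INTRA-VLAN are forwarded; anything not matched by
!    any sequence is dropped by the access-map's implicit deny.
ip access-list extended INTRA-VLAN
 permit udp 10.0.100.0 0.0.0.255 10.0.100.0 0.0.0.255 eq tftp
 permit udp 10.0.100.0 0.0.0.255 10.0.100.0 0.0.0.255 range 1024 65535
 permit icmp 10.0.100.0 0.0.0.255 10.0.100.0 0.0.0.255
!
vlan access-map VLAN100-MAP 10
 match ip address INTRA-VLAN
 action forward
vlan filter VLAN100-MAP vlan-list 100
```

If removing the SVI ACL or shutting the SVI changes same-subnet traffic, as both posters report, the SVI ACL is being consulted for bridged frames on that platform and code; `show vlan filter` and `show ip interface Vlan100` list which VACL and which interface ACL are actually bound, and `show ip access-lists` shows which entries are incrementing.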
