From: CCIE 4 Me (ccie4me@inbox.lv)
Date: Thu Mar 02 2006 - 22:58:42 GMT-3
Ven,
It is very easy to figure out once one understands the functionality of the
SVI/VLAN.
Traffic only hits the SVI interface if it is leaving the SVI's IP
subnetwork. In your case, traffic will only cross the SVI if its destination
is outside network 10.0.0.0/24; if the traffic's destination is another
10.0.0.0/24 address, an access list on the SVI will achieve nothing, and a VACL
will be the better solution.
If the destination is a different network, a VACL applied to VLAN100 or an ACL
applied to the SVI will be fine as long as the traffic is IP. But I would be
wary of using VACLs any day, any time; it will always be my last choice. VACLs
allow you to break things faster than you can fix them, e.g. an innocent-
looking scenario like this:
"configure your switch network to deny icmp echo from host 10.0.0.1"
If the host above is in, say, VLAN100, I can use an ACL or a VACL. When using a
VACL...
access-list 109 deny icmp host 10.0.0.1 any echo
access-list 109 permit ip any any
might not be a sufficient answer to be used in your 'vlan access-map',
because by doing so you have eliminated the ARP packets that your network
depends upon to function. The funny thing is you will not notice anything,
because everything will work great, but once the proctor reboots your routers
and they start sending ARP packets to find each other, there will be a
problem and you will have a broken network.
So sticking in an additional MAC filter like 'permit mac any any 0x806 0x0'
will resolve the ARP problem, but I would avoid it where possible and use an ACL
on the SVI instead.
HTH
CCIE4Me.
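As an added illustration of the ARP problem described above (example configuration, not part of the original post): the first VLAN map matches only the IP ACL, so non-IP frames such as ARP match nothing and hit the implicit drop; the second adds a MAC ACL sequence that forwards ARP. The names VLAN100-MAP and ALLOW-ARP are assumptions, and the syntax assumes an IOS-based Catalyst switch.

```cisco
! Added example, not from the original post. VLAN100-MAP and ALLOW-ARP are assumed names.
!
! --- Broken: only an IP match clause. A 'deny' in the matched ACL means "no match",
! so the echo from 10.0.0.1 falls through to the implicit deny and is dropped (intended),
! but ARP is non-IP, matches no sequence at all, and is dropped too (not intended).
access-list 109 deny icmp host 10.0.0.1 any echo
access-list 109 permit ip any any
vlan access-map VLAN100-MAP 10
 match ip address 109
 action forward
vlan filter VLAN100-MAP vlan-list 100
!
! --- Fixed: add a MAC ACL sequence so ARP (ethertype 0x806) is explicitly forwarded.
mac access-list extended ALLOW-ARP
 permit any any 0x806 0x0
vlan access-map VLAN100-MAP 20
 match mac address ALLOW-ARP
 action forward
!
! --- Check: both sequences should be listed, and the map should be bound to VLAN 100.
show vlan access-map VLAN100-MAP
show vlan filter
```

An alternative that avoids the MAC ACL entirely is a first sequence that matches an ACL permitting only the ICMP echo from 10.0.0.1 with `action drop`, followed by a final sequence with no match clause and `action forward`, which then forwards everything else, ARP included.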
----- Original Message -----
From: "Venkatesh Palani" <kvpalani@gmail.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, March 02, 2006 12:08 PM
Subject: ACL on SVI
> Hi Guys,
>
> I got confused with applying an ACL on to an SVI. Say I have two switches,
> A and B, and there is a trunk that permits VLAN 100 between them, and each of
> the switches has an SVI for this VLAN; say switch A's SVI IP address is
> 10.0.0.1/24 and switch B's SVI IP address is 10.0.0.2/24. Added to this,
> switch A connects to the rest of the network. If I want to filter traffic
> from some hosts on VLAN 100 on switch B to a specific destination in the
> network, is it appropriate for me to apply an extended ACL on switch B's
> SVI in the outward direction?
>
> The reason for this confusion is that with a physical or logical interface it is
> easy to say inside and outside in reference to the router CPU, but with an SVI the
> inside/outside can be seen in two different ways...
>
> any help is appreciated
>
> Thank you,
> venkatesh
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:37 GMT-3