Applying ACLs when routing between SVI and Routed Interface (no

rfranzke · ‎03-13-2013

Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface? Can someone just tell me if this is correct behavior? Thanks in advance.

cadet alain · ‎03-14-2013

Hi,

all traffic entering your SVI will get matched against the ACL applied inbound on this SVI even the traffic going out the routed p2p port.If it is leading to the border router you better not filter traffic if you want users from the vlan or beyond to access the internet.

Regards

Alain

Don't forget to rate helpful posts.

rfranzke · ‎03-14-2013

Thanks for the reply. Its not leading to a border router. All traffic is internal over this link. Each site has its own border. After posting this I realized that I have other SVIs with ACLs that work properly when sending traffic over this P2P link. This has to be something with this particular ACL. I'll just have to look deeper to see what it is. Again, thanks for the reply.

Applying ACLs when routing between SVI and Routed Interface (no switchport)