03-13-2013 03:06 PM - edited 03-07-2019 12:13 PM
Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface? Can someone just tell me if this is correct behavior? Thanks in advance.
03-14-2013 12:11 AM
Hi,
All traffic entering your SVI will get matched against the ACL applied inbound on this SVI, even the traffic going out the routed p2p port. If it is leading to the border router, you had better not filter traffic if you want users from the VLAN or beyond to access the internet.
Regards
Alain
Don't forget to rate helpful posts.
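As an added example, not taken from any post in this thread, here is an IOS configuration of the kind the answer above describes: an extended ACL applied inbound on the VLAN 20 SVI, plus a routed port toward the colo. The ACL name, the VLAN 30 "server" VLAN, the port number and every address are made up for illustration.

```cisco
! Added example; names, VLAN numbers, port and addresses are constructed, not from the thread.
ip access-list extended VLAN20-IN
 remark Hosts in VLAN 20 may reach the colo subnet; this traffic leaves via the routed P2P port
 permit ip 10.20.0.0 0.0.0.255 10.99.0.0 0.0.0.255
 remark Hosts in VLAN 20 may not reach the server VLAN (VLAN 30); this traffic leaves via another SVI
 deny   ip 10.20.0.0 0.0.0.255 10.30.0.0 0.0.0.255 log
 remark Anything else from VLAN 20 (e.g. to the Internet via the local border) is allowed
 permit ip 10.20.0.0 0.0.0.255 any
 remark Packets with a source address that does not belong to VLAN 20 are dropped
 deny   ip any any log
!
interface Vlan20
 description VLAN 20 users
 ip address 10.20.0.1 255.255.255.0
 ip access-group VLAN20-IN in
!
interface GigabitEthernet1/0/48
 description Routed P2P link to colo (assumed port)
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! Verification (show commands, not configuration):
!   show ip interface vlan 20         - "Inbound access list is VLAN20-IN" confirms the ACL is applied
!   show access-lists VLAN20-IN       - review the entries in the order the switch evaluates them
!   show ip route 10.99.0.0           - confirms the colo prefix really exits through the routed port
```

Every packet routed in from VLAN 20 is evaluated top-down against VLAN20-IN, first match wins, and the egress interface (another SVI or the routed port) plays no part in that decision. Two things to check when a flow that "should" be blocked gets through: whether a broader permit entry above the deny already matches it, and whether the flow is actually entering on the SVI at all. Return traffic arriving from the colo enters on the routed port, so the inbound SVI ACL never sees it; that direction needs an inbound ACL on the routed port or an outbound ACL on the SVI. The log keyword on the deny entries sends matching packets to the CPU on this platform, so keep it to entries you expect to hit rarely.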
03-14-2013 07:32 AM
Thanks for the reply. It's not leading to a border router. All traffic is internal over this link. Each site has its own border. After posting this I realized that I have other SVIs with ACLs that work properly when sending traffic over this P2P link. This has to be something with this particular ACL. I'll just have to look deeper to see what it is. Again, thanks for the reply.