03-12-2009 06:06 AM - edited 03-06-2019 04:32 AM
Hey everyone :)
So, I have two 6500s and a vlan trunked between them (VLANx)
Running HSRP on the VLANx
6500-1 is 10.10.10.1
6500-2 is 10.10.10.2
HSRP is active on 6500-1 with 10.10.10.3
I have an inbound ACL on both VLANx interfaces that does not permit anything but UDP traffic.
I can ping and telnet 6500-1 10.10.10.1 ip address
I cannot ping or telnet 6500-2 10.10.10.2
I cannot ping or telnet 6500-1 10.10.10.3 HSRP
How does that work?
I would have thought, that I would not be able to ping or telnet to any of the interfaces, as it is an inbound ACL?
Is there sommat that happens in the ACL process that says, if you are directly for me, allow it or don't pass it through the ACL?
I'm confused.com :)
Many thx
Ken
03-12-2009 06:42 AM
No prob mate.
If you have applied an ACL inbound to an SVI denying icmp/telnet then it will not be permitted.
I'm guessing your setup is as below (apart from the IP's and names) :-
ip access-list extended Test
 permit udp any any
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group Test in
 standby 16 ip 192.168.1.3
 standby 16 preempt
If so, any device on the 192.168.1.0/24 network will not be able to ping or telnet to the address, but other offnets should be able to.
03-12-2009 07:22 AM
Ken
3) SVI sends packet back. Yes but an inbound acl on the vlan interface would not affect that. Actually an outbound acl wouldn't either but that's to do with an outbound acl not affecting packet sourced by the router interface.
So the inbound acl on vlan X SVI never gets invoked when you ping that interface IP address. Packet from your PC never actually hits the inbound ACL - remember an inbound acl on a vlan interface affects traffic coming from devices on the vlan ie. 10.10.10.x.
And the return traffic never hits the inbound acl either.
Does this make sense ?
Jon
03-12-2009 06:14 AM
Hi
Can you post the relevant config and also the source for your ping/telnet connections.
03-12-2009 06:30 AM
Hi Adam,
I am really sorry, I can't post the configs, not permitted to, but the config is quite simple mate :)
I am thinking that it may be sommat platform specific that says if a packet is destined for an SVI directly on the router, it would be allowed?
Many thx for the ultra fast response mate :))
Ken
03-12-2009 06:44 AM
Hey mate, that is correct. The thing is, yes, packets should be able to get to the LAN from offnets, but I should not get a reply correct?
I am getting replies from my PC to one of the 6500 interface addresses, ie, the active one. Not the HSRP address, but the physical interface?
:)
Man, you guys are quick :))
Many thx
Ken
03-12-2009 06:48 AM
Ken
Do you get replies if you try to ping a device on the vlan and not the 6500 interface address ?
An inbound acl on the vlan interface will not affect the ability of the vlan interface to respond to a ping and nor will it stop the packet reaching the interface, unless of course you are doing it from the vlan itself.
Jon
03-12-2009 06:50 AM
Anything on the LAN, I cannot ping. It is just the active (physical interface)
I am just gonna do a quick piccie :) Just so I am not confusing anyone, as I don't want to waste anyone's valuable time.
Thx Jon :))
03-12-2009 07:04 AM
03-12-2009 07:09 AM
Ken
It makes sense that the PC can ping 10.10.10.1 because the packet does not go inbound on the vlan interface at any time - see previous post.
It also makes sense that you cannot ping any of the devices on the 10.10.10.x network because their responses would have to come back into vlan interface with the access-list and so would be dropped.
Where things are a little unclear is with 10.10.10.2 and 10.10.10.3. I suspect as I said before this is due to how packets enter the 6500 from your PC. Because all the L3 interfaces are virtual it can sometimes be quite difficult to envisage the path the packets take once they enter the 6500.
Jon
03-12-2009 07:17 AM
Hi Jon,
In ref to the diagram:
Because of the routing to the R1 and R2 from the core of the network, it is quite possible that traffic destined for .2 and .3 IP addresses come into R1 and then use the connected link from there to get to R2 *from* R1
So that would explain that.
BUT.
And please tell me that I am wrong. I thought that the interface .1 would also block it.
ie, process flow
1. packet comes into the router
2. router has to switch the packet to the SVI. Packet is now on the LAN (vlanx).
3. SVI now sends a packet back from the SVI (which is on vlanx) back to the destination, ie ICMP echo reply, or return telnet traffic.
4. This return packet hits SVI ACL?
5. Packet denied.
That would be the logic from my side. I assume I am wrong :)
If so, also, do Cisco documents state this order of operation for the router/interface processing of the packet?
Many thanks for this guys, It is brill the responses I am getting :)
Many thx
Ken
03-12-2009 07:29 AM
Perfect mate.
Jon, Adam, Many thanks for the input. I am gonna store this post away so I don't forget how this works :))
Many thx indeed,
Ken
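A worked model of where the inbound SVI ACL is and is not evaluated, following the packet path Jon and Ken settle on above. This is an added example written for this page, not code from the thread or from Cisco: a small Python simulation of the rule that an inbound ACL filters only packets entering the router through that interface, and that replies the router generates itself are not subject to an interface ACL. The 10.10.10.0/24 VLAN, the .1/.2 addresses and the UDP-only ACL with its final "deny ip any any log" follow the thread; the uplink prefixes, the off-net PC address, the VLAN host address and the interface names are assumed. The HSRP address .3 is deliberately left out, since the thread does not settle how that path is reached.

```python
"""Constructed model of inbound ACL evaluation on SVIs (not a Cisco implementation)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp" or "udp"


@dataclass
class Interface:
    name: str
    network: str                    # connected prefix
    address: str                    # router's own address on that interface
    acl_in: Optional[list] = None   # [(action, proto), ...]; None = no ACL applied


def acl_permits(acl, pkt):
    """IOS-style evaluation: first matching line wins, implicit deny at the end."""
    if acl is None:
        return True
    for action, proto in acl:
        if proto in ("ip", pkt.proto):
            return action == "permit"
    return False


class Router:
    def __init__(self, name, interfaces, default_via):
        self.name = name
        self.ifs = {i.name: i for i in interfaces}
        self.default_via = default_via

    def receive(self, pkt, ingress, trace):
        """Packet enters on `ingress`. Returns "local", an egress name, or None if dropped."""
        # The inbound ACL is checked only on the interface the packet arrived through.
        if not acl_permits(self.ifs[ingress].acl_in, pkt):
            trace.append(f"{self.name}: dropped (and logged) by inbound ACL on {ingress}")
            return None
        if any(pkt.dst == i.address for i in self.ifs.values()):
            trace.append(f"{self.name}: {pkt.dst} is my own address; reply is "
                         "router-sourced and not subject to an interface ACL")
            return "local"
        for i in self.ifs.values():
            if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(i.network):
                trace.append(f"{self.name}: forwarded out {i.name} (connected)")
                return i.name
        trace.append(f"{self.name}: forwarded out {self.default_via} (default route)")
        return self.default_via


# Constructed topology: VLANx = 10.10.10.0/24, 6500-1 = .1, 6500-2 = .2, both SVIs
# with the UDP-only inbound ACL. Uplink prefixes, PC and host addresses are assumed.
VLAN_ACL = [("permit", "udp"), ("deny", "ip")]            # "deny ip any any log"
R1 = Router("6500-1", [Interface("Uplink", "192.0.2.0/30", "192.0.2.1"),
                       Interface("VlanX", "10.10.10.0/24", "10.10.10.1", VLAN_ACL)],
            default_via="Uplink")
R2 = Router("6500-2", [Interface("Uplink", "192.0.2.4/30", "192.0.2.5"),
                       Interface("VlanX", "10.10.10.0/24", "10.10.10.2", VLAN_ACL)],
            default_via="Uplink")
VLAN_HOST = "10.10.10.50"       # assumed server sitting on VLANx
OFFNET_PC = "172.16.9.10"       # assumed PC several hops away, arriving via R1's uplink


def reachable(src, dst, proto, first_hop=R1, ingress="Uplink"):
    """Does `src` get a reply from `dst`? Returns (bool, trace of decisions)."""
    trace = []
    out = first_hop.receive(Packet(src, dst, proto), ingress, trace)
    if out is None:
        return False, trace
    if out == "local":
        return True, trace
    if out != "VlanX":
        trace.append(f"{dst} is not on VLANx in this model")
        return False, trace
    # The packet is now on the VLAN segment.
    if dst == R2.ifs["VlanX"].address:
        # Traffic for .2 that arrived at R1 crosses the connected link and enters R2
        # through R2's own SVI, so R2's inbound ACL is the one that applies.
        return R2.receive(Packet(src, dst, proto), "VlanX", trace) == "local", trace
    if dst == VLAN_HOST:
        trace.append(f"host {dst} replies; reply enters {first_hop.name} on VlanX")
        reply = Packet(dst, src, proto)
        return first_hop.receive(reply, "VlanX", trace) is not None, trace
    trace.append(f"no host {dst} on VLANx in this model")
    return False, trace


if __name__ == "__main__":
    for args in [(OFFNET_PC, "10.10.10.1", "icmp"), (OFFNET_PC, "10.10.10.2", "icmp"),
                 (OFFNET_PC, VLAN_HOST, "icmp"), (OFFNET_PC, VLAN_HOST, "udp"),
                 (VLAN_HOST, "10.10.10.1", "icmp", R1, "VlanX")]:
        ok, steps = reachable(*args)
        print(f"{args[0]} -> {args[1]} {args[2]}: {'reply' if ok else 'no reply'}")
        for s in steps:
            print("   ", s)
```

Running it reproduces the thread's observations: ICMP and TCP from the off-net PC to 10.10.10.1 get a reply and never touch the VLANx ACL (so the "deny ip any any log" line logs nothing), ICMP to 10.10.10.2 is dropped by 6500-2's own inbound ACL after crossing the VLAN from 6500-1, ICMP to a host on the VLAN is dropped when the host's reply enters 6500-1 through the SVI, UDP to that host works in both directions, and a host on VLANx cannot ping 10.10.10.1 at all because its packet does enter through the SVI.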
03-12-2009 06:36 AM
Ken
Where are you pinging from ie. are you on 6500_1 or are you on a separate device ?
Jon
03-12-2009 06:39 AM
Yes, I am approx 5 hops away, not on the device itself.
The input ACLs on both 6500s only allow specific UDP ports with a deny ip any any log at the end of it. I am not seeing any logging entries for the deny as I am getting a response.
Does that help mate?
Many thx
Ken