Catalyst 4006 ACL on SVI Confusion

m.gravel
Level 1

I have a Catalyst 4006 version running cat4000-i5k91s-mz.122-25.EWA13.bin.

I was looking at a previously created ACL that did not make sense to me.

ACL - traffic-in

    .
    .
    .
    650 permit tcp 172.31.201.0 0.0.0.255 host 172.31.2.43 eq 389 (6047627 matches)
    660 permit tcp host 172.31.2.43 eq 389 172.31.201.0 0.0.0.255 (12796661 matches)
    .
    .
    .
    801 deny ip any any log

This access list is applied to interface vlan 100:

    interface vlan 100
     ip address 172.31.201.1 255.255.255.0
     ip access-group traffic-in in
     ip access-group traffic-out out

The excerpt from the ACL shown above contains two lines that are the reverse of each other.  My understanding would be that line 660 should be configured in the ACL traffic-out as opposed to traffic-in.  When I checked the counters I expected to see them not incrementing or even blank for line 660 however both lines in the ACL are continually incrementing.

Can anyone explain to me how line 660 can be incrementing?  The host 172.31.2.43 is in a different VLAN; how can its traffic be matched in the incoming direction?

I searched bug toolkit but could not find anything that looked related but perhaps I just missed something?

Thanks,

Marc

3 Replies

Florin Barhala
Level 6

Remember this is a virtual interface; traffic enters it from all "switch_access_interfaces". Suppose your switch has two layer 2 interfaces (port 1 and port 2) and this SVI interface. On one interface you have the client and on the second one you have "the clients" that use the LDAP service.

The client sends a request to the server, so traffic will match line 650; traffic will ENTER your SVI interface coming from port 1. Then the server answers with a reply. Traffic will match ACL line 660; traffic coming from port 2 will ENTER the SVI interface.

For better traffic control I suggest you use a VACL.

Hi Florin,

Thanks for your reply.  My understanding was that traffic coming into the switch from the VLAN (100 in this case) of the SVI would be matched with the access-group command using the "in" direction.

    interface vlan 100
     ip address 172.31.201.1 255.255.255.0
     ip access-group traffic-in in

And traffic going out to the VLAN (100) from another VLAN would be matched with the access-group command using the "out" direction.

    interface vlan 100
     ip address 172.31.201.1 255.255.255.0
     ip access-group traffic-out out

Therefore traffic destined to 172.31.201.1/24 from another network should be matched against the "out" access-group, while traffic from the 172.31.201.0/24 network to other networks would be matched against the "in" access-group.

Am I wrong?  If so what is the significance of the "in and out" parameters on the access-group command applied to the SVI?

Marc

You are correct, out is towards the subnet.  In means traffic coming from the subnet into the router or layer 3 switch virtual interface.
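The script below is an added illustration for this thread, not code from any poster or from Cisco. It models the in/out semantics stated in the reply above (in = traffic entering the SVI from its own VLAN, out = traffic routed toward that VLAN) together with IOS wildcard-mask and first-match ACL evaluation, then counts which ACE each packet of a constructed LDAP request/reply pair would hit. The SVI subnet and ACL lines 650, 660 and 801 are taken from the thread; the client address 172.31.201.50, its ephemeral port, and a traffic-out list consisting only of a final deny (the thread does not show that list) are assumptions. It shows the counters the stated semantics predict: line 660 gets no hits while it sits in traffic-in, and matches the server's reply once it is placed in traffic-out.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str                     # "host A.B.C.D", "A.B.C.D W.W.W.W" (wildcard) or "any"
    dst: str
    sport: Optional[int] = None  # "eq N" written after the source, None = any port
    dport: Optional[int] = None  # "eq N" written after the destination


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4
    dst: IPv4
    sport: int
    dport: int


def match_addr(spec: str, addr: IPv4) -> bool:
    """IOS address matching: wildcard-mask bits set to 1 are don't-care bits."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return IPv4(spec.split()[1]) == addr
    base, wildcard = (int(IPv4(part)) for part in spec.split())
    care = ~wildcard & 0xFFFFFFFF
    return (int(addr) & care) == (base & care)


def first_match(acl, pkt: Packet) -> Optional[Ace]:
    """Top-down, first-match evaluation; None means the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (match_addr(ace.src, pkt.src) and match_addr(ace.dst, pkt.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace
    return None


def svi_direction(svi_net: ipaddress.IPv4Network, pkt: Packet) -> Optional[str]:
    """Which of the SVI's two ACLs sees this packet, if either."""
    if pkt.src in svi_net:
        return "in"      # arrives on a VLAN 100 port and enters the SVI
    if pkt.dst in svi_net:
        return "out"     # routed from another VLAN toward VLAN 100
    return None          # transit traffic: this SVI's ACLs never see it


def simulate(svi_net, acl_in, acl_out, packets) -> Counter:
    """Per-ACE hit counters keyed by (direction, seq); seq None = implicit deny."""
    hits: Counter = Counter()
    for pkt in packets:
        direction = svi_direction(svi_net, pkt)
        if direction is None:
            continue
        ace = first_match(acl_in if direction == "in" else acl_out, pkt)
        hits[(direction, ace.seq if ace else None)] += 1
    return hits


# Values from the thread: interface vlan 100 and the two ACL lines in question.
SVI_NET = ipaddress.IPv4Network("172.31.201.0/24")
ACE_650 = Ace(650, "permit", "tcp", "172.31.201.0 0.0.0.255", "host 172.31.2.43", dport=389)
ACE_660 = Ace(660, "permit", "tcp", "host 172.31.2.43", "172.31.201.0 0.0.0.255", sport=389)
DENY_ALL = Ace(801, "deny", "ip", "any", "any")

# Constructed sample traffic: an LDAP request from a VLAN 100 client and the server's
# reply. The client address and ephemeral port are assumptions, not from the thread.
FLOWS = [
    Packet("tcp", IPv4("172.31.201.50"), IPv4("172.31.2.43"), 51000, 389),
    Packet("tcp", IPv4("172.31.2.43"), IPv4("172.31.201.50"), 389, 51000),
]


def as_configured() -> Counter:
    """Both lines in traffic-in, as posted. traffic-out is not shown in the thread,
    so it is assumed here to hold only a final deny."""
    return simulate(SVI_NET, [ACE_650, ACE_660, DENY_ALL], [DENY_ALL], FLOWS)


def with_660_in_traffic_out() -> Counter:
    """Line 660 moved to traffic-out, where the in/out semantics place the reply."""
    return simulate(SVI_NET, [ACE_650, DENY_ALL], [ACE_660, DENY_ALL], FLOWS)
```

Running `as_configured()` shows the request hitting line 650 in the "in" direction and the reply falling through to the deny in traffic-out, with line 660 never consulted; `with_660_in_traffic_out()` shows the same reply matching line 660 once it lives in the outbound list. Comparing predicted hits with `show ip access-lists` counters in this way is a quick check that an ACL is attached in the direction its author intended.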
