11-13-2013 12:47 AM - edited 03-07-2019 04:35 PM
Hi,
I recently observed a network with a fairly typical design of two core switches linked via a port channel; the switches are configured with SVIs in the same VLAN, and VRRP is configured.
Access lists applied inbound on the SVIs seem to make allowances for traffic from the local VLAN originating both inside and outside of the network, e.g.
assuming 192.169.0.0/25 is the local VLAN trying to reach a remote VLAN of 10.0.0.0/25:
Extended IP access list Data_Vlan_Out
10 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
20 permit ip 10.0.0.255 0.0.0.255 192.168.0.0 0.0.0.255
30 deny ip any any
will be applied to the SVI on both switches.
I assume this is being done due to the way SVIs view traffic which passes between the two switches, but it doesn't seem best practice. I was wondering if anyone could shed any light on what is actually going on here and how the design may be improved?
11-13-2013 04:01 AM
No, the ACL wouldn't impact traffic just moving between the two switches at L2. It only impacts the SVI, which is used when traffic enters or leaves the VLAN via L3.
The ACL should be applied on both switches' SVIs, both because both SVI interfaces might be used concurrently for entering the VLAN and because, even if one is the "hot" gateway for leaving the VLAN, it could fail, and traffic would then shift to the other SVI.
As to why it allows for traffic in either direction - from its (currently) described usage - that's unnecessary. Perhaps when it was defined it was also intended to be used as both an IN and OUT ACL.
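To make the point about direction concrete, here is an added example (my own code, not from either poster) that evaluates the posted ACL and an inbound-only rewrite against sample flows using Cisco wildcard-mask semantics. It assumes the local VLAN is 192.168.0.0/25 (the question writes 192.169.0.0/25 in prose but 192.168.0.0 in the ACL, and uses /24 wildcards for both /25 subnets); the rewritten ACL, its `log` keyword and the sample addresses are my constructions. For a VLAN that contains only end hosts, a packet arriving inbound on that VLAN's SVI is sourced from the VLAN, so the posted line 20 (source 10.0.0.x) is never hit by legitimate traffic and only ever permits spoofed packets; the helper `unreachable_inbound` finds such lines.

```python
"""Evaluate Cisco IOS-style extended ACL entries against sample flows.

Added example, not from the original thread.  It models only the
'<seq> permit|deny ip <src> <wc> <dst> <wc>' form with 'any', 'host'
and an ignored trailing 'log' keyword; no ports, protocols or object-groups.
Assumption: the local VLAN is 192.168.0.0/25 and the remote VLAN 10.0.0.0/25.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Match:
    net: int  # address bits to compare
    wc: int   # wildcard mask: 1 bits are "don't care"

    def covers(self, addr: str) -> bool:
        # Cisco wildcard semantics: only bits clear in the wildcard are compared.
        a = int(ipaddress.IPv4Address(addr))
        return ((a ^ self.net) & (~self.wc & MASK32)) == 0


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # 'permit' or 'deny'
    src: Match
    dst: Match


def _take_match(tokens: list) -> tuple:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[0] == 'any':
        return Match(0, MASK32), tokens[1:]
    if tokens[0] == 'host':
        return Match(int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wc = int(ipaddress.IPv4Address(tokens[1]))
    # IOS stores the entry with wildcarded bits cleared, so the posted
    # '10.0.0.255 0.0.0.255' is the same entry as '10.0.0.0 0.0.0.255'.
    return Match(net & ~wc & MASK32, wc), tokens[2:]


def parse_acl(text: str) -> list:
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if proto != 'ip':
            raise ValueError(f'only "ip" entries are modelled: {line!r}')
        src, rest = _take_match(tokens[3:])
        dst, _rest = _take_match(rest)  # trailing keywords such as 'log' are ignored
        aces.append(Ace(seq, action, src, dst))
    return aces


def evaluate(acl: list, src: str, dst: str) -> tuple:
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace.src.covers(src) and ace.dst.covers(dst):
            return ace.action, ace.seq
    return 'deny', None


def unreachable_inbound(acl: list, local_vlan: str) -> list:
    """Sequence numbers of permit entries that no host on local_vlan can hit when
    the ACL is applied inbound on that VLAN's SVI.  Inbound traffic is sourced
    from the VLAN, so a permit whose source range does not overlap the VLAN only
    ever matches spoofed packets.  Brute force over the subnet; fine for the
    small access VLANs this models."""
    hosts = [str(a) for a in ipaddress.IPv4Network(local_vlan)]
    return [ace.seq for ace in acl
            if ace.action == 'permit' and not any(ace.src.covers(h) for h in hosts)]


# Reproduction of the ACL as posted in the thread (/24 wildcards, both directions).
POSTED_ACL = parse_acl("""
10 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
20 permit ip 10.0.0.255 0.0.0.255 192.168.0.0 0.0.0.255
30 deny ip any any
""")

# Constructed inbound-only rewrite for the SVI of 192.168.0.0/25, to be applied
# identically on both VRRP peers: one permit per allowed direction, wildcards
# sized to the actual /25 subnets, explicit logged deny.
INBOUND_ACL = parse_acl("""
10 permit ip 192.168.0.0 0.0.0.127 10.0.0.0 0.0.0.127
20 deny ip any any log
""")

if __name__ == '__main__':
    flows = (('192.168.0.10', '10.0.0.10'),    # legitimate flow
             ('192.168.0.200', '10.0.0.10'),   # outside the /25, inside the /24 wildcard
             ('10.0.0.10', '192.168.0.10'))    # 10.x source arriving from the VLAN = spoofed
    for name, acl in (('posted', POSTED_ACL), ('inbound-only', INBOUND_ACL)):
        print(name)
        for s, d in flows:
            print(f'  {s:>14} -> {d:<14} {evaluate(acl, s, d)}')
        print('  permits unreachable inbound:', unreachable_inbound(acl, '192.168.0.0/25'))
```

Running it shows the posted ACL permitting both the out-of-subnet 192.168.0.200 source (the /24 wildcard is wider than the /25 VLAN) and a 10.0.0.10 source entering from the 192.168 VLAN via line 20, while the inbound-only ACL denies both; the same inbound ACL is then applied with `ip access-group ... in` on the SVI of each switch, as the answer recommends.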