My understanding of ingress/egress for a physical interface is as follows:
When traffic comes into an interface from the wire, the traffic is ingress into the interface
When traffic leaves the interface out onto the wire, the traffic is egress from the interface
But what about when the interface is an SVI? When is the traffic ingress and when is it egress? Is it when the traffic enters and leaves the L2 vlan or is it when the traffic enters and leaves the L3 network or is it both? For example, I have an SVI Vlan11 and I have an access port, fa0/1, assigned to vlan11. If the device connected to fa0/1 sends traffic would that traffic be ingress into SVI Vlan11 at the point at which the traffic hits the switch port? Or, would the traffic coming from the connected device only be egress from SVI vlan11 if the traffic were routed off SVI vlan11 to another L3 network? Can anybody direct me to a Cisco document that covers this question in detail?
Traffic coming from clients in that vlan is ingress to the L3 SVI for that vlan.
Traffic going to clients in that vlan is egress to the L3 SVI for that vlan.
So, using your example, if a client in vlan 11 sends traffic to a device on another vlan (vlan 12), then the traffic from the client is ingress to the L3 SVI for vlan 11 and egress on the L3 SVI for vlan 12. When the device in vlan 12 responds, the traffic is ingress to the SVI for vlan 12 and egress to the SVI on vlan 11.
Edit - using acls on an SVI, an inbound acl on the SVI will affect traffic coming from clients in that vlan going to a remote subnet and an outbound acl would affect traffic coming from a remote subnet and going to clients on that vlan.
Thanks for the quick response! Quick follow-up question. In regard to the first leg of that data flow you mentioned, is it only ingress into SVI vlan11? Wouldn't it also be egress from SVI Vlan11 when it gets switched to Vlan12? Or is it only ingress/egress on SVIs when going from L2 to L3 or L3 to L2?
It's not really egress in that case because egress on vlan 11 would mean traffic leaving vlan 11 going to clients in vlan 11, and not traffic being switched between vlan interfaces. It's a bit like a physical interface if you think about it, i.e.
(fa0/0) R1 (fa0/1) -> R2
if you apply an acl to fa0/1 you have 2 choices obviously -
1) apply inbound - this filters traffic arriving from R2
2) apply outbound - this filters traffic going to R2
But egress would never apply to traffic being sent from fa0/1 through the router to fa0/0, because an acl does not control traffic moving through the device in that sense; rather, it controls what traffic can enter and exit a specific interface. If it is allowed to enter the device (inbound) then there is no more filtering until it leaves the device. If it is allowed to leave the device then by definition there is no more filtering on the device.
Hope that makes sense, it's one of those things that is intuitive but can be difficult to fully explain.
Imagine the SVI as an additional host connected to the L2 Vlan broadcast domain.
Traffic sent from end user devices to the default gateway (= to the SVI) is received by the SVI to be routed.
Traffic coming from another IP subnet and sent to an end user device in the L2 Vlan is outbound on the SVI.
This is confirmed by the behaviour of ACLs applied to an SVI:
An extended ACL applied inbound matches on source addresses = IP addresses of the subnet, with destination addresses in other IP subnets.
An extended ACL applied outbound matches on destination addresses = IP addresses of the subnet associated to the Vlan.
Hope this helps.
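The direction semantics both replies describe, as an added example that is not part of the thread: a toy Python model of a multilayer switch that records which SVI ACL (source VLAN inbound, destination VLAN outbound) an inter-VLAN packet is checked against. The subnets, VLAN ids and ACL rules are constructed for illustration, and the model assumes same-VLAN traffic is L2-switched and never reaches an SVI ACL.

```python
# Added example (not from the thread): toy model of which SVI ACL direction an
# inter-VLAN packet is checked against. Subnets, VLAN ids, ACLs are constructed.
import ipaddress

# Constructed topology: Vlan11 = 10.0.11.0/24, Vlan12 = 10.0.12.0/24
SVIS = {11: ipaddress.ip_network("10.0.11.0/24"),
        12: ipaddress.ip_network("10.0.12.0/24")}

def vlan_of(ip):
    """VLAN whose subnet contains ip, or None if not directly connected."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, net in SVIS.items() if addr in net), None)

def evaluate(acl, src, dst):
    """First-match ACL; rules are (action, src_net, dst_net); implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def forward(src, dst, acls):
    """List the SVI ACL checks a packet src->dst hits, ending with its fate.

    acls maps (vlan, "in"|"out") -> rule list. An inter-VLAN packet is inbound
    on the source VLAN's SVI and outbound on the destination VLAN's SVI; it is
    never "outbound" on the source SVI. Same-VLAN traffic is assumed to be
    L2-switched, so it never reaches an SVI ACL at all.
    """
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan is None or dst_vlan is None:
        raise ValueError("only directly connected subnets are modelled")
    if src_vlan == dst_vlan:
        return ["switched"]
    steps = []
    for vlan, direction in ((src_vlan, "in"), (dst_vlan, "out")):
        if (vlan, direction) in acls:
            verdict = evaluate(acls[(vlan, direction)], src, dst)
            steps.append((vlan, direction, verdict))
            if verdict == "deny":
                return steps + ["dropped"]
    return steps + ["routed"]

# Constructed ACLs: Vlan11 inbound only lets its own subnet reach Vlan12;
# Vlan12 outbound shields one client from every remote subnet.
ACLS = {
    (11, "in"): [("permit", "10.0.11.0/24", "10.0.12.0/24")],
    (12, "out"): [("deny", "0.0.0.0/0", "10.0.12.50/32"),
                  ("permit", "0.0.0.0/0", "0.0.0.0/0")],
}
```

Calling `forward("10.0.11.10", "10.0.12.20", ACLS)` returns the Vlan11 inbound check, then the Vlan12 outbound check, then "routed"; the reply from Vlan12 hits no ACL at all, because neither the Vlan12 inbound nor the Vlan11 outbound direction has one configured.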