I think I am missing a level of understanding in the behaviour of VACL's. Hopefully someone can explain. Firstly, to describe the topology, it is very simeple, 2 x 6509's, port channel between both, all relevant vlans up, trunked, active, L3 working, etc etc. The issue is, the VACL is not dropping traffic on the local switch, so, let's say there is a VACL on VLAN10 (identical on both switches) and no VACL on VLAN20. The VACL on VLAN 10 has an ACL that allows some addresses, drops others. The action for a match is to forward, denied traffic from the end of the acl will go to the implicit drop in the VACL sequence.
So, if I now do a series of extended pings, first of all on the local switch, using a physical device that lives on the switch as a destination in VLAN 20, using the VLAN10 SVI as the source, this is successful. If I do the same ping but put the VLAN 20 SVI in the destination, this also works. Vice versa is also OK. Now, if I try to make the same tests, however, I go from one switch to another to reach the destination ALL attemps fail.
Essentially, it looks like the traffic is being dropped by the VACL when it traverses both switches. It looks like the VACL is not dropping traffic when it originates and terminates on the same switch.
Am I missing a fundamental behaviour with the way the switch treats traffic that does not hop through more than one L2 hop, e.g. when on the same switch it gets routed then sent straight onto the VLAN, rather than travelling around it which is what happens when you traverse the switches?
Thanks in advance
All active are on one switch and all standby are on the other. The behaviour is the same regardless of whether you run the test from the switch with all active standby addresses or from all standby standby addresses.
Sorry I didn't read the question carefully enough.
I can only explain part of it and it is to do with the actual traffic flow and whether or not the traffic actually enters vlan 10.
When you ping from the active switch to a vlan 20 client on the active switch the traffic never enters vlan 10 because it is routed onto vlan 20, sent to the client which returns it to the SVI for vlan 20 and then it is routed to the SVI for vlan 10.
The traffic at no point enters vlan 10.
When you ping from the active switch to the SVI for vlan 20 on the standby switch this won't work because the traffic is routed onto vlan 20 on the active switch sent across the interconnect to the standby switch to the vlan 20 SVI, routed onto the vlan 10 SVI on the standby switch and then returned across the interconnect in vlan 10 so traffic is now in vlan 10.
However this does not explain why a ping to a client in vlan 20 on the standby switch doesn't work because it should ie. the traffic is routed onto vlan 20 on the active switch and then sent across the interconnect to the client. The client has to return the traffic to it's active gateway which is on the active switch so the traffic is sent back across the interconnect in vlan 20 and then routed to the SVI for vlan 10.
At no point has the traffic entered vlan 10 so it should be allowed.
And for pings from the standby switch, they should all fail.
Perhaps it is the bug suggested by Antonin or perhaps we need more details on the actual tests.
Note what is probably not helping is using the SVI for vlan 10 as the source because that means traffic doesn't always have to go through vlan 10.
A better test would be to source the pings from a client in vlan 10.