access-list on VE interface blocks traffic for whole VLAN

Hello all. I would be grateful for some help.
I have applied an ACL on a VE interface, and it seems the ACL was applied not only on the VE but on the physical interfaces too. Is that correct?
I have not found any info about it, except for "enable acl-per-port-per-vlan", but I am not sure whether that is what I need.
Thank you.


mielch qwerty
Jijo Panangat, Employee
Hello Mielch,


A VE on an ICX is the same as an SVI on a Cisco layer-3 switch, in case you are familiar with those.

For example:

vlan 100 name Example_VLAN
 untag ethernet 1/1/1
 router-interface ve100

interface ve 100
 ip address 192.168.100.1/24

In the above, you build a VLAN, associate it with some interfaces, then associate a VE with the VLAN. That creates the map between the VLAN, the interfaces, and the VE. Then you configure the VE (virtual interface).
Now, if you apply an ACL to the VE interface, it is bound to the VLAN 100 ports.
NETWizz
To expound on what Jijo Panangat said:

On both platforms you put the ACL on the actual layer-3 interface, whatever that happens to be...


ICX Device:

vlan 100 name Example_VLAN
 untag ethernet 1/1/1
 router-interface ve100
!


interface ve 100
 port-name Some_Description_Here
 ip address 192.168.100.1/24
 ip access-group NAME out
!


Cisco:

vlan 100
 name Example_VLAN
!


interface GigabitEthernet1/1/1
 switchport access vlan 100
 switchport mode access
!

interface Vlan100
 description Some_Description_Here
 ip address 192.168.100.1 255.255.255.0
 ip access-group NAME out
!


**********

If you want to filter egress traffic, write a rule with both a source and a destination, or filter a specific protocol and port such as TCP or UDP, you need to use an extended access list. Either way, extended access lists are more flexible in that you can also use them to match ingress traffic if you choose.

If you simply want to match the source, you can use a standard ACL. In practice these are usually for controlling who has access to SSH or similar.

The above example assumes an extended, named access list.

mielch qwerty
Hi NETWizz,
Cisco doesn't block traffic on the physical interfaces when you apply an ACL on an SVI, while ICX does.


NETWizz
Cisco certainly blocks the traffic when you apply the ACL to an SVI. I'm not saying whether it logically gets dropped on the SVI vs. the physical interface, but either way the traffic gets dropped.

Case in point: I have a pair of 6509s with the 2T supervisor, and there are a couple of SVIs with ACLs, and they clearly block the traffic from passing before routing occurs.

Now, if you are saying that when I have two access-port interfaces in a VLAN, and that VLAN has an SVI, traffic does not get blocked from physical interface to physical interface within the same VLAN, that is true. That said, it does get dropped when the SVI comes into play for layer-3 functionality, like traffic leaving its layer-2 subnet and a routing table being consulted to get it to some other destination subnet.

****

Are you saying if you put an ACL on an ICX VRI (i.e. a VE), that it will also filter the traffic between multiple physical interfaces within that same VLAN if routing doesn't occur?

Just asking because usually the Cisco Software Virtual Interfaces (SVIs) and the ICX Virtual Router Interfaces (VRIs) serve predominantly as default-gateways to get off a local subnet within a given VLAN, so there is usually Layer-3 routing involved regardless of the platform.
mielch qwerty
"Are you saying if you put an ACL on an ICX VRI (i.e. a VE), that it will also filter the traffic between multiple physical interfaces within that same VLAN if routing doesn't occur?"
That's the thing!


SW1-----------ICX-----------SW2
1.1.1.1       1.1.1.2         1.1.1.3

The ICX has this config:
vlan 1
 untagged ethe 1/1/1 to 1/1/2
 router-interface ve 1
!
interface ve 1
 ip address 1.1.1.2 255.255.255.0
 ip access-group TEST in
!
ip access-list extended TEST
 deny ip any any

With this config I can't ping SW2 from SW1 and vice versa. I applied such an ACL on the production network yesterday and got an unpleasant outage, and today I am checking it in a test environment; the result is the same with or without the "enable acl-per-port-per-vlan" command.

mielch qwerty
Hi Jijo Panangat,
Thanks for the answer, but it's a little bit different: I have 3 switches with VLAN 1.

SW1-----------ICX-----------SW2
1.1.1.1       1.1.1.2         1.1.1.3

The ICX has this config:
vlan 1
 untagged ethe 1/1/1 to 1/1/2
 router-interface ve 1
!
interface ve 1
 ip address 1.1.1.2 255.255.255.0
 ip access-group TEST in
!
ip access-list extended TEST
 deny ip any any

With this config I can't ping SW2 from SW1 and back, as if there were an access-list on interfaces e 1/1/1 and e 1/1/2.

Jijo Panangat, Employee
Hello Mielch,

This is expected. The inbound packets are denied by the ACL on ports 1/1/1 & 1/1/2.
mielch qwerty
But there is no ACL on ports 1/1/1 & 1/1/2, just on VE 1.
Can I change this behavior, or do I just have to keep it in mind?
In the Cisco world it is quite different, and an ACL on an SVI doesn't block traffic on the physical interfaces.

Jijo Panangat, Employee
Hello Mielch,

VE 1 is mapped to VLAN 1 above, so the ACL applies to the VLAN 1 ports 1/1/1 & 1/1/2.
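Added example, not part of the thread: an ICX FastIron configuration that puts together the two points made above, NETWizz's standard-vs-extended distinction (standard ACL for management access, extended ACL for source/destination/port filtering) and Jijo's point that an ACL bound to a VE is applied on the VLAN's member ports and therefore also hits bridged, same-subnet traffic. The management subnet, server addresses, VLAN number and ACL names are assumptions, and the commands are written from FastIron syntax as I know it; check them against the release you run before applying anything to production.

```text
! Added example (not from the thread); addresses and ACL names are assumptions.
!
! 1. Standard ACL: matches source only, so it suits management-plane
!    restrictions such as who may open SSH to the switch.
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny any
!
ssh access-group MGMT-HOSTS
!
! 2. Extended ACL: matches source, destination, protocol and port.
!    The first permit is the one that matters on ICX: the ACL bound to
!    ve 100 is programmed on the VLAN 100 member ports, so without it
!    host-to-host traffic inside 192.168.100.0/24, which is bridged and
!    never routed, is dropped too. The outage described in the thread was
!    exactly this, a "deny ip any any" with no same-subnet permit.
ip access-list extended USERS-IN
 permit ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit tcp 192.168.100.0 0.0.0.255 host 10.20.0.5 eq 443
 permit udp 192.168.100.0 0.0.0.255 host 10.20.0.53 eq 53
 deny ip any any
!
vlan 100 name Users
 untagged ethe 1/1/1 to 1/1/2
 router-interface ve 100
!
interface ve 100
 ip address 192.168.100.1 255.255.255.0
 ip access-group USERS-IN in
```

Before pushing a change like this to production, reproduce the lab from the posts above and ping between two hosts on the VLAN 100 ports with the ACL applied; on the ICX that same-subnet ping is the test that distinguishes "filters routed traffic only" (Cisco SVI behaviour) from "filters every frame entering the member ports" (ICX VE behaviour). If the intent really is to separate hosts within the VLAN, the ICX behaviour is a feature and the same-subnet permit should be narrowed or dropped; if the intent is only to police traffic leaving the subnet, keep it.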
mielch qwerty
OK, thank you for the help :) It's a pity, though, that this behavior is not mentioned in any documentation.
mielch qwerty
Thanks to r/Brocade on Reddit I have found an explanation.
There is routing code on the ICX, and a VE interface is like a subinterface on a Cisco router rather than an interface VLAN on a Cisco switch. That's why the ACL behavior on a VE is the way it is.