Wired Intelligent Edge


VSX AOS 10.03 and ACLs

  • 1.  VSX AOS 10.03 and ACLs

    Posted Sep 26, 2019 03:52 PM

    Hello,

     

    I'm using a VSX with two 8320 in AOS 10.03 and I want to apply some access-lists on my L3 vlan interfaces.

    I've seen that I couldn't apply it on interface vlan xx but I have to go to the L2 vlan configuration. But every time I apply an access-list on a vlan I lose the ping to one of my L3 interfaces:

    Example: I've one 8320 with an interface vlan 10 at 10.0.0.1, the other 8320 with interface vlan 10 at 10.0.0.2, and an active-gateway 10.0.0.3. I apply my ACL on vlan 10 and I can reach 10.0.0.1 but not 10.0.0.2 nor .3.

    configuration:

    interface vlan 10
        ip address 10.0.0.1/24
        active-gateway ip 10.0.0.3 mac 00:00:00:00:00:01

    access-list ip TEST
        10 permit any x.x.x.x/x x.x.x.x/x

    vlan 10
        apply access-list ip TEST in

     

    Am I missing something?

     

    Best Regards,


    Christine



  • 2.  RE: VSX AOS 10.03 and ACLs
    Best Answer

    EMPLOYEE
    Posted Sep 27, 2019 04:29 AM

    ACLs are not supported on SVIs.

    You have 3 alternatives:

    - VLAN ACL, as you selected

    - Port ACL (might depend on the manageability due to the number of ports)

    - Policy (routed-in) on the SVI. Instead of writing an ACL, you write a class with match sequences, and the policy will use a drop action for the said match, corresponding to a deny in the ACL.

     

    To your point about what is missing on VLAN ACL, there is an implicit deny any any any at the end of any ACL. So you have to make sure that the traffic for different IP addresses of the given SVI is permitted before that implicit deny.



  • 3.  RE: VSX AOS 10.03 and ACLs

    Posted Sep 27, 2019 05:36 AM

    Hello,

     

    Thanks for your answer.

    But if I take my ACL and my interface vlan

    interface vlan 10
        ip add 10.0.0.1/24

    Shall I also do

    permit any 10.0.0.0/24 10.0.0.0/24

    and

    vlan 10 apply acl in?

    Looks really weird.

     

    Thank you



  • 4.  RE: VSX AOS 10.03 and ACLs

    EMPLOYEE
    Posted Sep 30, 2019 06:30 AM

    Correct. You need to permit any traffic that is expected to be allowed to enter (ingress) the VLAN. That includes traffic between IP addresses of the same L3 subnet shared by both VSX nodes.

    I don't see that as weird as this is standard and expected behaviour of a VLAN access-list.
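The implicit deny that replies 2 and 4 describe, as an added illustration written for this page (plain Python, not AOS-CX code and not posted by any participant): a first-match ACL evaluator that takes rule lines in the same `<seq> <permit|deny> <proto> <src> <dst>` shape as the original post's ACL and reports which entry a packet hits, or that it fell through to the implicit `deny any any any`. The ACL with only an off-subnet permit (192.0.2.0/24 stands in for the `x.x.x.x/x` placeholders and is a constructed value) drops a host's pings to the second SVI and the active gateway; adding `permit any 10.0.0.0/24 10.0.0.0/24` ahead of the implicit deny restores them. The model only evaluates traffic that crosses the VLAN ACL and does not try to reproduce why 10.0.0.1 stayed reachable in the original post.

```python
"""First-match ACL evaluation with the implicit 'deny any any any' at the end.

Added illustration for this thread; it models the VLAN ACL behaviour described
in the replies in plain Python and is not AOS-CX code. The rule text follows the
shape of the ACL in the original post; the 192.0.2.0/24 destination stands in
for the x.x.x.x/x placeholders and is a constructed value.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "any", "icmp", "tcp", "udp"
    src: str      # "any" or a CIDR prefix
    dst: str      # "any" or a CIDR prefix


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


def parse_acl(text: str) -> list[Entry]:
    """Parse '<seq> <permit|deny> <proto> <src> <dst>' lines; the header line is skipped."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "access-list":
            continue
        seq, action, proto, src, dst = parts
        entries.append(Entry(int(seq), action, proto, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def _in_prefix(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: list[Entry], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry.

    If nothing matches, the packet hits the implicit deny, reported as ("deny", None).
    """
    for e in acl:
        if e.proto not in ("any", pkt.proto):
            continue
        if _in_prefix(e.src, pkt.src) and _in_prefix(e.dst, pkt.dst):
            return e.action, e.seq
    return "deny", None


# Shape of the original post's ACL: a single permit towards some other destination.
ACL_ORIGINAL = parse_acl("""
access-list ip TEST
    10 permit any 10.0.0.0/24 192.0.2.0/24
""")

# Same ACL with intra-subnet traffic permitted ahead of the implicit deny,
# as reply 2 recommends.
ACL_FIXED = parse_acl("""
access-list ip TEST
    10 permit any 10.0.0.0/24 10.0.0.0/24
    20 permit any 10.0.0.0/24 192.0.2.0/24
""")

# Constructed traffic: a host in VLAN 10 pinging the peer SVI and the active gateway,
# plus one off-subnet flow that neither ACL permits.
SAMPLE_PACKETS = [
    Packet("icmp", "10.0.0.50", "10.0.0.2"),
    Packet("icmp", "10.0.0.50", "10.0.0.3"),
    Packet("tcp", "10.0.0.50", "203.0.113.9"),
]


def verdicts(acl: list[Entry], packets: list[Packet]) -> dict[str, str]:
    """Map 'src->dst' to 'permit' / 'deny'; a fall-through is marked 'deny (implicit)'."""
    out = {}
    for p in packets:
        action, seq = evaluate(acl, p)
        out[f"{p.src}->{p.dst}"] = action if seq is not None else "deny (implicit)"
    return out


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(name)
        for flow, verdict in verdicts(acl, SAMPLE_PACKETS).items():
            print(f"  {flow:<24} {verdict}")
```

Running it prints `deny (implicit)` for both intra-subnet pings under the original ACL and `permit` for them under the fixed one, while the off-subnet TCP flow is dropped in both cases; that is the ordering point reply 2 makes: anything the VLAN must accept has to be matched by a permit before the implicit deny.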