Hey everyone :)
So, I have two 6500s and a vlan trunked between them (VLANx)
Running HSRP on the VLANx
6500-1 is 10.10.10.1
6500-2 is 10.10.10.2
HSRP is active on 6500-1 with 10.10.10.3
I have an inbound ACL on both VLANx interfaces that does not permit anything but UDP traffic.
I can ping and telnet 6500-1 10.10.10.1 ip address
I cannot ping or telnet 6500-2 10.10.10.2
I cannot ping or telnet 6500-1 10.10.10.3 HSRP
How does that work?
I would have thought that I would not be able to ping or telnet to any of the interfaces, as it is an inbound ACL?
Is there sommat that happens in the ACL process that says, if you are directly for me, allow it or don't pass it through the ACL?
I'm confused.com :)
3) SVI sends packet back. Yes, but an inbound ACL on the vlan interface would not affect that. Actually an outbound ACL wouldn't either, but that's to do with an outbound ACL not affecting packets sourced by the router interface.
So the inbound ACL on the vlan X SVI never gets invoked when you ping that interface IP address. The packet from your PC never actually hits the inbound ACL; remember, an inbound ACL on a vlan interface affects traffic coming from devices on the vlan, i.e. 10.10.10.x.
And the return traffic never hits the inbound ACL either.
Does this make sense?
No prob mate.
If you have applied an ACL inbound to an SVI denying ICMP/telnet, then it will not be permitted.
I'm guessing your setup is as below (apart from the IPs and names):
ip access-list extended Test
 permit udp any any
!
! SVI name assumed; the question uses VLANx as a placeholder
interface VlanX
 ip address 192.168.1.1 255.255.255.0
 ip access-group Test in
 standby 16 ip 192.168.1.3
 standby 16 preempt
If so, any device on the 192.168.1.0/24 network will not be able to ping or telnet to the address, but other offnets should be able to.