IP Interface ACLS, and CEF "receive" adjacencies

Unanswered Question
Oct 2nd, 2009
User Badges:

Hello,


In regards to configuring an SVI with ip address 10.10.10.1 and applying the following ACL inbound:

"permit ip 10.10.10.0 255.255.255.0 any"


Would ICMP packets destined to the SVI be forwarded for an ACL lookup or since this is a "receive" adjacency in CEF and its traffic destined to the control plane than would only rACL's or cOPP be needed for protection.


Please let me know and I can clarify further.


Thank you

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Giuseppe Larosa Sat, 10/03/2009 - 01:45
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Thomas,

the ACL will process ICMP packets destined to the SVI and it will allow them.


but you need to write it using wildcard mask:

permit ip 10.10.10.0 0.0.0.255 any



you can test using a modified version of the ACL

access-list 111 permit icmp 10.10.10.0 0.0.0.255 host 10.10.10.1

access-list 111 permit ip 10.10.10.0 0.0.0.255 any


int vlan 10

ip address 10.10.10.1

no shut

ip access-group 111 in

!


attempting to ping 10.10.10.1 should work and you should see counters increasing in first line of ACL 111

with

sh ip access-list 111


CoPP is more smart and it can introduce a rate-limiting action to protect CPU.


Hope to help

Giuseppe


tbowlby1980 Sat, 10/03/2009 - 09:59
User Badges:

Hello Giuseppe,


I'm in the process of testing this today and really appreciate the feedback.


Thank you

Actions

This Discussion