IP Interface ACLs and CEF "receive" adjacencies

Oct 2nd, 2009


In regards to configuring an SVI with ip address and applying the following ACL inbound:

"permit ip any"

Would ICMP packets destined to the SVI be forwarded for an ACL lookup, or, since this is a "receive" adjacency in CEF and it is traffic destined to the control plane, would only rACLs or CoPP be needed for protection?

Please let me know and I can clarify further.

Thank you

Giuseppe Larosa Sat, 10/03/2009 - 01:45

Hello Thomas,

The ACL will process ICMP packets destined to the SVI and it will allow them.

But you need to write it using a wildcard mask:

permit ip any

You can test using a modified version of the ACL:

access-list 111 permit icmp host
access-list 111 permit ip any

int vlan 10
 ip address
 no shut
 ip access-group 111 in

Attempting to ping should work, and you should see counters increasing in the first line of ACL 111:


sh ip access-list 111

CoPP is smarter and it can introduce a rate-limiting action to protect the CPU.

Hope to help
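
The two layers discussed in this answer side by side, as an added example that is not part of either post: the interface ACL test on the SVI, and a CoPP policy that rate-limits ICMP punted to the CPU. The addresses (RFC 5737 documentation range), the names COPP-ICMP and COPP-POLICY, and the 32000 bps police rate are constructed for illustration; CoPP support and police syntax vary by platform and IOS release.

```cisco
! Layer 1: interface ACL on the SVI, applied inbound on Vlan10.
! 192.0.2.10 is a constructed test host, 192.0.2.1 the constructed SVI address.
access-list 111 permit icmp host 192.0.2.10 host 192.0.2.1
access-list 111 permit ip any any
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group 111 in
 no shutdown
!
! Layer 2: CoPP, applied to traffic punted to the route processor.
! The ACL only classifies; the police statement does the rate limiting.
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP-POLICY
 class COPP-ICMP
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! Verification after pinging 192.0.2.1 from 192.0.2.10:
!   show ip access-lists 111        (match count on the first entry)
!   show policy-map control-plane   (conformed/exceeded counters for COPP-ICMP)
```

If the first entry of ACL 111 counts matches while the CoPP class also shows conformed packets, both lookups are being applied to traffic addressed to the SVI.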


tbowlby1980 Sat, 10/03/2009 - 09:59

Hello Giuseppe,

I'm in the process of testing this today and really appreciate the feedback.

Thank you

