IP interface ACLs and CEF "receive" adjacencies

Oct 2nd, 2009

Hello,

In regards to configuring an SVI with ip address 10.10.10.1 and applying the following ACL inbound:

"permit ip 10.10.10.0 255.255.255.0 any"

Would ICMP packets destined to the SVI be forwarded for an ACL lookup, or, since this is a "receive" adjacency in CEF and the traffic is destined to the control plane, would only rACLs or CoPP be needed for protection?

Please let me know and I can clarify further.

Thank you

Giuseppe Larosa Sat, 10/03/2009 - 01:45

Hello Thomas,

The ACL will process ICMP packets destined to the SVI and it will allow them.

But you need to write it using a wildcard mask:

permit ip 10.10.10.0 0.0.0.255 any

You can test using a modified version of the ACL:

access-list 111 permit icmp 10.10.10.0 0.0.0.255 host 10.10.10.1
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
int vlan 10
 ip address 10.10.10.1 255.255.255.0
 no shut
 ip access-group 111 in
!

Attempting to ping 10.10.10.1 should work, and you should see the counters increasing on the first line of ACL 111 with

sh ip access-list 111

CoPP is smarter and can introduce a rate-limiting action to protect the CPU.

Hope this helps

Giuseppe
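Added example, not code from the thread: a small evaluator for IOS-style numbered extended ACL lines, written here to make the wildcard-mask point above concrete. IOS reads the second address field as a wildcard (a 0 bit must match, a 1 bit is "don't care"), so the questioner's "10.10.10.0 255.255.255.0" does not mean the 10.10.10.0/24 subnet at all. The function names, ACL 112, and the sample packets below are constructed for this example; ACL 111 is the one from the reply.

```python
"""
Added example (not from the original thread): evaluate IOS-style extended ACL
lines against sample packets to show what each mask really matches.
Assumption: only 'access-list N permit|deny PROTO SRC DST' with any/host/
address+wildcard clauses is supported, which is all the thread uses.
"""
import ipaddress

PROTOCOLS = {"ip", "icmp", "tcp", "udp"}
ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Parse one address clause at tokens[i].

    Returns ((address_int, wildcard_int), next_index). Accepts 'any',
    'host A.B.C.D', or 'A.B.C.D W.W.W.W' where W is the IOS wildcard mask.
    """
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC DST' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        number, action, proto = tok[1], tok[2], tok[3]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError(f"unsupported line: {line}")
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        entries.append((number, action, proto, src, dst))
    return entries


def _wild_match(address, clause):
    """IOS wildcard semantics: compare only the bits where the wildcard is 0."""
    addr, wild = clause
    care = (~wild) & ALL_ONES
    return (int(ipaddress.IPv4Address(address)) & care) == (addr & care)


def evaluate(entries, proto, src, dst):
    """First-match evaluation; returns (action, line_number).

    Like IOS, the ACL ends with an implicit 'deny ip any any' (line None).
    """
    for idx, (_, action, eproto, esrc, edst) in enumerate(entries, start=1):
        if eproto != "ip" and eproto != proto:
            continue
        if _wild_match(src, esrc) and _wild_match(dst, edst):
            return action, idx
    return "deny", None


# The test ACL from the reply (correct wildcard masks).
ACL_111 = """
access-list 111 permit icmp 10.10.10.0 0.0.0.255 host 10.10.10.1
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
"""

# The questioner's mask as IOS would read it (constructed for contrast).
ACL_112 = """
access-list 112 permit ip 10.10.10.0 255.255.255.0 any
"""

if __name__ == "__main__":
    good, bad = parse_acl(ACL_111), parse_acl(ACL_112)
    # A host on VLAN 10 pinging the SVI hits line 1 of ACL 111 ...
    print("111 icmp 10.10.10.25 -> 10.10.10.1:", evaluate(good, "icmp", "10.10.10.25", "10.10.10.1"))
    # ... but with the 255.255.255.0 wildcard only the last octet must be 0.
    print("112 icmp 10.10.10.25 -> 10.10.10.1:", evaluate(bad, "icmp", "10.10.10.25", "10.10.10.1"))
    print("112 icmp 192.168.77.0 -> 10.10.10.1:", evaluate(bad, "icmp", "192.168.77.0", "10.10.10.1"))
```

Run as a script it prints that 10.10.10.25 is permitted on line 1 of ACL 111, denied by the implicit deny under ACL 112, while 192.168.77.0 (any address whose last octet is 0) is permitted by ACL 112. That is the check to run before trusting an inbound SVI ACL to say anything about traffic to the SVI's own address.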

tbowlby1980 Sat, 10/03/2009 - 09:59

Hello Giuseppe,

I'm in the process of testing this today and really appreciate the feedback.

Thank you
