IP Interface ACLs, and CEF "receive" adjacencies

Unanswered Question
Oct 2nd, 2009


In regards to configuring an SVI with ip address and applying the following ACL inbound:

"permit ip any"

Would ICMP packets destined to the SVI be forwarded for an ACL lookup, or, since this is a "receive" adjacency in CEF and it's traffic destined to the control plane, then would only rACLs or CoPP be needed for protection?

Please let me know and I can clarify further.

Thank you

Giuseppe Larosa Sat, 10/03/2009 - 01:45
Hello Thomas,

The ACL will process ICMP packets destined to the SVI and it will allow them.

But you need to write it using a wildcard mask:

permit ip any

You can test using a modified version of the ACL:

access-list 111 permit icmp host

access-list 111 permit ip any

int vlan 10

ip address

no shut

ip access-group 111 in


Attempting to ping should work, and you should see counters increasing in the first line of ACL 111:


sh ip access-list 111

CoPP is smarter and it can introduce a rate-limiting action to protect the CPU.

Hope to help
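
One way to automate the counter check described in the answer above, as an added example that is not part of the original thread: it compares two captures of "sh ip access-list 111", taken before and after the ping, and reports which ACL lines gained matches. The sample output, the documentation-range addresses and the function names are constructed for illustration.

```python
import re

# Constructed captures of "sh ip access-list 111" before and after the ping test.
# Addresses are documentation-range placeholders, not values from the thread.
BEFORE = """\
Extended IP access list 111
    10 permit icmp host 192.0.2.10 host 192.0.2.1
    20 permit ip any any (42 matches)
"""
AFTER = """\
Extended IP access list 111
    10 permit icmp host 192.0.2.10 host 192.0.2.1 (5 matches)
    20 permit ip any any (57 matches)
"""

# Sequence number, rule text, optional "(N matches)" / "(1 match)" counter.
ACE_RE = re.compile(
    r"^\s+(\d+)\s+((?:permit|deny)\s+.+?)(?:\s+\((\d+)\s+match(?:es)?\))?\s*$"
)

def parse_counters(show_output):
    """Map ACE sequence number -> (rule text, match count).

    IOS prints no counter for an entry that has never matched, so a
    missing counter is treated as 0."""
    entries = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, rule, hits = m.groups()
            entries[int(seq)] = (rule, int(hits or 0))
    return entries

def counter_deltas(before, after):
    """Return {sequence: increase in matches} between the two captures."""
    old = parse_counters(before)
    new = parse_counters(after)
    return {seq: hits - old.get(seq, ("", 0))[1] for seq, (_, hits) in new.items()}

def ace_was_hit(before, after, seq):
    """True if the given ACL line gained matches, i.e. the interface ACL
    was evaluated for the test traffic sent to the SVI address."""
    return counter_deltas(before, after).get(seq, 0) > 0

if __name__ == "__main__":
    for seq, delta in sorted(counter_deltas(BEFORE, AFTER).items()):
        print(f"ACE {seq}: +{delta} matches")
    print("ICMP line hit:", ace_was_hit(BEFORE, AFTER, 10))
```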


tbowlby1980 Sat, 10/03/2009 - 09:59

Hello Giuseppe,

I'm in the process of testing this today and really appreciate the feedback.

Thank you

